Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 619016 (CVE-2017-2295)

Summary: <app-admin/puppet-4.10.1: Unsafe YAML deserialization
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: prometheanfire, ruby, sysadmin
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1452651
Whiteboard: B3 [noglsa cve]
Package list:
app-admin/puppet-4.10.1 amd64 hppa x86 app-admin/puppet-agent-1.10.1 amd64 x86 dev-ruby/rgen-0.8.0 x86 dev-ruby/hiera-3.2.2 x86 dev-ruby/deep_merge-1.0.1 x86
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-20 08:19:27 UTC
From ${URL} :

It was found that Puppet will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. 
This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the 
format of data on the wire to PSON or safely decoded YAML.

External References:

https://puppet.com/security/cve/cve-2017-2295


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-05-20 21:38:00 UTC
yep, arches, please stabilize.
Comment 2 Stabilization helper bot gentoo-dev 2017-05-20 22:00:40 UTC
An automated check of this bug failed - the following atom is unknown:

app-admin/puppet-agent-4.10.1

Please verify the atom list.
Comment 3 Stabilization helper bot gentoo-dev 2017-05-20 23:01:17 UTC
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated): 

> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-05-20 23:40:02 UTC
@ruby, are you fine with those packages getting stabilized as well?
Comment 5 Hans de Graaff gentoo-dev 2017-05-21 05:32:28 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #4)
> @ruby, are you fine with those packages getting stabilized as well?

Note that these are only needed for x86 and x86 currently does not have a stable puppet version at all.

No problem from my side. I have updated the package list accordingly.
Comment 6 Stabilization helper bot gentoo-dev 2017-05-21 06:00:41 UTC
An automated check of this bug failed - the following atom is unknown:

dev-ruby/deep-merge-1.0.1

Please verify the atom list.
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-21 09:47:37 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-22 09:26:16 UTC
x86 stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:36:51 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:31:58 UTC
stable..........
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:01:51 UTC
bman, stable hppa? (it's still cc'd)
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:24:45 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #11)
> bman, stable hppa? (it's still cc'd)

Yup
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:44:53 UTC
you should probably remove hppa from cc :P (I'm doing that this time)
Comment 14 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 04:18:41 UTC
readding hppa, wrong version stabilized
Comment 15 Sergei Trofimovich gentoo-dev 2017-10-31 22:42:25 UTC
hppa stable
Comment 16 Aleksandr Wagner (Kivak) 2017-10-31 23:05:41 UTC
Stabilization done, thank you arches.

@ Maintainer(s): Please clean vulnerable versions from tree.

@ Security: Please vote on glsa.
Comment 17 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-31 23:15:41 UTC
cleaned up