Bug 624704 (CVE-2017-2292)

Summary:	<app-admin/mcollective-2.11.0: RCE via YAML deserialization
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	prometheanfire
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1470086
Whiteboard:	B2 [glsa cve]
Package list:	=app-admin/mcollective-2.11.0 amd64 x86	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2017-07-12 15:19:12 UTC

From ${URL} :

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call 
YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

External References:

https://puppet.com/security/cve/cve-2017-2292

Upstream patch:

https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

Comment 1 Matthew Thode ( prometheanfire ) archtester

2017-07-12 15:56:13 UTC

ya, 2.11.0 can be stablized, it's just amd64/x86 so shouldn't be too bad

Comment 2 Tobias Klausmann (RETIRED) gentoo-dev

2017-07-15 09:59:00 UTC

Stable on alpha.

Comment 3 Tobias Klausmann (RETIRED) gentoo-dev

2017-07-15 10:05:02 UTC

(In reply to Tobias Klausmann from comment #2)
> Stable on alpha.

Bullshit. Amd64 stable.

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-08-11 23:08:11 UTC

ping:

Keywords for app-admin/mcollective:
       |                                 |   u   |  
       | a a         p s   a     n r     |   n   |  
       | l m   h i   p p   r m m i i s   | e u s | r
       | p d a p a p c a x m i 6 o s 3   | a s l | e
       | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
       | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
-------+---------------------------------+-------+-------
2.10.5 | o + o o o o o o + o o o o o o o | 5 # 0 | gentoo
2.11.1 | o + o o o o o o + o o o o o o o | 5 o   | gentoo

@x86: Could you please confirm that package is stable for x86 and if we need to cleanup or there are no fulnerable ebuilds.

Thanks,

Gentoo Security Padawan
ChrisADR

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-18 19:50:58 UTC

Already stable.

Comment 6 Mikle Kolyada (RETIRED) archtester

2017-08-26 22:19:14 UTC

glsa request is filed

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2017-09-04 22:36:38 UTC

This issue was resolved and addressed in
 GLSA 201709-01 at https://security.gentoo.org/glsa/201709-01
by GLSA coordinator Aaron Bauman (b-man).