Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624704 (CVE-2017-2292) - <app-admin/mcollective-2.11.0: RCE via YAML deserialization
Summary: <app-admin/mcollective-2.11.0: RCE via YAML deserialization
Status: RESOLVED FIXED
Alias: CVE-2017-2292
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-12 15:19 UTC by Agostino Sarubbo
Modified: 2017-09-04 22:36 UTC (History)
1 user (show)

See Also:
Package list:
=app-admin/mcollective-2.11.0 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-12 15:19:12 UTC
From ${URL} :

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call 
YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

External References:

https://puppet.com/security/cve/cve-2017-2292

Upstream patch:

https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-07-12 15:56:13 UTC
ya, 2.11.0 can be stablized, it's just amd64/x86 so shouldn't be too bad
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 09:59:00 UTC
Stable on alpha.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 10:05:02 UTC
(In reply to Tobias Klausmann from comment #2)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-11 23:08:11 UTC
ping:

Keywords for app-admin/mcollective:
       |                                 |   u   |  
       | a a         p s   a     n r     |   n   |  
       | l m   h i   p p   r m m i i s   | e u s | r
       | p d a p a p c a x m i 6 o s 3   | a s l | e
       | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
       | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
-------+---------------------------------+-------+-------
2.10.5 | o + o o o o o o + o o o o o o o | 5 # 0 | gentoo
2.11.1 | o + o o o o o o + o o o o o o o | 5 o   | gentoo

@x86: Could you please confirm that package is stable for x86 and if we need to cleanup or there are no fulnerable ebuilds.

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 5 Thomas Deutschmann gentoo-dev 2017-08-18 19:50:58 UTC
Already stable.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2017-08-26 22:19:14 UTC
glsa request is filed
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-09-04 22:36:38 UTC
This issue was resolved and addressed in
 GLSA 201709-01 at https://security.gentoo.org/glsa/201709-01
by GLSA coordinator Aaron Bauman (b-man).