Bug 473720 (CVE-2013-3567) - <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticated clients (CVE-2013-3567)
Status: RESOLVED FIXED
Alias: CVE-2013-3567
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Reported: 2013-06-18 17:32 UTC by Matthew Thode ( prometheanfire )
Modified: 2013-08-27 17:19 UTC
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-18 17:32:28 UTC
When making REST API calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the Ruby process, which allows an attacker to execute
code contained in the payload.

I have fixes in tree as 2.7.21-r1, 2.7.22, 3.2.1-r3 and 3.2.2. The only thing I see as remaining to be done is a fast stabilization of 2.7.21-r1 so we can remove the last vulnerable version from tree (2.7.21).

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-24 19:48:41 UTC
amd64 hppa ppc sparc x86

all arches, please stabilize puppet 2.7.21-r1 and 2.7.22.
Comment 2 Jeroen Roovers gentoo-dev 2013-06-28 15:32:43 UTC
Arch teams, please test and mark stable:
=app-admin/puppet-2.7.21-r1
app-admin/puppet-2.7.22
Stable KEYWORDS : amd64 hppa ppc sparc x86

Also, who dropped SPARC from 3.*? I don't see a keyword request bug.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-28 18:10:09 UTC
there's a dependency that needs to be worked out for sparc, bug 449184.  I should update that stating I have 3.2.2 in tree now as well.
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-28 18:54:57 UTC
(In reply to Jeroen Roovers from comment #2)
> Arch teams, please test and mark stable:
> =app-admin/puppet-2.7.21-r1
> app-admin/puppet-2.7.22
> Stable KEYWORDS : amd64 hppa ppc sparc x86
> 

Only 2.7.22 is fine.
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-28 20:58:28 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-29 10:13:45 UTC
ppc stable
Comment 7 Jeroen Roovers gentoo-dev 2013-06-30 22:19:31 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-04 12:26:36 UTC
x86 stable
Comment 9 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-16 05:33:27 UTC
how's sparc doing?
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:16 UTC
sparc stable
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-15 15:15:50 UTC
well, now that we are all stable we have another CVE :D

I think we should close in favor of bug 481186
Comment 12 Sergey Popov gentoo-dev Security 2013-08-21 07:26:42 UTC
Thanks for your work

Added to existing GLSA draft
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-23 18:44:09 UTC
This issue was resolved and addressed in
 GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 17:19:16 UTC
CVE-2013-3567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3567):
  Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise
  before 2.8.2, deserializes untrusted YAML, which allows remote attackers to
  instantiate arbitrary Ruby classes and execute arbitrary code via a crafted
  REST API call.
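
The class-instantiation behaviour described in the report and the CVE summary, and how a restricted loader or a tag scan refuses it, shown with Ruby's bundled Psych library as an added example (not code from this bug or from Puppet, whose actual fix is not shown on this page). The `Marker` class, both request bodies and the helper names are constructed for illustration.

```ruby
require 'yaml'

# Constructed stand-in for "any class available in the Ruby process".
class Marker
  attr_reader :note
end

# Constructed request body: the !ruby/object tag names the class to build.
TAGGED_BODY = <<~BODY
  --- !ruby/object:Marker
  note: built from client-supplied data
BODY

# Constructed benign body that uses only plain YAML types.
PLAIN_BODY = <<~BODY
  ---
  name: node01.example.org
  facts:
    osfamily: Gentoo
BODY

# Unrestricted load, the behaviour the bug describes. Newer Psych calls it
# unsafe_load; older Psych exposes the same behaviour as plain load.
def legacy_load(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Walk the parsed AST and collect explicit tags without building any object.
# Useful for rejecting or logging a request before deserialization.
def tags_in(body)
  doc = YAML.parse(body)
  return [] unless doc
  doc.each.map(&:tag).compact.uniq
end

# Restricted load: core types only; returns nil when the body is rejected.
def strict_load(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass, Psych::BadAlias
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy: #{legacy_load(TAGGED_BODY).class}"
  puts "tags:   #{tags_in(TAGGED_BODY).inspect}"
  puts "strict: #{strict_load(TAGGED_BODY).inspect}"
  puts "plain:  #{strict_load(PLAIN_BODY).inspect}"
end
```

The unrestricted loader returns a `Marker` whose state came entirely from the request body, while `strict_load` returns `nil` for the same input and still parses the plain document.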