473720 – (CVE-2013-3567) <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticated clients (CVE-2013-3567)

Bug 473720 (CVE-2013-3567) - <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticated clients (CVE-2013-3567)

Summary: <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticat...

Status:	RESOLVED FIXED

Alias:	CVE-2013-3567

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-06-18 17:32 UTC by Matthew Thode ( prometheanfire )
Modified:	2013-08-27 17:19 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthew Thode ( prometheanfire ) archtester

2013-06-18 17:32:28 UTC

When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the ruby process, which allows an attacker to execute
code contained in the payload.

I have fixes in tree in as 2.7.21-r1, 2.7.22, 3.2.1-r3 and 3.2.2.  The only thing I see as remaining to be done is a fast stabilization of 2.7.21-r1 so we can remove the last vulnerable version from tree (2.7.21).

Reproducible: Always

Comment 1 Matthew Thode ( prometheanfire ) archtester

2013-06-24 19:48:41 UTC

amd64 hppa ppc sparc x86

all arches, please stabilize puppet 2.7.21-r1 and 2.7.22.

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2013-06-28 15:32:43 UTC

Arch teams, please test and mark stable:
=app-admin/puppet-2.7.21-r1
app-admin/puppet-2.7.22
Stable KEYWORDS : amd64 hppa ppc sparc x86

Also, who dropped SPARC from 3.*? I don't see a keyword request bug.

Comment 3 Matthew Thode ( prometheanfire ) archtester

2013-06-28 18:10:09 UTC

there's a dependency that needs to be worked out for sparc, bug 449184.  I should update that stating I have 3.2.2 in tree now as well.

Comment 4 Agostino Sarubbo gentoo-dev

2013-06-28 18:54:57 UTC

(In reply to Jeroen Roovers from comment #2)
> Arch teams, please test and mark stable:
> =app-admin/puppet-2.7.21-r1
> app-admin/puppet-2.7.22
> Stable KEYWORDS : amd64 hppa ppc sparc x86
> 

Only 2.7.22 is fine.

Comment 5 Agostino Sarubbo gentoo-dev

2013-06-28 20:58:28 UTC

amd64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2013-06-29 10:13:45 UTC

ppc stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2013-06-30 22:19:31 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo gentoo-dev

2013-07-04 12:26:36 UTC

x86 stable

Comment 9 Matthew Thode ( prometheanfire ) archtester

2013-07-16 05:33:27 UTC

how's sparc doing?

Comment 10 Agostino Sarubbo gentoo-dev

2013-07-21 17:55:16 UTC

sparc stable

Comment 11 Matthew Thode ( prometheanfire ) archtester

2013-08-15 15:15:50 UTC

well, now that we are all stable we have another CVE :D

I think we should close in favor of bug 481186

Comment 12 Sergey Popov gentoo-dev

2013-08-21 07:26:42 UTC

Thanks for you work

Added to existing GLSA draft

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2013-08-23 18:44:09 UTC

This issue was resolved and addressed in
 GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2013-08-27 17:19:16 UTC

CVE-2013-3567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3567):
  Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise
  before 2.8.2, deserializes untrusted YAML, which allows remote attackers to
  instantiate arbitrary Ruby classes and execute arbitrary code via a crafted
  REST API call.