When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the ruby process, which allows an attacker to execute
code contained in the payload.
I have fixes in tree in as 2.7.21-r1, 2.7.22, 3.2.1-r3 and 3.2.2. The only thing I see as remaining to be done is a fast stabilization of 2.7.21-r1 so we can remove the last vulnerable version from tree (2.7.21).
amd64 hppa ppc sparc x86
all arches, please stabilize puppet 2.7.21-r1 and 2.7.22.
Arch teams, please test and mark stable:
Stable KEYWORDS : amd64 hppa ppc sparc x86
Also, who dropped SPARC from 3.*? I don't see a keyword request bug.
there's a dependency that needs to be worked out for sparc, bug 449184. I should update that stating I have 3.2.2 in tree now as well.
(In reply to Jeroen Roovers from comment #2)
> Arch teams, please test and mark stable:
> Stable KEYWORDS : amd64 hppa ppc sparc x86
Only 2.7.22 is fine.
Stable for HPPA.
how's sparc doing?
well, now that we are all stable we have another CVE :D
I think we should close in favor of bug 481186
Thanks for you work
Added to existing GLSA draft
This issue was resolved and addressed in
GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise
before 2.8.2, deserializes untrusted YAML, which allows remote attackers to
instantiate arbitrary Ruby classes and execute arbitrary code via a crafted
REST API call.