Fix remote code execution via YAML deserialization

* CVE-2017-2295 * https://puppet.com/security/cve/cve-2017-2295 * https://github.com/puppetlabs/puppet/commit/06d8c51 Fixes BZ#1452654
8 years ago · a3757312cb
parent 6d30d07d32
commit a3757312cb
2 changed files with 105 additions and 1 deletions
--- a/0005-PUP-7483-Reject-all-fact-formats-except-PSON.patch
+++ b/0005-PUP-7483-Reject-all-fact-formats-except-PSON.patch
@ -0,0 +1,99 @@
+From 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea Mon Sep 17 00:00:00 2001
+From: Josh Cooper <josh@puppet.com>
+Date: Fri, 28 Apr 2017 12:09:11 -0700
+Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
+
+Previously, an authenticated user could cause the master to execute
+YAML.load on user-specified input, as well as MessagePack.unpack if the
+msgpack gem was installed.
+
+Since 3.2.2, agents have always sent facts as PSON. There is no reason
+to support other formats, so reject all fact formats except PSON.
+---
+ lib/puppet/indirector/catalog/compiler.rb     |  6 +++--
+ spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
+index e4e60ce..16c8353 100644
+--- a/lib/puppet/indirector/catalog/compiler.rb
+++ b/lib/puppet/indirector/catalog/compiler.rb
+@@ -25,9 +25,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
+       # in Network::HTTP::Handler will automagically deserialize the value.
+       if text_facts.is_a?(Puppet::Node::Facts)
+         facts = text_facts
+-      else
+      elsif format == 'pson'
+         # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
+-        facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
+        facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
+      else
+        raise ArgumentError, "Unsupported facts format"
+       end
+ 
+       unless facts.name == request.key
+diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
+index b134c90..d31eaee 100644
+--- a/spec/unit/indirector/catalog/compiler_spec.rb
+++ b/spec/unit/indirector/catalog/compiler_spec.rb
+@@ -255,10 +255,10 @@ describe Puppet::Resource::Catalog::Compiler do
+       @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
+     end
+ 
+-    def a_request_that_contains(facts)
+    def a_request_that_contains(facts, format = :pson)
+       request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
+-      request.options[:facts_format] = "pson"
+-      request.options[:facts] = CGI.escape(facts.render(:pson))
+      request.options[:facts_format] = format.to_s
+      request.options[:facts] = CGI.escape(facts.render(format))
+       request
+     end
+ 
+@@ -277,7 +277,7 @@ describe Puppet::Resource::Catalog::Compiler do
+       expect(facts.timestamp).to eq(time)
+     end
+ 
+-    it "should convert the facts into a fact instance and save it" do
+    it "accepts PSON facts" do
+       request = a_request_that_contains(@facts)
+ 
+       options = {
+@@ -289,6 +289,34 @@ describe Puppet::Resource::Catalog::Compiler do
+ 
+       @compiler.extract_facts_from_request(request)
+     end
+
+    it "rejects YAML facts" do
+      request = a_request_that_contains(@facts, :yaml)
+
+      options = {
+        :environment => request.environment,
+        :transaction_uuid => request.options[:transaction_uuid],
+      }
+
+      expect {
+        @compiler.extract_facts_from_request(request)
+      }.to raise_error(ArgumentError, /Unsupported facts format/)
+    end
+
+    it "rejects unknown fact formats" do
+      request = a_request_that_contains(@facts)
+      request.options[:facts_format] = 'unknown-format'
+
+      options = {
+        :environment => request.environment,
+        :transaction_uuid => request.options[:transaction_uuid],
+      }
+
+      expect {
+        @compiler.extract_facts_from_request(request)
+      }.to raise_error(ArgumentError, /Unsupported facts format/)
+    end
+
+   end
+ 
+   describe "when finding nodes" do
+-- 
+2.7.4
+
--- a/puppet.spec
+++ b/puppet.spec
@ -19,7 +19,7 @@

 Name:           puppet
 Version:        4.6.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        ASL 2.0
 URL:            http://puppetlabs.com
@ -34,6 +34,7 @@ Patch01:        0001-Fix-puppet-paths.patch
 Patch02:        0002-Revert-maint-Remove-puppetmaster.service.patch
 Patch03:        0003-Remove-unused-requre-xmlrpc-client.patch
 Patch04:        0004-PUP-7383-Skip-cipher-monkey-patch-on-ruby-2.4.patch
+Patch05:        0005-PUP-7483-Reject-all-fact-formats-except-PSON.patch
 Group:          System Environment/Base

 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -123,6 +124,7 @@ The server can also function as a certificate authority and file server.
 %patch02 -p1 -b .server
 %patch03 -p1
 %patch04 -p1
+%patch05 -p1
 # Unbundle
 rm -r lib/puppet/vendor/*{pathspec,rgen}*

@ -390,6 +392,9 @@ exit 0
 rm -rf %{buildroot}

 %changelog
+* Tue May 23 2017 Dominic Cleal <dominic@cleal.org> - 4.6.2-4
+- Fix remote code exec via YAML deserialization (BZ#1452654, CVE-2017-2295)
+
 * Thu May 18 2017 Dominic Cleal <dominic@cleal.org> - 4.6.2-3
 - Fix Ruby 2.4 compatibility, xmlrpc + OpenSSL errors (BZ#1443673, BZ#1440710)