rpms
/
puppet
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix remote code execution via YAML deserialization

Browse Source 
* CVE-2017-2295
* https://puppet.com/security/cve/cve-2017-2295
* https://github.com/puppetlabs/puppet/commit/06d8c51

Fixes BZ#1452654
epel9
Dominic Cleal 8 years ago
parent 6d30d07d32
commit a3757312cb
No known key found for this signature in database
GPG Key ID: 7C7D326F2C2B72CC
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File

99
0005-PUP-7483-Reject-all-fact-formats-except-PSON.patch
Unescape View File

@ -0,0 +1,99 @@
From 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea Mon Sep 17 00:00:00 2001
From: Josh Cooper <josh@puppet.com>
Date: Fri, 28 Apr 2017 12:09:11 -0700
Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
Previously, an authenticated user could cause the master to execute
YAML.load on user-specified input, as well as MessagePack.unpack if the
msgpack gem was installed.
Since 3.2.2, agents have always sent facts as PSON. There is no reason
to support other formats, so reject all fact formats except PSON.
---
lib/puppet/indirector/catalog/compiler.rb | 6 +++--
spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
index e4e60ce..16c8353 100644
--- a/lib/puppet/indirector/catalog/compiler.rb
+++ b/lib/puppet/indirector/catalog/compiler.rb
@@ -25,9 +25,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
# in Network::HTTP::Handler will automagically deserialize the value.
if text_facts.is_a?(Puppet::Node::Facts)
facts = text_facts
- else
+ elsif format == 'pson'
# We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
- facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
+ facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
+ else
+ raise ArgumentError, "Unsupported facts format"
end
unless facts.name == request.key
diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
index b134c90..d31eaee 100644
--- a/spec/unit/indirector/catalog/compiler_spec.rb
+++ b/spec/unit/indirector/catalog/compiler_spec.rb
@@ -255,10 +255,10 @@ describe Puppet::Resource::Catalog::Compiler do
@facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
end
- def a_request_that_contains(facts)
+ def a_request_that_contains(facts, format = :pson)
request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
- request.options[:facts_format] = "pson"
- request.options[:facts] = CGI.escape(facts.render(:pson))
+ request.options[:facts_format] = format.to_s
+ request.options[:facts] = CGI.escape(facts.render(format))
request
end
@@ -277,7 +277,7 @@ describe Puppet::Resource::Catalog::Compiler do
expect(facts.timestamp).to eq(time)
end
- it "should convert the facts into a fact instance and save it" do
+ it "accepts PSON facts" do
request = a_request_that_contains(@facts)
options = {
@@ -289,6 +289,34 @@ describe Puppet::Resource::Catalog::Compiler do
@compiler.extract_facts_from_request(request)
end
+
+ it "rejects YAML facts" do
+ request = a_request_that_contains(@facts, :yaml)
+
+ options = {
+ :environment => request.environment,
+ :transaction_uuid => request.options[:transaction_uuid],
+ }
+
+ expect {
+ @compiler.extract_facts_from_request(request)
+ }.to raise_error(ArgumentError, /Unsupported facts format/)
+ end
+
+ it "rejects unknown fact formats" do
+ request = a_request_that_contains(@facts)
+ request.options[:facts_format] = 'unknown-format'
+
+ options = {
+ :environment => request.environment,
+ :transaction_uuid => request.options[:transaction_uuid],
+ }
+
+ expect {
+ @compiler.extract_facts_from_request(request)
+ }.to raise_error(ArgumentError, /Unsupported facts format/)
+ end
+
end
describe "when finding nodes" do
--
2.7.4

7
puppet.spec
Unescape View File

@ -19,7 +19,7 @@
Name: puppet Name: puppet
Version: 4.6.2 Version: 4.6.2
Release: 3%{?dist} Release: 4%{?dist}
Summary: A network tool for managing many disparate systems Summary: A network tool for managing many disparate systems
License: ASL 2.0 License: ASL 2.0
URL: http://puppetlabs.com URL: http://puppetlabs.com
@ -34,6 +34,7 @@ Patch01: 0001-Fix-puppet-paths.patch
Patch02: 0002-Revert-maint-Remove-puppetmaster.service.patch Patch02: 0002-Revert-maint-Remove-puppetmaster.service.patch
Patch03: 0003-Remove-unused-requre-xmlrpc-client.patch Patch03: 0003-Remove-unused-requre-xmlrpc-client.patch
Patch04: 0004-PUP-7383-Skip-cipher-monkey-patch-on-ruby-2.4.patch Patch04: 0004-PUP-7383-Skip-cipher-monkey-patch-on-ruby-2.4.patch
Patch05: 0005-PUP-7483-Reject-all-fact-formats-except-PSON.patch
Group: System Environment/Base Group: System Environment/Base
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -123,6 +124,7 @@ The server can also function as a certificate authority and file server.
%patch02 -p1 -b .server %patch02 -p1 -b .server
%patch03 -p1 %patch03 -p1
%patch04 -p1 %patch04 -p1
%patch05 -p1
# Unbundle # Unbundle
rm -r lib/puppet/vendor/*{pathspec,rgen}* rm -r lib/puppet/vendor/*{pathspec,rgen}*
@ -390,6 +392,9 @@ exit 0
rm -rf %{buildroot} rm -rf %{buildroot}
%changelog %changelog
* Tue May 23 2017 Dominic Cleal <dominic@cleal.org> - 4.6.2-4
- Fix remote code exec via YAML deserialization (BZ#1452654, CVE-2017-2295)
* Thu May 18 2017 Dominic Cleal <dominic@cleal.org> - 4.6.2-3 * Thu May 18 2017 Dominic Cleal <dominic@cleal.org> - 4.6.2-3
- Fix Ruby 2.4 compatibility, xmlrpc + OpenSSL errors (BZ#1443673, BZ#1440710) - Fix Ruby 2.4 compatibility, xmlrpc + OpenSSL errors (BZ#1443673, BZ#1440710)

Write Preview
Loading…
Cancel
Save