
puppet packages ready for testing



Hi,

Considering the [discussion][1] surrounding the possibility of
backporting the upstream patch for [CVE-2017-2295][2], I have made
Puppet packages available for testing at the [usual location][3]
(debdiff attached).

 [1]: https://lists.debian.org/20170524095154.5ooj6inyeg643xas@marvin.dmesg.gr
 [2]: https://security-tracker.debian.org/tracker/CVE-2017-2295
 [3]: https://people.debian.org/~anarcat/debian/wheezy-lts/

Those can be fetched and verified with:

    dget https://people.debian.org/~anarcat/debian/wheezy-lts/puppet_2.7.23-1~deb7u4_amd64.changes

The packages above update *both* the master and the clients, and *both*
need to be updated for infrastructure to keep on working: with the
proposed changes, the puppetmaster will refuse unpatched 2.7 clients
since they send YAML instead of PSON facts. The packages include a patch
for clients to flip them to PSON as well. Clients running 3.2.3 or later
should send the proper serialization format. Rationale for this change
is explained in this [email][4].

 [4]: https://lists.debian.org/87mv8te5jv.fsf@curie.anarc.at

I have tried to see if the test suite passes, but unfortunately, it was
already failing in wheezy-security *before* I applied the upstream
patches:

524 tests, 1717 assertions, 2 failures, 768 errors, 0 skips

The good news is that the number of failures remains the same after the
patch is applied, so there are no catastrophic failures.

A friendly organisation (Koumbit.org, ex-employer) was nice enough to
let me test the puppetmaster packages on their servers, and it seems the
change didn't break anything on their side, as long as clients are also
upgraded. Out-of-date clients will see the following error while
fetching the catalog:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Unsupported facts format: b64_zlib_yaml

Considering the severity of this issue and how long it's been stalled, I
plan on uploading this by the end of the week unless someone objects.

A.

-- 
Men often become what they believe themselves to be. If I believe I
cannot do something, it makes me incapable of doing it. But when I
believe I can, then I acquire the ability to do it even if I didn't
have it in the beginning.
                         - Mahatma Gandhi
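The server-side check the mail describes (accept facts only when the agent declared the PSON format, otherwise answer "Unsupported facts format"), modelled as an added example. This is not Puppet's code or anarcat's: PSON is Puppet's JSON dialect, so plain JSON stands in for it, the request is a hash shaped like the `a_request_that_contains` helper in the attached spec, and the `FactGate` module, `Facts` class and the name-mismatch message are constructed here.

```ruby
require 'json'
require 'cgi'

# Constructed model of the fail-closed facts gate from the CVE-2017-2295
# fix (not Puppet's own code). Only the 'pson' format ever reaches a
# deserializer; yaml, b64_zlib_yaml, msgpack and unknown formats are
# rejected before any parsing happens.
module FactGate
  SUPPORTED_FACTS_FORMAT = 'pson'.freeze

  # Minimal stand-in for Puppet::Node::Facts (constructed).
  class Facts
    attr_reader :name, :values
    def initialize(name, values)
      @name = name
      @values = values
    end
  end

  # Stand-in for Puppet::Node::Facts.convert_from('pson', text): parse the
  # JSON body and rebuild the facts object from its name and values.
  def self.convert_from_pson(text)
    data = JSON.parse(text)
    Facts.new(data.fetch('name'), data.fetch('values'))
  end

  # request is a hash modelled on Puppet::Indirector::Request: :key is the
  # certname whose catalog is being compiled, :options carries the declared
  # facts_format and the CGI-escaped serialized facts sent by the agent.
  def self.extract_facts_from_request(request)
    format = request[:options]['facts_format']
    text_facts = CGI.unescape(request[:options]['facts'].to_s)

    facts = if format == SUPPORTED_FACTS_FORMAT
              convert_from_pson(text_facts)
            else
              # Exact-string allow-list: anything else is refused, and the
              # agent sees this message as the "Error 400 on SERVER" above.
              raise ArgumentError, "Unsupported facts format: #{format}"
            end

    # Keeps the check that follows the gate in the compiler: the facts must
    # belong to the node the catalog was requested for.
    unless facts.name == request[:key]
      raise ArgumentError,
            "Catalog for #{request[:key]} was requested with facts for #{facts.name}"
    end
    facts
  end

  # Builds a request the way the spec helper a_request_that_contains does
  # (constructed; the agent-side rendering is simplified to a string).
  def self.request_for(key, facts_text, format)
    { key: key,
      options: { 'facts_format' => format, 'facts' => CGI.escape(facts_text) } }
  end
end

if __FILE__ == $0
  # Constructed sample facts: one patched agent (PSON) and one old agent
  # still sending b64_zlib_yaml.
  pson = '{"name":"web01.example","values":{"osfamily":"Debian"}}'
  facts = FactGate.extract_facts_from_request(
    FactGate.request_for('web01.example', pson, 'pson'))
  puts "accepted facts for #{facts.name}: #{facts.values.inspect}"
  begin
    FactGate.extract_facts_from_request(
      FactGate.request_for('web01.example', "--- {}\n", 'b64_zlib_yaml'))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The interesting property is the order of operations: the format string is compared before the body is touched, so a rejected format costs the master nothing more than a string comparison, and an unpatched 2.7 agent is refused with exactly the message quoted in the mail.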
diff -Nru puppet-2.7.23/debian/changelog puppet-2.7.23/debian/changelog
--- puppet-2.7.23/debian/changelog	2014-01-16 15:44:37.000000000 -0500
+++ puppet-2.7.23/debian/changelog	2017-06-27 10:45:40.000000000 -0400
@@ -1,3 +1,14 @@
+puppet (2.7.23-1~deb7u4) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-2295: Unsafe YAML deseralization (Closes: #863212).
+  * This update rejects non-PSON client catalog requests, which will break
+    clients running non-patched versions or older than 3.2.3. It is
+    therefore necessary to update both clients and servers for this
+    security upgrade.
+
+ -- Antoine Beaupré <anarcat@debian.org>  Tue, 27 Jun 2017 10:45:40 -0400
+
 puppet (2.7.23-1~deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
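Review bot: the distribution on the first line of the new entry is still UNRELEASED; it needs to be wheezy-security before the upload the mail announces. Two wording nits in the same entry: "deseralization" should be "deserialization", and "rejects non-PSON client catalog requests" is slightly off, since what is rejected is any catalog request whose facts are not declared as PSON (the condition that breaks unpatched 2.7 agents). The entry also says agents "older than 3.2.3" break, while the upstream commit message further down says agents have sent PSON since 3.2.2; pick one version and use it consistently here and in the mail.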
diff -Nru puppet-2.7.23/debian/patches/CVE-2017-2295-06d8c51367ca932b9da5d9b01958cfc0adf0f2ea.patch puppet-2.7.23/debian/patches/CVE-2017-2295-06d8c51367ca932b9da5d9b01958cfc0adf0f2ea.patch
--- puppet-2.7.23/debian/patches/CVE-2017-2295-06d8c51367ca932b9da5d9b01958cfc0adf0f2ea.patch	1969-12-31 19:00:00.000000000 -0500
+++ puppet-2.7.23/debian/patches/CVE-2017-2295-06d8c51367ca932b9da5d9b01958cfc0adf0f2ea.patch	2017-06-27 10:45:40.000000000 -0400
@@ -0,0 +1,101 @@
+From 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea Mon Sep 17 00:00:00 2001
+From: Josh Cooper <josh@puppet.com>
+Date: Fri, 28 Apr 2017 12:09:11 -0700
+Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
+
+Previously, an authenticated user could cause the master to execute
+YAML.load on user-specified input, as well as MessagePack.unpack if the
+msgpack gem was installed.
+
+Since 3.2.2, agents have always sent facts as PSON. There is no reason
+to support other formats, so reject all fact formats except PSON.
+---
+ lib/puppet/indirector/catalog/compiler.rb     |  6 +++--
+ spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+--- a/lib/puppet/indirector/catalog/compiler.rb
++++ b/lib/puppet/indirector/catalog/compiler.rb
+@@ -21,8 +21,10 @@ class Puppet::Resource::Catalog::Compile
+     # in Network::HTTP::Handler will automagically deserialize the value.
+     if text_facts.is_a?(Puppet::Node::Facts)
+       facts = text_facts
++    elsif format == 'pson'
++      facts = Puppet::Node::Facts.convert_from('pson', text_facts)
+     else
+-      facts = Puppet::Node::Facts.convert_from(format, text_facts)
++      raise ArgumentError, "Unsupported facts format: #{format}"
+     end
+ 
+     unless facts.name == request.key
+--- a/spec/unit/indirector/catalog/compiler_spec.rb
++++ b/spec/unit/indirector/catalog/compiler_spec.rb
+@@ -4,6 +4,13 @@ require 'spec_helper'
+ require 'puppet/indirector/catalog/compiler'
+ require 'puppet/rails'
+ 
++def a_request_that_contains(facts, format = :pson)
++  request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
++  request.options[:facts_format] = format.to_s
++  request.options[:facts] = CGI.escape(facts.render(format))
++  request
++end
++
+ describe Puppet::Resource::Catalog::Compiler do
+   before do
+     require 'puppet/rails'
+@@ -203,6 +210,19 @@ describe Puppet::Resource::Catalog::Comp
+ 
+       @compiler.extract_facts_from_request(@request)
+     end
++
++    it "accepts PSON facts" do
++      request = a_request_that_contains(@facts)
++
++      options = {
++        :environment => request.environment,
++        :transaction_uuid => request.options[:transaction_uuid],
++      }
++
++      Puppet::Node::Facts.indirection.expects(:save).with(equals(@facts), nil, options)
++
++      @compiler.extract_facts_from_request(request)
++    end
+   end
+ 
+   describe "when finding nodes" do
+@@ -249,6 +269,34 @@ describe Puppet::Resource::Catalog::Comp
+       @node.expects(:merge).with { |args| args["serverip"] == "my.ip.address" }
+       @compiler.find(@request)
+     end
++
++    it "rejects YAML facts" do
++      request = a_request_that_contains(@facts, :yaml)
++
++      options = {
++        :environment => request.environment,
++        :transaction_uuid => request.options[:transaction_uuid],
++      }
++
++      expect {
++        @compiler.extract_facts_from_request(request)
++      }.to raise_error(ArgumentError, /Unsupported facts format/)
++    end
++
++    it "rejects unknown fact formats" do
++      request = a_request_that_contains(@facts)
++      request.options[:facts_format] = 'unknown-format'
++
++      options = {
++        :environment => request.environment,
++        :transaction_uuid => request.options[:transaction_uuid],
++      }
++
++      expect {
++        @compiler.extract_facts_from_request(request)
++      }.to raise_error(ArgumentError, /Unsupported facts format/)
++    end
++
+   end
+ 
+   describe "when filtering resources" do
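Review bot: the `elsif format == 'pson'` branch in compiler.rb is an exact-string allow-list, so a missing or differently cased `facts_format` now raises `ArgumentError` instead of being deserialized; that is the intended fail-closed behaviour, but the 2.7 `Network::HTTP::Handler` path mentioned in the hunk's context should be confirmed to turn that `ArgumentError` into the 400 the mail quotes rather than a 500 with a backtrace. In the spec, the `options` hash built in "rejects YAML facts" and "rejects unknown fact formats" is never used (only "accepts PSON facts" passes it to `expects(:save).with`), so drop it from the two rejection tests; those two tests also sit in the "when finding nodes" block while "accepts PSON facts" is in the earlier block, and they belong together. Since the mail reports the suite already fails with 768 errors in wheezy-security, it would be worth stating that at least these three new examples were run in isolation.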
diff -Nru puppet-2.7.23/debian/patches/CVE-2017-2295-use-pson.patch puppet-2.7.23/debian/patches/CVE-2017-2295-use-pson.patch
--- puppet-2.7.23/debian/patches/CVE-2017-2295-use-pson.patch	1969-12-31 19:00:00.000000000 -0500
+++ puppet-2.7.23/debian/patches/CVE-2017-2295-use-pson.patch	2017-06-27 10:45:40.000000000 -0400
@@ -0,0 +1,23 @@
+Description: send facts as PSON instead of YAML
+  The upstream fix for CVE-2017-2295 includes disabling YAML
+  serialization on the server, but 2.7 clients still send YAML. This
+  enables sending PSON on clients to be more forward-compatible.  
+Author: Antoine Beaupré <anarcat@debian.org>
+Bug-Debian: https://bugs.debian.org/863212
+Origin: debian
+Forwarded: not-needed
+Last-Update: 2017-06-27
+
+--- puppet-2.7.23.orig/lib/puppet/configurer/fact_handler.rb
++++ puppet-2.7.23/lib/puppet/configurer/fact_handler.rb
+@@ -33,7 +33,9 @@ module Puppet::Configurer::FactHandler
+     facts = find_facts
+     #format = facts.class.default_format
+ 
+-    if facts.support_format?(:b64_zlib_yaml)
++    if facts.support_format?(:pson)
++      format = :pson
++    elsif facts.support_format?(:b64_zlib_yaml)
+       format = :b64_zlib_yaml
+     else
+       format = :yaml
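Review bot: with the server patch in the same series accepting only `pson`, the two remaining fallbacks at the bottom of this hunk (`b64_zlib_yaml`, then `yaml`) can only produce requests a patched master rejects; keeping them is harmless against unpatched masters, but the Description should say PSON is now effectively mandatory. The Description line ending in "forward-compatible.  " has trailing whitespace. It would also help to state why `facts.support_format?(:pson)` is expected to be true for 2.7.23 facts objects (the commented-out `default_format` line above suggests the default is something else), since the whole upload rests on that branch being taken.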
diff -Nru puppet-2.7.23/debian/patches/series puppet-2.7.23/debian/patches/series
--- puppet-2.7.23/debian/patches/series	2014-01-16 15:40:43.000000000 -0500
+++ puppet-2.7.23/debian/patches/series	2017-06-27 10:45:40.000000000 -0400
@@ -6,3 +6,5 @@
 fix_logcheck
 CVE-2013-4969-2.7.x-temp-file.patch
 CVE-2013-4969-2.7.x-temp-file-regression-fix.patch
+CVE-2017-2295-06d8c51367ca932b9da5d9b01958cfc0adf0f2ea.patch
+CVE-2017-2295-use-pson.patch
