--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package puppet.
The version in unstable fixes a security issue (remote code execution);
please see #863212 for more details.
Full source debdiff attached.
Thanks,
Apollon
unblock puppet/4.8.2-5
diff -Nru puppet-4.8.2/debian/changelog puppet-4.8.2/debian/changelog
--- puppet-4.8.2/debian/changelog 2017-04-28 17:38:26.000000000 +0300
+++ puppet-4.8.2/debian/changelog 2017-05-23 23:17:46.000000000 +0300
@@ -1,3 +1,10 @@
+puppet (4.8.2-5) unstable; urgency=high
+
+ * master: accept facts only in PSON format (CVE-2017-2295) (Closes:
+ #863212).
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org> Tue, 23 May 2017 23:17:46 +0300
+
puppet (4.8.2-4) unstable; urgency=medium
* Handle creation and removal of /var/cache/puppet/state (Closes: #855923)
diff -Nru puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch
--- puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch 1970-01-01 02:00:00.000000000 +0200
+++ puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch 2017-05-22 10:47:55.000000000 +0300
@@ -0,0 +1,101 @@
+From b29fd533913786ef1e7de421c6128239b839fb5f Mon Sep 17 00:00:00 2001
+From: Josh Cooper <josh@puppet.com>
+Date: Fri, 28 Apr 2017 12:09:11 -0700
+Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
+
+Previously, an authenticated user could cause the master to execute
+YAML.load on user-specified input, as well as MessagePack.unpack if the
+msgpack gem was installed.
+
+Since 3.2.2, agents have always sent facts as PSON. There is no reason
+to support other formats, so reject all fact formats except PSON.
+
+(cherry picked from commit 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea)
+---
+ lib/puppet/indirector/catalog/compiler.rb | 6 +++--
+ spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
+index e4e60ce54..16c83533e 100644
+--- a/lib/puppet/indirector/catalog/compiler.rb
++++ b/lib/puppet/indirector/catalog/compiler.rb
+@@ -25,9 +25,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
+ # in Network::HTTP::Handler will automagically deserialize the value.
+ if text_facts.is_a?(Puppet::Node::Facts)
+ facts = text_facts
+- else
++ elsif format == 'pson'
+ # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
+- facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
++ facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
++ else
++ raise ArgumentError, "Unsupported facts format"
+ end
+
+ unless facts.name == request.key
+diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
+index b134c9094..d31eaeeef 100644
+--- a/spec/unit/indirector/catalog/compiler_spec.rb
++++ b/spec/unit/indirector/catalog/compiler_spec.rb
+@@ -255,10 +255,10 @@ describe Puppet::Resource::Catalog::Compiler do
+ @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
+ end
+
+- def a_request_that_contains(facts)
++ def a_request_that_contains(facts, format = :pson)
+ request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
+- request.options[:facts_format] = "pson"
+- request.options[:facts] = CGI.escape(facts.render(:pson))
++ request.options[:facts_format] = format.to_s
++ request.options[:facts] = CGI.escape(facts.render(format))
+ request
+ end
+
+@@ -277,7 +277,7 @@ describe Puppet::Resource::Catalog::Compiler do
+ expect(facts.timestamp).to eq(time)
+ end
+
+- it "should convert the facts into a fact instance and save it" do
++ it "accepts PSON facts" do
+ request = a_request_that_contains(@facts)
+
+ options = {
+@@ -289,6 +289,34 @@ describe Puppet::Resource::Catalog::Compiler do
+
+ @compiler.extract_facts_from_request(request)
+ end
++
++ it "rejects YAML facts" do
++ request = a_request_that_contains(@facts, :yaml)
++
++ options = {
++ :environment => request.environment,
++ :transaction_uuid => request.options[:transaction_uuid],
++ }
++
++ expect {
++ @compiler.extract_facts_from_request(request)
++ }.to raise_error(ArgumentError, /Unsupported facts format/)
++ end
++
++ it "rejects unknown fact formats" do
++ request = a_request_that_contains(@facts)
++ request.options[:facts_format] = 'unknown-format'
++
++ options = {
++ :environment => request.environment,
++ :transaction_uuid => request.options[:transaction_uuid],
++ }
++
++ expect {
++ @compiler.extract_facts_from_request(request)
++ }.to raise_error(ArgumentError, /Unsupported facts format/)
++ end
++
+ end
+
+ describe "when finding nodes" do
+--
+2.11.0
+
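Review bot: Both new spec examples (`rejects YAML facts`, `rejects unknown fact formats`) build an `options` hash that nothing reads — `extract_facts_from_request` is called with `request` alone — so the two `options = { … }` blocks can be dropped; they are copied from the existing `accepts PSON facts` example, where the hash looks equally unused. In compiler.rb the new `raise ArgumentError, "Unsupported facts format"` gives an operator no hint of what the agent actually sent, so a mismatched or downgraded client shows up only as a bare rejection; something like `raise ArgumentError, "Unsupported facts format: #{format.inspect}"` would make the post-upgrade failure mode diagnosable, with the caveat that `format` is request-supplied and would then appear in master logs. The `format` variable is assigned before the hunk starts, so whether it is always a String or could arrive as a Symbol (which the exact `== 'pson'` comparison would reject) is not visible here; the spec sets `request.options[:facts_format] = format.to_s`, which suggests String. The enclosing method in compiler.rb begins outside the hunk.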
diff -Nru puppet-4.8.2/debian/patches/series puppet-4.8.2/debian/patches/series
--- puppet-4.8.2/debian/patches/series 2017-03-27 21:32:20.000000000 +0300
+++ puppet-4.8.2/debian/patches/series 2017-05-22 10:48:29.000000000 +0300
@@ -5,3 +5,4 @@
0005-use-systemd-as-the-default-service-provider.patch
0006-debian-service-provider-use-service.patch
0007-Fix-service-listing-and-enable-disable-in-Debian.patch
+0008-CVE-2017-2295.patch
--- End Message ---