
Bug#863237: marked as done (unblock: puppet/4.8.2-5)



Your message dated Wed, 24 May 2017 16:47:57 +0000
with message-id <E1dDZS1-0004G8-7p@respighi.debian.org>
and subject line unblock puppet
has caused the Debian Bug report #863237,
regarding unblock: puppet/4.8.2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863237: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863237
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package puppet.

The version in unstable fixes a security issue (remote code execution), 
please see #863212 for more details.

Full source debdiff attached.

Thanks,
Apollon

unblock puppet/4.8.2-5
diff -Nru puppet-4.8.2/debian/changelog puppet-4.8.2/debian/changelog
--- puppet-4.8.2/debian/changelog	2017-04-28 17:38:26.000000000 +0300
+++ puppet-4.8.2/debian/changelog	2017-05-23 23:17:46.000000000 +0300
@@ -1,3 +1,10 @@
+puppet (4.8.2-5) unstable; urgency=high
+
+  * master: accept facts only in PSON format (CVE-2017-2295) (Closes:
+    #863212).
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org>  Tue, 23 May 2017 23:17:46 +0300
+
 puppet (4.8.2-4) unstable; urgency=medium
 
   * Handle creation and removal of /var/cache/puppet/state (Closes: #855923)
diff -Nru puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch
--- puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch	1970-01-01 02:00:00.000000000 +0200
+++ puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch	2017-05-22 10:47:55.000000000 +0300
@@ -0,0 +1,101 @@
+From b29fd533913786ef1e7de421c6128239b839fb5f Mon Sep 17 00:00:00 2001
+From: Josh Cooper <josh@puppet.com>
+Date: Fri, 28 Apr 2017 12:09:11 -0700
+Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
+
+Previously, an authenticated user could cause the master to execute
+YAML.load on user-specified input, as well as MessagePack.unpack if the
+msgpack gem was installed.
+
+Since 3.2.2, agents have always sent facts as PSON. There is no reason
+to support other formats, so reject all fact formats except PSON.
+
+(cherry picked from commit 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea)
+---
+ lib/puppet/indirector/catalog/compiler.rb     |  6 +++--
+ spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
+index e4e60ce54..16c83533e 100644
+--- a/lib/puppet/indirector/catalog/compiler.rb
++++ b/lib/puppet/indirector/catalog/compiler.rb
+@@ -25,9 +25,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
+       # in Network::HTTP::Handler will automagically deserialize the value.
+       if text_facts.is_a?(Puppet::Node::Facts)
+         facts = text_facts
+-      else
++      elsif format == 'pson'
+         # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
+-        facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
++        facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
++      else
++        raise ArgumentError, "Unsupported facts format"
+       end
+ 
+       unless facts.name == request.key
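Review bot: The new else branch in extract_facts_from_request raises ArgumentError with the fixed text "Unsupported facts format", so the rejected value of format never appears in the error. Consider including it in escaped form (for example format.inspect) so that an operator reading the master's log can tell an old or misconfigured agent from a request that deliberately asks for YAML or msgpack. Separately, the first branch still accepts text_facts that is already a Puppet::Node::Facts, and the comment above it says Network::HTTP::Handler will deserialize the value automatically. The format check added here does not cover that branch, so it is worth confirming that it cannot be reached with a body deserialized from a non-PSON format.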
+diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
+index b134c9094..d31eaeeef 100644
+--- a/spec/unit/indirector/catalog/compiler_spec.rb
++++ b/spec/unit/indirector/catalog/compiler_spec.rb
+@@ -255,10 +255,10 @@ describe Puppet::Resource::Catalog::Compiler do
+       @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
+     end
+ 
+-    def a_request_that_contains(facts)
++    def a_request_that_contains(facts, format = :pson)
+       request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
+-      request.options[:facts_format] = "pson"
+-      request.options[:facts] = CGI.escape(facts.render(:pson))
++      request.options[:facts_format] = format.to_s
++      request.options[:facts] = CGI.escape(facts.render(format))
+       request
+     end
+ 
+@@ -277,7 +277,7 @@ describe Puppet::Resource::Catalog::Compiler do
+       expect(facts.timestamp).to eq(time)
+     end
+ 
+-    it "should convert the facts into a fact instance and save it" do
++    it "accepts PSON facts" do
+       request = a_request_that_contains(@facts)
+ 
+       options = {
+@@ -289,6 +289,34 @@ describe Puppet::Resource::Catalog::Compiler do
+ 
+       @compiler.extract_facts_from_request(request)
+     end
++
++    it "rejects YAML facts" do
++      request = a_request_that_contains(@facts, :yaml)
++
++      options = {
++        :environment => request.environment,
++        :transaction_uuid => request.options[:transaction_uuid],
++      }
++
++      expect {
++        @compiler.extract_facts_from_request(request)
++      }.to raise_error(ArgumentError, /Unsupported facts format/)
++    end
++
++    it "rejects unknown fact formats" do
++      request = a_request_that_contains(@facts)
++      request.options[:facts_format] = 'unknown-format'
++
++      options = {
++        :environment => request.environment,
++        :transaction_uuid => request.options[:transaction_uuid],
++      }
++
++      expect {
++        @compiler.extract_facts_from_request(request)
++      }.to raise_error(ArgumentError, /Unsupported facts format/)
++    end
++
+   end
+ 
+   describe "when finding nodes" do
+-- 
+2.11.0
+
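Review bot: In both new examples, "rejects YAML facts" and "rejects unknown fact formats", the local options hash is assigned but never referenced in the lines shown before the expect block; drop it so each example contains only what it asserts. The commit message also names MessagePack.unpack as reachable when the msgpack gem is installed, but there is no example that sends a msgpack facts_format. The unknown-format example exercises the same else branch, yet an explicit msgpack case next to the YAML one would document that both formats named in the commit message are rejected.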
diff -Nru puppet-4.8.2/debian/patches/series puppet-4.8.2/debian/patches/series
--- puppet-4.8.2/debian/patches/series	2017-03-27 21:32:20.000000000 +0300
+++ puppet-4.8.2/debian/patches/series	2017-05-22 10:48:29.000000000 +0300
@@ -5,3 +5,4 @@
 0005-use-systemd-as-the-default-service-provider.patch
 0006-debian-service-provider-use-service.patch
 0007-Fix-service-listing-and-enable-disable-in-Debian.patch
+0008-CVE-2017-2295.patch

--- End Message ---
--- Begin Message ---
Unblocked puppet.

--- End Message ---
