
Bug#1035674: marked as done (pre-approval: unblock: puppetserver/7.9.5-2)



Your message dated Sun, 14 May 2023 21:19:01 +0200
with message-id <2332c8fd-f657-4852-15f1-5940e64ae385@debian.org>
and subject line Re: Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2
has caused the Debian Bug report #1035674,
regarding pre-approval: unblock: puppetserver/7.9.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035674
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-puppet-devel@alioth-lists.debian.net
Control: affects -1 + src:puppetserver

I would like to request an unblock to upload puppetserver/7.9.5-2 which fixes two bugs using targeted fixes.

- #1032241 puppetserver - service unit fails to realize the main process died
- #1035541 puppetserver: CVE-2023-1894

[ Reason ]
The main reason is to fix the denial-of-service security issue prior to the release. The second fix has been in the source repository's main branch for some time, awaiting release.

[ Impact ]
Accepting this release should not have any impact beyond puppetserver itself.

[ Tests ]
Build and autopkgtest are passing. The service unit fix has been applied locally on my production system for several weeks.

[ Risks ]
There is a (low) risk that the patches introduce new bugs.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


Thanks!

-- Jérôme
diff -Nru puppetserver-7.9.5/debian/changelog puppetserver-7.9.5/debian/changelog
--- puppetserver-7.9.5/debian/changelog	2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/changelog	2023-05-07 11:09:17.000000000 -0400
@@ -1,3 +1,10 @@
+puppetserver (7.9.5-2) unstable; urgency=medium
+
+  * abort service start/reload if mainpid dies (Closes: #1032241)
+  * add patch fixing CVE-2023-1894 (Closes: #1035541)
+
+ -- Jérôme Charaoui <jerome@riseup.net>  Sun, 07 May 2023 11:09:17 -0400
+
 puppetserver (7.9.5-1) unstable; urgency=medium
 
   * New upstream version 7.9.5
diff -Nru puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
--- puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch	1969-12-31 19:00:00.000000000 -0500
+++ puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch	2023-05-07 11:09:17.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?b?SsOpcsO0bWUgQ2hhcmFvdWk=?= <jerome@riseup.net>
+Date: Sun, 7 May 2023 11:00:09 -0400
+Subject: Backport fix for CVE-2023-1894
+
+Forwarded: not-needed
+Bug: https://tickets.puppetlabs.com/browse/PE-35786
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
+Origin:
+  commit, https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc
+  backport, https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2
+---
+ .../puppetserver/certificate_authority.clj         | 33 +++++++++++++++++---
+ .../puppetserver/certificate_authority_test.clj    | 36 ++++++++++++++--------
+ 2 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+index 46429f4..16ab834 100644
+--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
++++ b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+@@ -787,6 +787,11 @@
+       (utils/subject-alt-names {:dns-name (conj default-alt-names host-name)} false)
+       (utils/subject-alt-names (update alt-names-list :dns-name conj host-name) false))))
+ 
++
++(def pattern-match-dot #"\.")
++(def pattern-starts-with-alphanumeric-or-underscore #"^[\p{Alnum}_].*")
++(def pattern-matches-alphanumeric-with-symbols-string #"^[\p{Alnum}\-_]*[\p{Alnum}_]$")
++
+ (schema/defn validate-subject!
+   "Validate the CSR or certificate's subject name.  The subject name must:
+     * match the hostname specified in the HTTP request (the `subject` parameter)
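Review bot: the three new `def`s lack a comment stating why they are written this way: each is an anchored pattern built from a single character class with one quantifier, which is what keeps matching linear in the length of the subject, and a note such as `;; keep these free of nested or alternated quantifiers (CVE-2023-1894)` above `pattern-match-dot` would stop a later edit from reintroducing backtracking. Two properties of Java's `\p{Alnum}` are also worth recording there: it is ASCII-only unless the pattern is compiled with `UNICODE_CHARACTER_CLASS`, and it includes uppercase letters, so the per-segment checks rely on the `contains-uppercase?` rejection that runs earlier in `validate-subject!`.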
+@@ -795,12 +800,16 @@
+     * not contain the wildcard character (*)"
+   [hostname :- schema/Str
+    subject :- schema/Str]
++  (log/debug (i18n/trs "Checking \"{0}\" for validity" subject))
++
+   (when-not (= hostname subject)
++    (log/infof "Rejecting subject \"%s\" because it doesn't match hostname \"%s\"" subject hostname)
+     (sling/throw+
+       {:kind :hostname-mismatch
+-       :msg  (i18n/tru "Instance name \"{0}\" does not match requested key \"{1}\"" subject hostname)}))
++       :msg  (format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)}))
+ 
+   (when (contains-uppercase? hostname)
++    (log/info (i18n/tru "Rejecting subject \"{0}\" because all characters must be lowercase" subject))
+     (sling/throw+
+       {:kind :invalid-subject-name
+        :msg  (i18n/tru "Certificate names must be lower case.")}))
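Review bot: the mismatch message at `:msg (format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)` drops `i18n/tru` in favour of `format`, so it becomes the only `:msg` in the function that is no longer translatable; unless the switch is deliberate, keeping `i18n/tru` here is the smaller change. The added `log/infof` line is likewise the one rejection log that bypasses `i18n/tru`, while the uppercase branch below uses `(log/info (i18n/tru ...))`; using one form for all of them keeps the log messages consistent for anyone alerting on them.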
+@@ -809,11 +818,25 @@
+     (sling/throw+
+       {:kind :invalid-subject-name
+        :msg  (i18n/tru "Subject contains a wildcard, which is not allowed: {0}" subject)}))
+-  
+-  (when-not (re-matches #"^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$" subject)
++
++  (when (str/ends-with? subject "-")
++    (log/info (i18n/tru "Rejecting subject \"{0}\" as it ends with an invalid character" subject))
+     (sling/throw+
+-      {:kind :invalid-subject-name
+-       :msg  (i18n/tru "Subject hostname format is invalid")})))
++     {:kind :invalid-subject-name
++      :msg  (i18n/tru "Subject hostname format is invalid")}))
++
++  (let [segments (str/split subject pattern-match-dot)]
++    (when-not (re-matches pattern-starts-with-alphanumeric-or-underscore (first segments))
++      (log/info (i18n/tru "Rejecting subject \"{0}\" as it starts with an invalid character" subject))
++      (sling/throw+
++        {:kind :invalid-subject-name
++         :msg  (i18n/tru "Subject hostname format is invalid")}))
++
++    (when-not (every? #(re-matches pattern-matches-alphanumeric-with-symbols-string %) segments)
++      (log/info (i18n/tru "Rejecting subject \"{0}\" because it contains invalid characters" subject))
++      (sling/throw+
++        {:kind :invalid-subject-name
++         :msg  (i18n/tru "Subject hostname format is invalid")}))))
+ 
+ (schema/defn allowed-extension?
+   "A predicate that answers if an extension is allowed or not.
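Review bot: the replaced `re-matches` line is the root cause being fixed: its `(?:(?:[a-z0-9\-_]*|...)*[a-z0-9]+)?` nests an unbounded group inside another, so a subject that fails to match forces exponential backtracking, whereas `str/split` plus one `re-matches` of a flat pattern per segment is linear in the subject length. One edge case is inherited from Java's `String.split`, which `str/split` wraps: trailing empty strings are dropped (which is why `"rootca."` now validates), and a subject consisting only of dots, such as `"."`, splits to an empty vector, so `(first segments)` is `nil` and `re-matches` on `nil` would throw a NullPointerException instead of the intended `:invalid-subject-name` unless something earlier in the request path rejects it; a `(when (empty? segments) (sling/throw+ ...))` before the `(first segments)` check, with a test for it, closes that. Consecutive dots still yield an empty middle segment, which `pattern-matches-alphanumeric-with-symbols-string` rejects (it requires at least one character), so that behaviour is unchanged. The new `(str/ends-with? subject "-")` branch is redundant with the last-character requirement of the per-segment pattern but gives a more specific log line; a short comment saying so would keep someone from removing either check as dead code.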
+diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+index 7df5e75..c8d4c7a 100644
+--- a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
++++ b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+@@ -1635,19 +1635,31 @@
+          (validate-subject!
+           "" ""))))
+ 
+-  (testing "an exception is thrown when the hostnames contain multiple dots in a row"
+-    (is (thrown+?
+-         [:kind :invalid-subject-name
+-          :msg "Subject hostname format is invalid"]
+-         (validate-subject!
+-          "rootca..example.org" "rootca..example.org"))))
++  (testing "subjects that end end in dot are valid"
++    (is (nil?
++          (validate-subject!
++           "rootca." "rootca."))))
+ 
+-  (testing "an exception is thrown when the hostnames end in dot"
+-    (is (thrown+?
+-         [:kind :invalid-subject-name
+-          :msg "Subject hostname format is invalid"]
+-         (validate-subject!
+-          "rootca." "rootca."))))
++  (testing "subjects that end in an underscore are valid"
++    (is (nil?
++          (validate-subject!
++            "rootca_" "rootca_"))))
++
++  (testing "subjects that start in an underscore are valid"
++    (is (nil?
++          (validate-subject!
++            "_x-puppet._tcp.example.com" "_x-puppet._tcp.example.com"))))
++
++  (testing "single letter segments are valid"
++    (is (nil?
++          (validate-subject!
++            "a.example.com" "a.example.com")))
++    (is (nil?
++          (validate-subject!
++            "_.example.com" "_.example.com")))
++    (is (nil?
++          (validate-subject!
++            "foo.a.example.com" "foo.a.example.com"))))
+ 
+   (testing "Single word hostnames are allowed"
+     (is (nil?
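Review bot: typo in the test description at `(testing "subjects that end end in dot are valid"` (doubled "end"). The test removed above for `"rootca..example.org"` covers behaviour the new code keeps, since the empty middle segment fails `pattern-matches-alphanumeric-with-symbols-string`, so it could stay as a regression test; the branches that are new and untested here are the `ends-with? "-"` rejection and a subject that is only dots (`"."`), and a case for each would round out this change.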
diff -Nru puppetserver-7.9.5/debian/patches/series puppetserver-7.9.5/debian/patches/series
--- puppetserver-7.9.5/debian/patches/series	2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/patches/series	2023-05-07 11:09:17.000000000 -0400
@@ -7,3 +7,4 @@
 0007-Adapt-JRuby-environment-test-for-Debian.patch
 0008-Adjust-defaults-paths.patch
 0009-Remove-call-to-symlink-cadir.patch
+0010-Backport-fix-for-CVE-2023-1894.patch
diff -Nru puppetserver-7.9.5/debian/puppetserver.service puppetserver-7.9.5/debian/puppetserver.service
--- puppetserver-7.9.5/debian/puppetserver.service	2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/puppetserver.service	2023-03-12 11:08:38.000000000 -0400
@@ -15,6 +15,10 @@
 
 UMask=027
 
+# the startup and reload commands rely on the trapperkeeper
+# restartfile to sync with the process' internal readiness
+# if the mainpid dies while loading, it will abort
+
 ExecStartPre=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
 ExecStart=/usr/bin/java $JAVA_ARGS \
     -Djruby.lib=/usr/share/jruby/lib \
@@ -25,12 +29,11 @@
     --bootstrap-config /etc/puppet/puppetserver/services.d \
     --restart-file ${RUNTIME_DIRECTORY}/restart \
     $TK_ARGS
-ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done"
+ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
 
-ExecReload=sh -c " \
-    echo -n 0 > ${RUNTIME_DIRECTORY}/restart; \
-    kill -HUP $MAINPID; \
-    while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done"
+ExecReload=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
+ExecReload=kill -HUP $MAINPID
+ExecReload=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
 
 SuccessExitStatus=143
 
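Review bot: both polling loops are unbounded on their own, so a main process that stays alive but never flips the restart file to `1` is caught only by the unit's start timeout (`TimeoutStartSec`, 90 s by default, which also bounds `ExecReload`); that is acceptable but deserves a line in the comment block added above `ExecStartPre`. Splitting the old single `ExecReload` into three lines is the right shape, since systemd runs multiple `ExecReload` lines in order and marks the reload failed at the first non-zero exit, which is exactly what `exit 1` in the loop produces. One subtlety to document: in `ExecReload=kill -HUP $MAINPID` the variable is a separate word that systemd expands itself, while inside the `sh -c "..."` strings `$MAINPID` reaches the shell through the `MAINPID` environment variable; an empty value there makes `kill -0` fail and aborts the start or reload immediately, so the weeks of production use reported in the request are a meaningful check that it is set for `ExecStartPost` as well as for `ExecReload`.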

--- End Message ---
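As an added example (not puppetserver's code and not part of the request above), here is the segment-based subject check that the backported patch puts into `validate-subject!`, ported to Python so the accepted and rejected cases from the patch's test file can be run offline. The port keeps the Clojure function's order of checks and reproduces the Java `String.split` behaviour that `str/split` inherits (leading empty segments kept, trailing ones dropped); the bodies of the uppercase and wildcard checks are assumed from the function's docstring because the diff does not show them, and a subject made only of dots is rejected explicitly rather than reproducing the empty-split case.

```python
import re
from typing import List, Optional

# Added example: a Python port of the segment-based subject-name check from the
# backported CVE-2023-1894 patch. It is not puppetserver's code; it mirrors the
# order of checks in the Clojure validate-subject! function.

# ASCII-only, like Java's \p{Alnum} without UNICODE_CHARACTER_CLASS. Each
# pattern is a single character class with one quantifier: no nesting, no
# alternation, so fullmatch runs in time linear in the segment length.
STARTS_WITH_ALNUM_OR_UNDERSCORE = re.compile(r"[A-Za-z0-9_].*")
ALNUM_WITH_SYMBOLS_SEGMENT = re.compile(r"[A-Za-z0-9_-]*[A-Za-z0-9_]")


def java_split_on_dot(s: str) -> List[str]:
    """Split on '.' with Java String.split(regex) semantics.

    Java keeps leading empty strings, drops trailing empty strings, and returns
    [s] when the delimiter is absent (including for the empty string). A string
    made only of dots therefore yields an empty list.
    """
    if "." not in s:
        return [s]
    parts = s.split(".")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def validate_subject(hostname: str, subject: str) -> Optional[str]:
    """Return None if the subject is acceptable, else the rejection kind.

    The kinds mirror the :kind keywords used in the patch. The uppercase and
    wildcard conditions are assumed from the docstring of validate-subject!,
    which the diff quotes but whose condition lines it does not show.
    """
    if hostname != subject:
        return "hostname-mismatch"
    if any(c.isupper() for c in hostname):       # contains-uppercase? (assumed)
        return "invalid-subject-name"
    if "*" in subject:                            # wildcard check (assumed)
        return "invalid-subject-name"
    if subject.endswith("-"):                     # (str/ends-with? subject "-")
        return "invalid-subject-name"

    segments = java_split_on_dot(subject)
    # A subject made only of dots splits to []; the port rejects it explicitly
    # instead of indexing into an empty list.
    if not segments:
        return "invalid-subject-name"
    # First segment must start with an alphanumeric character or underscore.
    if not STARTS_WITH_ALNUM_OR_UNDERSCORE.fullmatch(segments[0]):
        return "invalid-subject-name"
    # Every segment: alnum/'-'/'_' body, at least one character, not ending in '-'.
    if not all(ALNUM_WITH_SYMBOLS_SEGMENT.fullmatch(seg) for seg in segments):
        return "invalid-subject-name"
    return None


if __name__ == "__main__":
    # Constructed sample subjects taken from the patch's test file plus a few
    # edge cases; each line prints the subject and the validation result.
    for name in ["rootca.", "rootca_", "_x-puppet._tcp.example.com",
                 "a.example.com", "foo-", "rootca..example.org", ".", ""]:
        print(repr(name), "->", validate_subject(name, name))
```

The `fullmatch` calls correspond to `re-matches`, which also requires the whole segment to match; the old regex with nested quantifiers is deliberately not reproduced here, since the point of the shape above is that no input can make the check backtrack.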
--- Begin Message ---
Hi,

On 11-05-2023 17:36, Jérôme Charaoui wrote:
> Uploaded to unstable. Thanks!

and unblocked and aged.

Paul
PS: while not a regression, the autopkgtest fails on armel. Have you checked why that is?



--- End Message ---