puppet: CVE-2013-3567

Debian Bug report logs - #712745
puppet: CVE-2013-3567

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: puppet: CVE-2013-3567

Date: Wed, 19 Jun 2013 07:17:00 +0200

Package: puppet
Severity: grave
Tags: security

Please see http://puppetlabs.com/security/cve/cve-2013-3567/ for more information.

Cheers,
        Moritz

Message #12 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: 712745@bugs.debian.org

Subject: Re: Bug#7712745: puppet: CVE-2013-3567

Date: Wed, 19 Jun 2013 19:57:22 +0200

Hi,

Upstream provided me with the following gist against 2.6.18 that fixes
this vulnerability:

https://gist.github.com/stahnma/d7598b49a4abc07845b9

Haven't checked how much backporting is needed.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Message #17 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: 712745@bugs.debian.org

Subject: Re: Bug#7712745: puppet: CVE-2013-3567

Date: Thu, 20 Jun 2013 12:21:11 +0200

[Message part 1 (text/plain, inline)]

Hi,

Attached patch is an untested backport.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

[CVE-2013-3567.patch (application/octet-stream, attachment)]

Message #22 received at 712745-close@bugs.debian.org (full text, mbox, reply):

From: Stig Sandbeck Mathisen <ssm@debian.org>

To: 712745-close@bugs.debian.org

Subject: Bug#712745: fixed in puppet 3.2.2-1

Date: Thu, 20 Jun 2013 13:18:30 +0000

Source: puppet
Source-Version: 3.2.2-1

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 712745@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stig Sandbeck Mathisen <ssm@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Jun 2013 11:45:46 +0200
Source: puppet
Binary: puppet-common puppet puppetmaster-common puppetmaster puppetmaster-passenger vim-puppet puppet-el puppet-testsuite
Architecture: source all
Version: 3.2.2-1
Distribution: unstable
Urgency: high
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Stig Sandbeck Mathisen <ssm@debian.org>
Description: 
 puppet     - Centralized configuration management - agent startup and compatib
 puppet-common - Centralized configuration management
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - Centralized configuration management - test suite
 puppetmaster - Centralized configuration management - master startup and compati
 puppetmaster-common - Puppet master common scripts
 puppetmaster-passenger - Centralised configuration management - master setup to run under
 vim-puppet - syntax highlighting for puppet manifests in vim
Closes: 675409 709636 712745
Changes: 
 puppet (3.2.2-1) unstable; urgency=high
 .
   * New upstream version (Closes: #712745, CVE-2013-3567)
     - use packaged ruby-safe-yaml instead of the vendored gem
   * Support apache 2.4 (Closes: #675409)
   * Remove dependency on rails (Closes: #709636)
   * Remove build dependency on ruby-rspec
   * add dep8 tests
   * puppetmaster-passenger.postinst: check if puppet.conf can be parsed on
     install.
     Thanks to Ubuntu
Checksums-Sha1: 
 f79ccb4e58b8856672aeb2acf5f493ea4eda7634 1780 puppet_3.2.2-1.dsc
 095afefd4562882e36b926707ed1c78e50402651 1784340 puppet_3.2.2.orig.tar.gz
 8053ab74d17894ac8bc6871917ebfd329f8ce436 34312 puppet_3.2.2-1.debian.tar.gz
 f23eab1973a63efe27d15abf36a0aaf5a4fc4e5f 958792 puppet-common_3.2.2-1_all.deb
 ce8e35c65ca69f4a8e3334a3534cf9fc6271edda 24922 puppet_3.2.2-1_all.deb
 32caae8efe75fd76c74136c65589f25a7598327b 25178 puppetmaster-common_3.2.2-1_all.deb
 c38cd20e9adf58904b0de403d9606144db2a958a 24150 puppetmaster_3.2.2-1_all.deb
 4df85b788131361122d56882cff02cc1892b7319 25574 puppetmaster-passenger_3.2.2-1_all.deb
 91876b1c8fa7891a40c50b7968b647c6b1f50b44 25142 vim-puppet_3.2.2-1_all.deb
 50a3198450fd1239f996b7b89d5e9fb53e3bcb5c 26514 puppet-el_3.2.2-1_all.deb
 db88a3163391edd1b49994cb080cd6699bb864ab 771166 puppet-testsuite_3.2.2-1_all.deb
Checksums-Sha256: 
 70637575ef176a5d9538f98fde71dd7abafcf6c7eee8477f5cbe06de85cc665d 1780 puppet_3.2.2-1.dsc
 c47745aa73912b2cb1a20b07e8741b8af37a920b9bc8dc8afb14b23d8df7d13d 1784340 puppet_3.2.2.orig.tar.gz
 b1e26261bffe2c199e612334471a229f4f0b978e9f2a6eefd3fb6a5b530243bd 34312 puppet_3.2.2-1.debian.tar.gz
 c892aae59ceb09526c560aa7837f6686383facd4f3923055d6702a715c8a7ac9 958792 puppet-common_3.2.2-1_all.deb
 3e0493a75db8e8c94889c43409af67f12309ea95404ba41d3893c5ffec72158c 24922 puppet_3.2.2-1_all.deb
 4ab0910c615a361c67dd45e7d7a517fb1bfae9c4e3190cf562525e2b4c707a0b 25178 puppetmaster-common_3.2.2-1_all.deb
 88ec84863b87ca3ce87654b65fa074184e207d368a8bb673f425c2885add7792 24150 puppetmaster_3.2.2-1_all.deb
 14fe9d233e72ed90f447e64eb67452b91dda7df8cabf6e5e3c4d2f75a349fb7a 25574 puppetmaster-passenger_3.2.2-1_all.deb
 cbb14f0f6d1f9e897a70972fc1ffa81f897d767d40cf7230c9c6a6bf92928b28 25142 vim-puppet_3.2.2-1_all.deb
 7bcef49eb942b3274a0c19a970652dd5870e3c72e0c0fe03c65be9a6b904b1df 26514 puppet-el_3.2.2-1_all.deb
 f1a891f67e00a1e45fccd99cdae331d54a9d52ba2e6f0e175be4f897746ffe98 771166 puppet-testsuite_3.2.2-1_all.deb
Files: 
 e487763fad42e34e589ebf422a77ea54 1780 admin optional puppet_3.2.2-1.dsc
 318de47ab9e7d41cce98c1cbc5d33cc1 1784340 admin optional puppet_3.2.2.orig.tar.gz
 8838bc4981f36a1df7175a91138110c0 34312 admin optional puppet_3.2.2-1.debian.tar.gz
 bc4587914696322ab7bf215655cd8702 958792 admin optional puppet-common_3.2.2-1_all.deb
 1f8313e1a85c09d2dbbbdd2b83cf4ab2 24922 admin optional puppet_3.2.2-1_all.deb
 c261154f73893b51464905ff6847e2d3 25178 admin optional puppetmaster-common_3.2.2-1_all.deb
 a1f66b2e976b5d8ce8b6a331c3f1d8fc 24150 admin optional puppetmaster_3.2.2-1_all.deb
 7dd83d29a4aee4f560ecf7ab161b606a 25574 admin optional puppetmaster-passenger_3.2.2-1_all.deb
 0586fa1543baa23b34964ea4d3e912e8 25142 admin optional vim-puppet_3.2.2-1_all.deb
 050d9b82a386057c85c73bea45ea3a1a 26514 admin optional puppet-el_3.2.2-1_all.deb
 7600b4961c91e51dcbb60ab70df93039 771166 admin optional puppet-testsuite_3.2.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHC/LQACgkQQONU2fom4u4kWgCeIMF1jPTWEPKXWZGY08gaD4La
HicAmwYc6VZI24r6XKijlQ+kp9RsA6VI
=X5U2
-----END PGP SIGNATURE-----

Message #27 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: 712745@bugs.debian.org

Subject: Re: Bug#7712745: puppet: CVE-2013-3567

Date: Thu, 20 Jun 2013 16:42:11 +0200

[Message part 1 (text/plain, inline)]

On 20 June 2013 12:21, Raphael Geissert <geissert@debian.org> wrote:
> Attached patch is an untested backport.

Less broken version attached, but there are still a couple of bugs left.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

[CVE-2013-3567.v2.patch (application/octet-stream, attachment)]

Message #32 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Stig Sandbeck Mathisen <ssm@debian.org>

To: Raphael Geissert <geissert@debian.org>, 712745@bugs.debian.org

Subject: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Thu, 20 Jun 2013 21:40:37 +0200

On Thu, Jun 20, 2013 at 04:42:11PM +0200, Raphael Geissert wrote:
> On 20 June 2013 12:21, Raphael Geissert <geissert@debian.org> wrote:
> > Attached patch is an untested backport.
> 
> Less broken version attached, but there are still a couple of bugs left.

Wonderful, thanks.  I'll review and test, and see what else needs to
be included.

-- 
Stig

Message #41 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: Stig Sandbeck Mathisen <ssm@debian.org>

Cc: 712745@bugs.debian.org

Subject: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Fri, 21 Jun 2013 17:07:56 +0200

[Message part 1 (text/plain, inline)]

On 20 June 2013 21:40, Stig Sandbeck Mathisen <ssm@debian.org> wrote:
> Wonderful, thanks.  I'll review and test, and see what else needs to
> be included.

As promised via IRC, attached patch is a version that actually works.

Notes:
* There is some code that I backported that remains unused in
squeeze's version. It could be removed to make the diff cleaner.
* I haven't run upstream's test suite on the resulting code.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

[CVE-2013-3567.v3.patch (application/octet-stream, attachment)]

Message #48 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: Stig Sandbeck Mathisen <ssm@debian.org>

Cc: 712745@bugs.debian.org

Subject: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Tue, 25 Jun 2013 18:36:45 +0200

[Message part 1 (text/plain, inline)]

On 21 June 2013 17:07, Raphael Geissert <geissert@debian.org> wrote:
> As promised via IRC, attached patch is a version that actually works.

And now a patch to be applied on top of it to restore the
compatibility of the reports.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

[CVE-2013-3567.fixup-for-v3.patch (application/octet-stream, attachment)]

Message #55 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <crb@tiger-computing.co.uk>

To: Raphael Geissert <geissert@debian.org>

Cc: Stig Sandbeck Mathisen <ssm@debian.org>, 712745@bugs.debian.org

Subject: Re: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Wed, 31 Jul 2013 16:43:29 +0100

On 25/06/13 17:36, Raphael Geissert wrote:
> On 21 June 2013 17:07, Raphael Geissert <geissert@debian.org> wrote:
>> As promised via IRC, attached patch is a version that actually works.
> 
> And now a patch to be applied on top of it to restore the
> compatibility of the reports.

This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
had to roll our own update internally that includes the patch in order
to correctly process reports from other servers.

Are there any plans to push out a 2.7.18-6 update that includes
CVE-2013-3567.fixup-for-v3.patch? Would a source debdiff to do this be
welcome?

Best regards,
Chris

-- 
Chris Boot
Tiger Computing Ltd
"Linux for Business"

Tel: 01600 483 484
Web: http://www.tiger-computing.co.uk
Follow us on Facebook: http://www.facebook.com/TigerComputing

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR

Message #60 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: Chris Boot <crb@tiger-computing.co.uk>

Cc: Stig Sandbeck Mathisen <ssm@debian.org>, 712745@bugs.debian.org

Subject: Re: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Mon, 5 Aug 2013 10:41:45 +0200

Hi Stig, Chris,

Stig: Have you been able to check the report?

I haven't taken a proper look at it, but I think there's at least one
extra field that doesn't correspond to the format version.

On 31 July 2013 17:43, Chris Boot <crb@tiger-computing.co.uk> wrote:
> On 25/06/13 17:36, Raphael Geissert wrote:
>> On 21 June 2013 17:07, Raphael Geissert <geissert@debian.org> wrote:
>>> As promised via IRC, attached patch is a version that actually works.
>>
>> And now a patch to be applied on top of it to restore the
>> compatibility of the reports.
>
> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
> had to roll our own update internally that includes the patch in order
> to correctly process reports from other servers.
>
> Are there any plans to push out a 2.7.18-6 update that includes
> CVE-2013-3567.fixup-for-v3.patch? Would a source debdiff to do this be
> welcome?

Yes, that would be great and help speed things up.

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Message #65 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: Chris Boot <crb@tiger-computing.co.uk>

Cc: 712745@bugs.debian.org

Subject: Re: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567

Date: Tue, 20 Aug 2013 11:02:53 +0200

Hi again,

On 31 July 2013 17:43, Chris Boot <crb@tiger-computing.co.uk> wrote:
> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
> had to roll our own update internally that includes the patch in order
> to correctly process reports from other servers.

Are you sure that this issue wasn't already present before the security update?
After reviewing all the fields I don't see any extra being added or
deleted. There is one issue, however, where the report format wasn't
bumped to version 3 but this comes from upstream:
http://projects.puppetlabs.com/issues/15739

You could check if that is the issue by modifying
transaction/report.rb's initialize to @report_format = 3.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Message #70 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <crb@tiger-computing.co.uk>

To: Raphael Geissert <geissert@debian.org>

Cc: 712745@bugs.debian.org

Subject: Re: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

Date: Tue, 20 Aug 2013 10:22:28 +0100

On 20/08/13 10:02, Raphael Geissert wrote:
> Hi again,
> 
> On 31 July 2013 17:43, Chris Boot <crb@tiger-computing.co.uk> wrote:
>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>> had to roll our own update internally that includes the patch in order
>> to correctly process reports from other servers.
> 
> Are you sure that this issue wasn't already present before the security update?
> After reviewing all the fields I don't see any extra being added or
> deleted. There is one issue, however, where the report format wasn't
> bumped to version 3 but this comes from upstream:
> http://projects.puppetlabs.com/issues/15739
> 
> You could check if that is the issue by modifying
> transaction/report.rb's initialize to @report_format = 3.

Apologies for not sending the debdiff like I said I would. I'll get onto
this now.

We were running 2.7.18-3~bpo60+1 on squeeze without issues. Following
the wheezy upgrade (and going straight to 2.7.18-5) we started seeing
the issues with reports not being processed correctly. The only change I
can attribute this to is the fix for CVE-2013-3567.

The issue was causing reports from squeeze machines (running
2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
version of Puppet, causing invalid reports to be stored to disk and sent
to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
master causes valid reports to be stored on disk and sent to Dashboard
with no changes to the slave nodes.

HTH,
Chris

-- 
Chris Boot
Tiger Computing Ltd
"Linux for Business"

Tel: 01600 483 484
Web: http://www.tiger-computing.co.uk
Follow us on Facebook: http://www.facebook.com/TigerComputing

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR

Message #75 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <debian@bootc.net>

To: 712745@bugs.debian.org

Cc: Raphael Geissert <geissert@debian.org>

Subject: Re: Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

Date: Tue, 20 Aug 2013 10:31:08 +0100

[Message part 1 (text/plain, inline)]

On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot <crb@tiger-computing.co.uk> wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>>> had to roll our own update internally that includes the patch in order
>>> to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security update?
>> After reviewing all the fields I don't see any extra being added or
>> deleted. There is one issue, however, where the report format wasn't
>> bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying
>> transaction/report.rb's initialize to @report_format = 3.
> 
> Apologies for not sending the debdiff like I said I would. I'll get onto
> this now.

Here is the source debdiff for the package that we are carrying
internally. This has been tested on our Puppet master server as well as
all our wheezy Puppet slave machines.

HTH,
Chris

-- 
Chris Boot
debian@bootc.net
GPG: 1DE8 6AB0 1897 A330 D973  D77C 50DD 5A29 FB09 9999

[puppet_2.7.18-5+tcl1.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #80 received at 712745@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: Chris Boot <crb@tiger-computing.co.uk>

Cc: 712745@bugs.debian.org

Subject: Re: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

Date: Tue, 20 Aug 2013 12:18:00 +0200

Hi Chris,

On 20 August 2013 11:22, Chris Boot <crb@tiger-computing.co.uk> wrote:
> The issue was causing reports from squeeze machines (running
> 2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
> version of Puppet, causing invalid reports to be stored to disk and sent
> to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
> master causes valid reports to be stored on disk and sent to Dashboard
> with no changes to the slave nodes.

Er, that's a weird combination of versions, but in any case with the
patch you sent you are downgrading puppet 2.7's report format from
version 2 (3 actually) to version 1.

I personally don't think this has anything to do with the security
update and I'd rather look into the consumer of the reports (puppet
dashboard in this case). Temporarily downgrading to the version prior
the DSA could allow you to confirm whether this is in fact a
regression.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Message #81 received at 712745-done@bugs.debian.org (full text, mbox, reply):

From: Stig Sandbeck Mathisen <ssm@debian.org>

To: 712745-done@bugs.debian.org

Subject: Closing bug

Date: Fri, 20 Sep 2013 22:43:09 +0200

I'm closing this bug on CVE-2013-3567.

If there is still an issue regarding report formats, please report that
as a new bug.

-- 
Stig Sandbeck Mathisen

Send a report that this bug log contains spam.