Remote directory traversal, allows write to arbitrary locations

Bug #861182 reported by Dave Walker
Affects            Status        Importance  Assigned to       Milestone
puppet (Ubuntu)    Fix Released  High        Jamie Strandboge
  Hardy            Won't Fix     High        Unassigned
  Lucid            Fix Released  High        Jamie Strandboge
  Maverick         Fix Released  High        Jamie Strandboge
  Natty            Fix Released  High        Jamie Strandboge
  Oneiric          Fix Released  High        Jamie Strandboge

Bug Description

There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

# Commit message for fix #

I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.

  Author: Daniel Pittman <email address hidden>
  Date:   Sat Sep 24 12:44:20 2011 -0700

  Resist directory traversal attacks through indirections.

  In various versions of Puppet it was possible to cause a directory
  traversal attack through the SSLFile indirection base class.
  This was variously triggered through the user-supplied key, or
  the Subject of the certificate, in the code.

  Now, we detect bad patterns down in the base class for our
  indirections, and fail hard on them. This reduces the attack
  surface with as little disruption to the overall codebase as
  possible, making it suitable to deploy as part of older, stable
  versions of Puppet.

  In the long term we will also address this higher up the stack,
  to prevent these problems from reoccurring, but for now this
  will suffice.

  Huge thanks to Kristian Erik Hermansen <email address hidden>
  for the responsible disclosure, and useful analysis, around
  this defect.

  Signed-off-by: Daniel Pittman <email address hidden>
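An added illustration, not part of the bug report and not Puppet's own patch, of the input validation the commit message describes: an indirection maps a caller-supplied key (a certificate name, in the SSLFile case) to a file under a fixed base directory, and a key containing ".." that is used unchecked resolves to a file outside that directory. The module name, the key policy, the base path and the sample keys below are constructed for this example; the real fix lives in lib/puppet/indirector.rb and lib/puppet/indirector/ssl_file.rb and is not reproduced here.

```ruby
# Added example (not Puppet's code): a naive key-to-path mapping beside a
# hardened one, for the per-key file lookup pattern that CVE-2011-3848 abused.
module SafeIndirectionPath
  # Hypothetical policy chosen for this example: a key is an opaque name, so
  # it must not start with a dot, contain a ".." sequence, or contain a path
  # separator. Failing hard on such keys mirrors the commit message's approach.
  BAD_KEY = %r{\A\.|\.\.|[/\\]}

  # The vulnerable shape: the key is interpolated straight into the path, so
  # File.join happily produces "<base>/../../outside.pem" for a hostile key.
  def self.naive_path(base, key)
    File.join(base, "#{key}.pem")
  end

  # Hardened mapping. First reject keys that violate the policy, then, as a
  # second line of defence, expand the result and confirm it still sits below
  # the base directory. Raises ArgumentError instead of returning a bad path.
  def self.safe_path(base, key)
    k = key.to_s
    if k.empty? || k.include?("\0") || k =~ BAD_KEY
      raise ArgumentError, "invalid indirection key #{k.inspect}"
    end
    base_abs = File.expand_path(base)
    full = File.expand_path(File.join(base_abs, "#{k}.pem"))
    unless full.start_with?(base_abs + File::SEPARATOR)
      raise ArgumentError, "key #{k.inspect} escapes #{base_abs}"
    end
    full
  end

  # Convenience predicate: true when safe_path would accept the key.
  def self.valid_key?(base, key)
    safe_path(base, key)
    true
  rescue ArgumentError
    false
  end
end

if __FILE__ == $0
  # Constructed base directory and keys; nothing is read or written on disk.
  base = "/var/lib/puppet/ssl/private_keys"
  ["agent01.example.com", "../../outside", "foo/../../bar", ""].each do |key|
    puts "#{key.inspect}: naive=#{SafeIndirectionPath.naive_path(base, key)} " \
         "accepted=#{SafeIndirectionPath.valid_key?(base, key)}"
  end
end
```

The regex check alone would already stop the keys shown here; the expand_path check is kept because it catches anything the policy regex did not anticipate and costs nothing, which is the "fail hard in the base class" posture the commit takes.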

Changed in puppet (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in puppet (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in puppet (Ubuntu Natty):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in puppet (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in puppet (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in puppet (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Hardy is in universe and is community supported. I was going to prepare the update for it, but the patch does not apply cleanly (0.24.4). Based on the files that are missing, I don't think it supports ssl, but I haven't looked at this at all.

Marc, if you are interested, feel free to investigate Hardy and prepare a patch if necessary.

Changed in puppet (Ubuntu Hardy):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Incomplete
importance: High → Undecided
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Updated packages have been uploaded to the security PPA for lucid-oneiric and are building now.

Changed in puppet (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in puppet (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in puppet (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in puppet (Ubuntu Oneiric):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I just attached the debdiffs used in the upload. Please test and comment.

Revision history for this message
Marc Cluet (lynxman) wrote :

Test passes on Oneiric both 2.7.1 and 2.7.3 once patched

# rake test
/usr/bin/ruby1.8 -I"lib:lib:../lib" -I"/var/lib/gems/1.8/gems/rake-0.9.2/lib" "/usr/share/puppet-testsuite/test/lib/rake/puppet_test_loader.rb" "language/parser.rb" "language/transportable.rb" "language/snippets.rb" "language/ast.rb" "language/scope.rb" "language/ast/variable.rb" "language/functions.rb" "rails/rails.rb" "rails/railsparameter.rb" "puppet/tc_suidmanager.rb" "puppet/errortest.rb" "puppet/defaults.rb" "ral/manager/attributes.rb" "ral/manager/type.rb" "ral/manager/instances.rb" "ral/manager/provider.rb" "ral/manager/manager.rb" "ral/providers/cron/crontab.rb" "ral/providers/sshkey/parsed.rb" "ral/providers/group.rb" "ral/providers/port/parsed.rb" "ral/providers/nameservice.rb" "ral/providers/mailalias/aliases.rb" "ral/providers/user.rb" "ral/providers/host/parsed.rb" "ral/providers/user/useradd.rb" "ral/providers/package/aptitude.rb" "ral/providers/package/aptrpm.rb" "ral/providers/provider.rb" "ral/providers/service/base.rb" "ral/providers/package.rb" "ral/providers/parsedfile.rb" "ral/type/zone.rb" "ral/type/sshkey.rb" "ral/type/mailalias.rb" "ral/type/exec.rb" "ral/type/yumrepo.rb" "ral/type/service.rb" "ral/type/cron.rb" "ral/type/user.rb" "ral/type/file/target.rb" "ral/type/file.rb" "ral/type/resources.rb" "ral/type/host.rb" "ral/type/filesources.rb" "ral/type/fileignoresource.rb" "ral/type/port.rb" "certmgr/inventory.rb" "certmgr/support.rb" "certmgr/certmgr.rb" "util/log.rb" "util/subclass_loader.rb" "util/execution.rb" "util/storage.rb" "util/fileparsing.rb" "util/instance_loader.rb" "util/pidlock.rb" "util/metrics.rb" "util/utiltest.rb" "util/inifile.rb" "util/package.rb" "util/settings.rb" "util/classgen.rb" "network/client/ca.rb" "network/client/dipper.rb" "network/authstore.rb" "network/xmlrpc/server.rb" "network/xmlrpc/client.rb" "network/xmlrpc/webrick_servlet.rb" "network/xmlrpc/processor.rb" "network/authorization.rb" "network/handler/ca.rb" "network/handler/report.rb" "network/handler/master.rb" "network/handler/runner.rb" 
"network/handler/fileserver.rb" "network/client_request.rb" "network/server/webrick.rb" "network/server/mongrel_test.rb" "network/rights.rb" "network/authconfig.rb" "other/transactions.rb" "other/report.rb" "other/relationships.rb" "other/puppet.rb" "other/provider.rb"
Install RRD for metric reporting tests
Loaded suite /usr/share/puppet-testsuite/test/lib/rake/puppet_test_loader
Started
..........................................................."/tmp/puppettesting21082/configdir59/ssl/private_keys/ONEIRIC.LOCALDOMAIN.pem"
.....................................F.....................E..........E........F.....................................................................FF...................................................F...................................................................................................................................................E..........E.....................................................................................F.E.F.F........................................
Finished in 133.144193 seconds.

I also tried manually, it looks good

Revision history for this message
Michael Stahnke (stahnma) wrote :

0.24.x certainly had SSL support. Is there any chance you could bump the version of Puppet in Hardy?

Revision history for this message
Marc Cluet (lynxman) wrote :

Test passes in Lucid, both unit test and manual test

# rake unit
(in /usr/share/puppet-testsuite)
cd test; rake
(in /usr/share/puppet-testsuite/test)
/usr/bin/ruby1.8 -I"lib:lib:../lib" "/usr/share/puppet-testsuite/test/lib/rake/puppet_test_loader.rb" "executables/puppetmodule.rb" "certmgr/certmgr.rb" "certmgr/support.rb" "certmgr/inventory.rb" "certmgr/ca.rb" "language/snippets.rb" "language/resource.rb" "language/transportable.rb" "language/ast.rb" "language/parser.rb" "language/ast/resource.rb" "language/ast/selector.rb" "language/ast/variable.rb" "language/ast/resource_reference.rb" "language/ast/casestatement.rb" "language/scope.rb" "language/functions.rb" "ral/type/yumrepo.rb" "ral/type/user.rb" "ral/type/zone.rb" "ral/type/fileignoresource.rb" "ral/type/resources.rb" "ral/type/host.rb" "ral/type/service.rb" "ral/type/exec.rb" "ral/type/mailalias.rb" "ral/type/group.rb" "ral/type/sshkey.rb" "ral/type/cron.rb" "ral/type/port.rb" "ral/type/file/target.rb" "ral/type/filesources.rb" "ral/type/file.rb" "ral/manager/provider.rb" "ral/manager/instances.rb" "ral/manager/type.rb" "ral/manager/manager.rb" "ral/manager/attributes.rb" "ral/providers/package/aptrpm.rb" "ral/providers/package/aptitude.rb" "ral/providers/user/useradd.rb" "ral/providers/user.rb" "ral/providers/provider.rb" "ral/providers/sshkey/parsed.rb" "ral/providers/host/parsed.rb" "ral/providers/mailalias/aliases.rb" "ral/providers/cron/crontab.rb" "ral/providers/group.rb" "ral/providers/port/parsed.rb" "ral/providers/nameservice.rb" "ral/providers/service/base.rb" "ral/providers/service/debian.rb" "ral/providers/package.rb" "ral/providers/parsedfile.rb" "rails/rails.rb" "rails/railsparameter.rb" "puppet/tc_suidmanager.rb" "puppet/defaults.rb" "puppet/errortest.rb" "other/dsl.rb" "other/provider.rb" "other/events.rb" "other/relationships.rb" "other/transactions.rb" "other/report.rb" "other/puppet.rb" "util/utiltest.rb" "util/storage.rb" "util/execution.rb" "util/classgen.rb" "util/fileparsing.rb" "util/pidlock.rb" "util/settings.rb" "util/metrics.rb" "util/instance_loader.rb" "util/package.rb" "util/subclass_loader.rb" "util/inifile.rb" "util/log.rb" 
"network/xmlrpc/client.rb" "network/xmlrpc/server.rb" "network/xmlrpc/processor.rb" "network/xmlrpc/webrick_servlet.rb" "network/authconfig.rb" "network/handler/resource.rb" "network/handler/master.rb" "network/handler/fileserver.rb" "network/handler/bucket.rb" "network/handler/ca.rb" "network/handler/runner.rb" "network/handler/report.rb" "network/rights.rb" "network/authstore.rb" "network/client/resource.rb" "network/client/ca.rb" "network/client/dipper.rb" "network/client_request.rb" "network/authorization.rb" "network/server/webrick.rb" "network/server/mongrel_test.rb"
You must be a member of more than one group to test transactions
Install RRD for metric reporting tests
Loaded suite /usr/share/puppet-testsuite/test/lib/rake/puppet_test_loader
Started
....................................................................................................F............FF.......F........................E..................................................................................................Not testing attr members of group
....


Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Michael, we typically only backport fixes to older releases and upgrading to a new version would require an SRU (Stable Release Update) and would be outside of the security update process. I did a debdiff between hardy and lucid, and the delta appears massive with 169983 lines of diff. Perhaps someone here wants to drive this using the https://wiki.ubuntu.com/StableReleaseUpdates process?

Changed in puppet (Ubuntu Hardy):
status: Incomplete → Confirmed
importance: Undecided → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'm actually going to use this debdiff for natty, since it allows 'rake spec' to run.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Natty passes.
Lucid and Maverick pass but I sometimes get test failures in test_parse_line(TestCronParsedProvider) (via 'cd /usr/share/puppet-testsuite ; sudo rake unit'). I think this test may be racy, cause I have seen it in unpatched Maverick and patched Lucid. The failure (from Lucid) is:

  2) Failure:
test_parse_line(TestCronParsedProvider)
    [./ral/providers/cron/crontab.rb:76:in `assert_record_equal'
     ./ral/providers/cron/crontab.rb:123:in `test_parse_line'
     ./ral/providers/cron/crontab.rb:122:in `each'
     ./ral/providers/cron/crontab.rb:122:in `test_parse_line'
     /usr/lib/ruby/1.8/mocha/integration/test_unit/ruby_version_186_and_above.rb:19:in `__send__'
     /usr/lib/ruby/1.8/mocha/integration/test_unit/ruby_version_186_and_above.rb:19:in `run']:
not an instance of a hash in record for {:record_type=>:blank, :line=>""} in full match.
<nil> expected to be an instance of
<Hash> but was
<NilClass>.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Michael, what is the expected time of upstream's release?

Revision history for this message
Michael Stahnke (stahnma) wrote :

I am in the process of releasing now. I will update the bug when complete. (two hours or so)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ok, yes test_parse_line(TestCronParsedProvider) is non-deterministic. I ran 'rake unit' in a loop with the patched versions and saw sometimes it failed and sometimes passed, so I am ignoring that failure.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unembargoing since the tarballs are live and based on Marc's correspondence with Michael.

Revision history for this message
Michael Stahnke (stahnma) wrote : Re: [Bug 861182] Re: Remote directory traversal, allows write to arbitrary locations

Yes, please do. I missed this bug in my updates, and attempts to
communicate with everybody.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Michael, I think Marc mentioned this to you already, but feel free to add <email address hidden> to your list of contacts for the future. Thanks for all your help on this! :)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.1-1ubuntu2

---------------
puppet (2.7.1-1ubuntu2) oneiric; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden> Wed, 28 Sep 2011 07:55:44 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.6.4-2ubuntu2.2

---------------
puppet (2.6.4-2ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
  * debian/patches/fix-rake-spec-missing-require.patch: allow 'rake spec'
    to run again
 -- Jamie Strandboge <email address hidden> Wed, 28 Sep 2011 08:26:38 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.6.1-0ubuntu2.1

---------------
puppet (2.6.1-0ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden> Wed, 28 Sep 2011 08:28:21 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 0.25.4-2ubuntu6.2

---------------
puppet (0.25.4-2ubuntu6.2) lucid-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master (LP: #861182)
    - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb,
      lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and
      spec/unit/indirector/yaml.rb to perform proper input validation.
      Patch from upstream (Daniel Pittman <email address hidden>)
      6e5a821cbf94b220dfc021ff7ebad0831c60e207
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden> Wed, 28 Sep 2011 08:30:14 -0500

Changed in puppet (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in puppet (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in puppet (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in puppet (Ubuntu Oneiric):
status: Fix Committed → Fix Released
description: updated
visibility: private → public
Changed in puppet (Ubuntu Hardy):
status: Confirmed → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking bug as public, since the issue is public now. I have uploaded untested hardy packages for this and the other CVE that affects hardy to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages. These patches came from upstream and applied cleanly. Since this is in universe, can somebody test these on Hardy? Once this is done, I will be happy to push it to hardy-security.

tags: added: security-verification
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Pocket copied puppet to hardy-proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
removed: security-verification
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Revision history for this message
Martin Pitt (pitti) wrote :

Can anyone test the hardy update?

Revision history for this message
Brian Murray (brian-murray) wrote : [puppet/hardy] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for hardy for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Revision history for this message
Brian Murray (brian-murray) wrote :

The version of puppet in hardy-proposed has been removed as the bugs it was fixing (including this one) were not verified in a timely fashion.

Changed in puppet (Ubuntu Hardy):
status: Fix Committed → Triaged
tags: removed: verification-needed
tags: removed: removal-candidate
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against hardy is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in puppet (Ubuntu Hardy):
status: Triaged → Won't Fix