(CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408,3864,3865,3866,3867})

[distro-maint] New Security Vulnerabilities in Puppet [ Confidential ]
gentoo
 x
Moses Mendoza <email address hidden>

Jul 5 (1 day ago)

to distro-maintai.
Internal and external security audits initiated by Puppet Labs have
returned five vulnerabilities (two high, one moderate, and two low) in
puppet. We have requested four CVEs for vulnerabilities 1 - 4, and
will send an update once we have received them from Mitre. We are
working with distribution maintainers and key customers to ensure
we are able to patch the vulnerabilities before any are exploited.

The vulnerabilities discussed in this email have not been publicly
disclosed. One of the attack vectors of vulnerability #1 was
temporarily made public in our ticket tracker. This was addressed but
the vulnerability may have leaked.

We appreciate your consideration to the sensitivity of this information,
and respectfully ask that you refrain from publicly disclosing the contents
of this email until our planned disclosure date, Tuesday, July 10, 2012
at 5:00 PM Pacific Time. On this date we plan to release updated packages
along with a public disclosure.

We have included patches for the following versions of puppet in the
2.6.x and 2.7.x series:
2.6.4
2.6.16
2.7.9
2.7.17

We have tested that the 2.6.17 patch applies cleanly to 2.6.9, and
the 2.7.17 patch applies to 2.7.12. If you have any trouble applying
these or need help with patches for additional Puppet versions, please
let us know. We would be glad to help.

We are currently packaging new releases of Puppet addressing the
vulnerabilities. This will result in the following new Puppet versions:
 * Puppet 2.6.17
 * Puppet 2.7.18
 * Hotfixes will be released for Puppet Enterprise 1.0, 1.1, 1.2.4, and
   2.0.3.
 * For users of Puppet Enterprise 2.5.x, updated packages will be
   included with the forthcoming release of Puppet Enterprise 2.5.2.

# Vulnerability Summary #

Vulnerability 1 (CVE TBD)
 Arbitrary file read on the puppet master from authenticated clients (high)
 *Affected/Patched Versions: 2.7.x, 2.6.x
    It is possible to construct an HTTP get request from an authenticated
    client with a valid certificate that will return the contents of an arbitrary
    file on the Puppet master that the master has read-access to.
Vulnerability 2 (CVE TBD) Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high)
*Affected/Patched Versions: 2.7.x, 2.6.x
Given a Puppet master with the "Delete" directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.
Vulnerability 3 (CVE TBD)
last_run_report.yaml is world readable (medium)
*Affected/Patched Versions: 2.7.x
The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Pu...

Thanks for the report, Matthew.

*** Bug 425846 has been marked as a duplicate of this bug. ***

sorry for delay.
2.7.18 in cvs. please mark stable 2.7.18.

(In reply to comment #3)
> sorry for delay.
> 2.7.18 in cvs. please mark stable 2.7.18.

Thanks.

Arches, please test and mark stable:
=app-admin/puppet-2.7.18
Target Keywords: "amd64 hppa ppc sparc x86"

x86 stable

Stable for HPPA.

amd64 stable

CVE-2012-3867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3867):
  lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x
  before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly
  restrict the characters in the Common Name field of a Certificate Signing
  Request (CSR), which makes it easier for user-assisted remote attackers to
  trick administrators into signing a crafted agent certificate via ANSI
  control sequences.

CVE-2012-3866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3866):
  lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise
  before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows
  local users to obtain sensitive configuration information by leveraging
  access to the puppet master server to read this file.

CVE-2012-3865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3865):
  Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet
  before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2,
  when Delete is enabled in auth.conf, allows remote authenticated users to
  delete arbitrary files on the puppet master server via a .. (dot dot) in a
  node name.

CVE-2012-3864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3864):
  Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before
  2.5.2, allows remote authenticated users to read arbitrary files on the
  puppet master server by leveraging an arbitrary user's certificate and
  private key in a GET request.

are you sure its stable?

vv@crusader /var/db/pkg $ emerge -pvt puppet

These are the packages that would be merged, in reverse order:

Calculating dependencies |

!!! Problem resolving dependencies for app-admin/puppet
... done!

!!! The ebuild selected to satisfy "puppet" has unmet requirements.
- app-admin/puppet-2.7.18::gentoo USE="-augeas -diff -doc -emacs -ldap -minimal -rrdtool (-selinux) -shadow -sqlite3 -test -vim-syntax -xemacs" RUBY_TARGETS="-ruby18"

  The following REQUIRED_USE flag constraints are unsatisfied:
    ruby_targets_ruby18

  The above constraints are a subset of the following complete expression:
    any-of ( ruby_targets_ruby18 )

vv@crusader /var/db/pkg $

(In reply to comment #9)
> are you sure its stable?
>
>
> vv@crusader /var/db/pkg $ emerge -pvt puppet
>
> These are the packages that would be merged, in reverse order:
>
> Calculating dependencies |
>
> !!! Problem resolving dependencies for app-admin/puppet
> ... done!
>
> !!! The ebuild selected to satisfy "puppet" has unmet requirements.
> - app-admin/puppet-2.7.18::gentoo USE="-augeas -diff -doc -emacs -ldap
> -minimal -rrdtool (-selinux) -shadow -sqlite3 -test -vim-syntax -xemacs"
> RUBY_TARGETS="-ruby18"
>
> The following REQUIRED_USE flag constraints are unsatisfied:
> ruby_targets_ruby18
>
> The above constraints are a subset of the following complete expression:
> any-of ( ruby_targets_ruby18 )
>
> vv@crusader /var/db/pkg $

same with all puppet ebuilds.

stable does not mean what you say and viceversa.

THe error is clear:
> The following REQUIRED_USE flag constraints are unsatisfied:
> ruby_targets_ruby18

So you need to enable ruby18

(In reply to comment #11)
> stable does not mean what you say and viceversa.
>
> THe error is clear:
> > The following REQUIRED_USE flag constraints are unsatisfied:
> > ruby_targets_ruby18
>
> So you need to enable ruby18

I had to read emerge messages carefully. Sorry for bothering all crowd

ppc stable.

sparc stable

Thanks, folks. GLSA Vote: no.

GLSA vote: no.

Closing noglsa.