Remote directory traversal, allows write to arbitrary locations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet (Ubuntu) | Fix Released | High | Jamie Strandboge |
Hardy | Won't Fix | High | Unassigned |
Lucid | Fix Released | High | Jamie Strandboge |
Maverick | Fix Released | High | Jamie Strandboge |
Natty | Fix Released | High | Jamie Strandboge |
Oneiric | Fix Released | High | Jamie Strandboge |
Bug Description
There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.
# Commit message for fix #
I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.
Author: Daniel Pittman <email address hidden>
Date: Sat Sep 24 12:44:20 2011 -0700
Resist directory traversal attacks through indirections.
In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.
Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption to the overall codebase as
possible, making it suitable to deploy as part of older, stable
versions of Puppet.
In the long term we will also address this higher up the stack,
to prevent these problems from reoccurring, but for now this
will suffice.
Huge thanks to Kristian Erik Hermansen <email address hidden>
for the responsible disclosure, and useful analysis, around
this defect.
Signed-off-by: Daniel Pittman <email address hidden>
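
An added Ruby sketch (not Puppet's patch, and not code from this bug report) of the approach the commit message describes: validate the caller-supplied key at the single point where it becomes a file path, and raise instead of returning a path. The function names, error class, directory and sample keys are assumptions made for illustration.

```ruby
# Added illustration; hypothetical names, not Puppet's implementation.
class TraversalError < ArgumentError; end

# Map a caller-supplied key (for example a certificate name) to a file
# directly inside base_dir. Raises TraversalError for any key that could
# name a location other than a single file in that directory.
def ssl_file_path(base_dir, key, ext = ".pem")
  key = key.to_s
  raise TraversalError, "empty key" if key.empty?
  raise TraversalError, "NUL byte in key" if key.include?("\0")
  # A key names one file, never a sub-path: reject both separator styles.
  raise TraversalError, "path separator in #{key.inspect}" if key =~ %r{[/\\]}
  raise TraversalError, "dot-only key #{key.inspect}" if key =~ /\A\.+\z/
  # File.expand_path treats a leading "~" as a home-directory lookup.
  raise TraversalError, "leading ~ in #{key.inspect}" if key.start_with?("~")

  base = File.expand_path(base_dir)
  path = File.expand_path(key + ext, base)
  # Defence in depth: the normalised result must still sit directly in base.
  unless File.dirname(path) == base
    raise TraversalError, "#{key.inspect} resolves outside #{base}"
  end
  path
end

# True when the key is refused; used to exercise the check without
# touching the filesystem.
def rejected?(base_dir, key)
  ssl_file_path(base_dir, key)
  false
rescue TraversalError
  true
end

if __FILE__ == $0
  base = "/srv/demo/ssl/certs" # constructed directory, never opened
  # Constructed sample keys: one well-formed name, then malformed ones.
  ["agent01.example.com", "../../outside", "..", "/abs/name", "~root"].each do |k|
    verdict = rejected?(base, k) ? "rejected" : ssl_file_path(base, k)
    puts "#{k.inspect} -> #{verdict}"
  end
end
```

The pattern checks and the final `File.dirname` comparison overlap on purpose, so a gap in one is still caught by the other.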
Changed in puppet (Ubuntu Lucid): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in puppet (Ubuntu Maverick): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in puppet (Ubuntu Natty): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in puppet (Ubuntu Oneiric): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in puppet (Ubuntu Hardy): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in puppet (Ubuntu Oneiric): | |
milestone: | none → ubuntu-11.10 |
description: | updated |
visibility: | private → public |
Changed in puppet (Ubuntu Hardy): | |
status: | Confirmed → Fix Committed |
tags: | removed: verification-needed |
tags: | removed: removal-candidate |
Hardy is in universe and is community supported. I was going to prepare the update for it, but the patch does not apply cleanly (0.24.4). Based on the files that are missing, I don't think it supports ssl, but I haven't looked at this at all.
Marc, if you are interested, feel free to investigate Hardy and prepare a patch if necessary.