[Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989

Bug #978708 reported by Tyler Hicks
Affects | Status | Importance | Assigned to | Milestone
puppet (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

I've updated the stable releases but will need a sponsor if this is deemed urgent enough to make the Precise release.

Links to Puppet Labs advisories:

http://puppetlabs.com/security/cve/cve-2012-1906/
http://puppetlabs.com/security/cve/cve-2012-1986/
http://puppetlabs.com/security/cve/cve-2012-1987/
http://puppetlabs.com/security/cve/cve-2012-1988/
http://puppetlabs.com/security/cve/cve-2012-1989/

Also, while testing, I noticed that 'rake spec' aborts immediately. I traced it down to debian/patches/puppet-12844 being incomplete in comparison to the upstream commit but did not dig down much deeper than that.

Tyler Hicks (tyhicks) wrote :

This debdiff was tested with a local build. It passed the 'umt compare-log', 'umt compare-bin', and 'umt check' verifications. It was also tested with 'cd /usr/share/puppet-testsuite && rake spec unit'.

It fixes a very early failure in 'rake spec' and now allows the testsuite to finish. I noticed that debian/patches/puppet-12844 was not complete in comparison to the upstream patch. I downloaded the complete patch from:

https://github.com/puppetlabs/puppet/commit/62738187b8a1ba1bd2b5e0737836741b8019a924.patch

Then I did the necessary touch-ups to the patch and replaced the old puppet-12844 with the new, more complete version.

If the partial import of 62738187 was intentional, then this debdiff may not be acceptable. However, it looked like it may have simply been the result of an import error or possibly a non-final version of the upstream patch. Hopefully Marc Cluet can comment on this.

Tyler Hicks (tyhicks) wrote :

The output of 'cd /usr/share/puppet-testsuite && rake spec unit' with puppet-2.7.11-1ubuntu1

Tyler Hicks (tyhicks) wrote :

The diff between the output of 'cd /usr/share/puppet-testsuite && rake spec unit' run under puppet-2.7.11-1ubuntu1 and puppet-2.7.11-1ubuntu2 (which is simply the debdiff attached above applied).

Note that there are many false positives from failed Windows tests. I'm not sure why these tests are being run, but it looks like Puppet.features.microsoft_windows is not testing out to be false.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, uploaded to Precise.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.11-1ubuntu2

---------------
puppet (2.7.11-1ubuntu2) precise; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers (LP: #978708)
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshall support
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1988
  * SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
    filename
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1989
  * debian/patches/puppet-12844: Re-fetch the patch from upstream since some
    missing pieces cause 'rake spec' to abort immediately
 -- Tyler Hicks <email address hidden> Wed, 11 Apr 2012 03:55:10 -0500

Changed in puppet (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.