puppet can no longer find puppet:// resources after ruby2.7 CVE Update
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| puppet (Ubuntu) | Invalid | Undecided | Unassigned | |
| ruby2.7 (Ubuntu) | Fix Released | Undecided | Leonidas S. Barbosa | |
Bug Description
Ubuntu 20.04 Focal
Package change: `ruby2.7`
`Changes from 2.7.0-5ubuntu1.8 to 2.7.0-5ubuntu1.9`
https:/
Breaks Puppet apply / masterless puppet, by causing the agent to attempt to connect to 0.0.0.0
`URI.parse(
Puppet expects the above to return `nil`, and your patch explicitly says it should return an empty string. Empty strings are "truthy" values, compared to nil, a "falsy" value.
Puppet's behavior changes when `host` is present, and tries to connect to the puppet master, using that host. In the above case, it ends up trying to connect to 0.0.0.0.
This naturally doesn't work, the puppet agent is unable to "find" the required resource and then the puppet run fails.
```
# broken
irb(main):001:0> URI.parse(
(irb):1: warning: URI.escape is obsolete
=> ""
```
```
# Working 2.7, before the CVE
irb(main):001:0> RUBY_VERSION
=> "2.7.0"
irb(main):002:0> URI.parse(
(irb):2: warning: URI.escape is obsolete
=> nil
```
```
# Ruby 3.0 working
irb(main):001:0> require 'uri'
=> true
irb(main):002:0> URI.parse(
=> nil
```
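Added example (not code from the bug report, Puppet or Ruby) showing the nil-versus-empty-string host check the description turns on, using constructed `puppet://` URIs; the host `puppet.example.test` and the function names are assumptions:

```ruby
require 'uri'

# Naive check: mirrors "if host is present, connect to host". "" is truthy in
# Ruby, so an empty authority is passed through as if it were a real host.
def host_naive(host)
  host ? host : nil
end

# Robust check: nil (older parser) and "" (patched parser) both mean
# "no host given in the URI", so callers fall back to the default server.
def host_robust(host)
  (host.nil? || host.empty?) ? nil : host
end

# Resolve a constructed puppet:// source URI into [host_or_nil, path].
# The result is the same whichever value the installed URI parser returns
# for an empty authority.
def puppet_source(source)
  uri = URI.parse(source)
  raise ArgumentError, "not a puppet:// URI: #{source}" unless uri.scheme == "puppet"
  [host_robust(uri.host), uri.path]
end

if $PROGRAM_NAME == __FILE__
  p host_naive("")                               # "" (truthy: the bug's trigger)
  p host_robust("")                              # nil
  p puppet_source("puppet:///modules/foo/bar")   # [nil, "/modules/foo/bar"]
  p puppet_source("puppet://puppet.example.test/modules/foo/bar")
end
```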
note:
`sin_addr=
from the `strace` of a similar file:
```
[pid 2205534] socket(AF_INET, SOCK_STREAM|
[pid 2205534] connect(
[pid 2205534] close(5<
...
[pid 2205534] writev(
[pid 2208271] futex(0x7fde740
[pid 2204312] <... read resumed>
```
CVE References
tags: added: regression-update
information type: Public → Public Security
Status changed to 'Confirmed' because the bug affects multiple users.