diff -u puppet-0.25.4/debian/changelog puppet-0.25.4/debian/changelog
--- puppet-0.25.4/debian/changelog
+++ puppet-0.25.4/debian/changelog
@@ -1,3 +1,17 @@
+puppet (0.25.4-2ubuntu6.2) lucid-security; urgency=low
+
+  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
+    arbitrary files as puppet master (LP: #861182)
+    - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb,
+      lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and
+      spec/unit/indirector/yaml.rb to perform proper input validation.
+      Patch from upstream (Daniel Pittman )
+      6e5a821cbf94b220dfc021ff7ebad0831c60e207
+    - CVE-2011-3848
+    - LP: #861182
+
+ -- Jamie Strandboge  Wed, 28 Sep 2011 08:30:14 -0500
+
 puppet (0.25.4-2ubuntu6.1) lucid-proposed; urgency=low
 
   * Work around a bug in Ruby that causes meaningful error messages to be
only in patch2:
unchanged:
--- puppet-0.25.4.orig/lib/puppet/indirector.rb
+++ puppet-0.25.4/lib/puppet/indirector.rb
@@ -31,7 +31,13 @@
     @indirection
   end
 
-  module ClassMethods
+  # Helper definition for indirections that handle filenames.
+  BadNameRegexp = Regexp.union(/^\.\./,
+                               %r{[\\/]},
+                               "\0",
+                               /(?i)^[a-z]:/)
+
+  module ClassMethods
     attr_reader :indirection
 
     def cache_class=(klass)
only in patch2:
unchanged:
--- puppet-0.25.4.orig/lib/puppet/indirector/yaml.rb
+++ puppet-0.25.4/lib/puppet/indirector/yaml.rb
@@ -50,6 +50,11 @@
   # Return the path to a given node's file.
   def path(name)
+    if name =~ Puppet::Indirector::BadNameRegexp then
+      Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+      raise ArgumentError, "invalid key"
+    end
+
     File.join(base, self.class.indirection_name.to_s, name.to_s + ".yaml")
   end
only in patch2:
unchanged:
--- puppet-0.25.4.orig/lib/puppet/indirector/ssl_file.rb
+++ puppet-0.25.4/lib/puppet/indirector/ssl_file.rb
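Review bot: `^` in `/^\.\./` and `/(?i)^[a-z]:/` anchors at the start of any line in Ruby, not at the start of the string, so BadNameRegexp is line-anchored rather than string-anchored; because `%r{[\\/]}` and `"\0"` already reject every separator and NUL byte, a multi-line key is only over-rejected rather than let through, but `\A` states the intent and removes the question: `BadNameRegexp = Regexp.union(/\A\.\./, %r{[\\/]}, "\0", /\A[a-z]:/i)`. The comment above the constant could also say what it rejects, e.g. `# Matches keys that must never become a filename component: a leading "..", any path separator, a NUL byte, or a DOS drive prefix.` Note that `Regexp.union` escapes its String arguments, so `"\0"` matches the literal NUL byte as intended.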
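Review bot: The guard matches on `name` but the path is built from `name.to_s`, so a key that is not already a String is validated on a different value than the one that reaches `File.join`; on Ruby 1.8 a Symbol has no `=~` of its own and `Object#=~` simply returns false, so a key in the shape the spec itself uses (`@store.path(:me)`) would never be rejected whatever it contains. Normalising first keeps check and use on the same value: `if name.to_s =~ Puppet::Indirector::BadNameRegexp`. The same applies to the identical guard added to `path` in lib/puppet/indirector/ssl_file.rb. The trailing `then` on a multi-line `if` is noise and is not used elsewhere in the visible code.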
@@ -54,6 +54,11 @@
   # Use a setting to determine our path.
   def path(name)
+    if name =~ Puppet::Indirector::BadNameRegexp then
+      Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+      raise ArgumentError, "invalid key"
+    end
+
     if ca?(name) and ca_location
       ca_location
     elsif collection_directory
only in patch2:
unchanged:
--- puppet-0.25.4.orig/spec/unit/indirector/yaml.rb
+++ puppet-0.25.4/spec/unit/indirector/yaml.rb
@@ -50,6 +50,21 @@
     it "should use the object's name to determine the file name" do
       @store.path(:me).should =~ %r{me.yaml$}
     end
+
+    ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+     '/foo', '//foo', '\\foo', '\\\\goo',
+     "test\0/../bar", "test\0\\..\\bar",
+     "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+     " / bar", " /../ bar", " \\..\\ bar",
+     "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+     "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+     "//?/c:/foo",
+    ].each do |input|
+      it "should resist directory traversal attacks (#{input.inspect})" do
+        expect { @store.path(input) }.to raise_error
+      end
+    end
+
   end
 
   describe Puppet::Indirector::Yaml, " when storing objects as YAML" do
only in patch2:
unchanged:
--- puppet-0.25.4.orig/spec/unit/indirector/ssl_file.rb
+++ puppet-0.25.4/spec/unit/indirector/ssl_file.rb
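Review bot: The five-line guard at the top of `path` is copied verbatim from the hunk in lib/puppet/indirector/yaml.rb, so every other terminus that turns a key into a filename has to remember to paste it as well; a single check defined beside BadNameRegexp in lib/puppet/indirector.rb that logs and raises, called as the first statement of each `path`, would keep the policy in one place and let the spec lists exercise one implementation. Placing the check before `ca?(name)` is the right order, since the CA branch also derives a filesystem location from the key. The body of `path` continues past the end of the hunk.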
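Review bot: `expect { @store.path(input) }.to raise_error` with no exception class passes on any exception, so a NoMethodError from a changed stub or a typo inside `path` would satisfy every one of these cases; pin the contract the guard actually makes with `expect { @store.path(input) }.to raise_error(ArgumentError)`. Every `..` entry in the list also contains a `/` or `\`, so the `/^\.\./` alternative of BadNameRegexp is never exercised on its own; a bare `'..'` entry would cover it. Both points apply equally to the copy of this list added to spec/unit/indirector/ssl_file.rb.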
@@ -89,6 +89,25 @@
     end
   end
 
+  ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+   '/foo', '//foo', '\\foo', '\\\\goo',
+   "test\0/../bar", "test\0\\..\\bar",
+   "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+   " / bar", " /../ bar", " \\..\\ bar",
+   "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+   "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+   "//?/c:/foo",
+  ].each do |input|
+    it "should resist directory traversal attacks (#{input.inspect})" do
+      expect { @searcher.path(input) }.to raise_error
+    end
+  end
+
+  # REVISIT: Should probably test MS-DOS reserved names here, too, since
+  # they would represent a vulnerability on a Win32 system, should we ever
+  # support that path. Don't forget that 'CON.foo' == 'CON'
+  # --daniel 2011-09-24
+
   describe "when finding certificates on disk" do
     describe "and no certificate is present" do
       before do