diff -Nru puppet-2.6.4/debian/changelog puppet-2.6.4/debian/changelog
--- puppet-2.6.4/debian/changelog 2011-03-01 11:22:36.000000000 -0600
+++ puppet-2.6.4/debian/changelog 2011-09-28 13:38:16.000000000 -0500
@@ -1,3 +1,18 @@
+puppet (2.6.4-2ubuntu2.2) natty-security; urgency=low
+
+ * SECURITY UPDATE: unauthenticated directory traversal allows writing of
+ arbitrary files as puppet master
+ - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
+ lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
+ spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
+ perform proper input validation.
+ - CVE-2011-3848
+ - LP: #861182
+ * debian/patches/fix-rake-spec-missing-require.patch: allow 'rake spec'
+ to run again
+
+ -- Jamie Strandboge Wed, 28 Sep 2011 08:26:38 -0500
+
 puppet (2.6.4-2ubuntu2) natty; urgency=low
+
 * debian/puppetmaster.default
diff -Nru puppet-2.6.4/debian/patches/CVE-2011-3848.patch puppet-2.6.4/debian/patches/CVE-2011-3848.patch
--- puppet-2.6.4/debian/patches/CVE-2011-3848.patch 1969-12-31 18:00:00.000000000 -0600
+++ puppet-2.6.4/debian/patches/CVE-2011-3848.patch 2011-09-28 08:26:06.000000000 -0500
@@ -0,0 +1,135 @@
+From 0a92a70a22b7e85ef60ed9b4d4070433b5ec3220 Mon Sep 17 00:00:00 2001
+From: Daniel Pittman
+Date: Sat, 24 Sep 2011 12:44:20 -0700
+Subject: [PATCH] Resist directory traversal attacks through indirections.
+
+In various versions of Puppet it was possible to cause a directory traversal
+attack through the SSLFile indirection base class. This was variously
+triggered through the user-supplied key, or the Subject of the certificate, in
+the code.
+
+Now, we detect bad patterns down in the base class for our indirections, and
+fail hard on them. This reduces the attack surface with as little disruption
+to the overall codebase as possible, making it suitable to deploy as part of
+older, stable versions of Puppet.
+
+In the long term we will also address this higher up the stack, to prevent
+these problems from reoccurring, but for now this will suffice.
+
+Huge thanks to Kristian Erik Hermansen for the
+responsible disclosure, and useful analysis, around this defect.
+
+Signed-off-by: Daniel Pittman
+---
+ lib/puppet/indirector.rb | 7 +++++++
+ lib/puppet/indirector/ssl_file.rb | 6 +++++-
+ lib/puppet/indirector/yaml.rb | 5 +++++
+ spec/unit/indirector/ssl_file_spec.rb | 19 +++++++++++++++++++
+ spec/unit/indirector/yaml_spec.rb | 14 ++++++++++++++
+ 5 files changed, 50 insertions(+), 1 deletions(-)
+
+Index: puppet-2.6.4/lib/puppet/indirector.rb
+===================================================================
+--- puppet-2.6.4.orig/lib/puppet/indirector.rb 2010-12-07 01:52:27.000000000 -0600
++++ puppet-2.6.4/lib/puppet/indirector.rb 2011-09-28 08:25:59.000000000 -0500
+@@ -64,4 +64,11 @@
+ self.class.indirection.save key, self
+ end
+ end
++
++
++ # Helper definition for indirections that handle filenames.
++ BadNameRegexp = Regexp.union(/^\.\./,
++ %r{[\\/]},
++ "\0",
++ /(?i)^[a-z]:/)
+ end
+Index: puppet-2.6.4/lib/puppet/indirector/ssl_file.rb
+===================================================================
+--- puppet-2.6.4.orig/lib/puppet/indirector/ssl_file.rb 2010-12-07 01:52:27.000000000 -0600
++++ puppet-2.6.4/lib/puppet/indirector/ssl_file.rb 2011-09-28 08:25:59.000000000 -0500
+@@ -52,8 +52,12 @@
+ (collection_directory || file_location) or raise Puppet::DevError, "No file or directory setting provided; terminus #{self.class.name} cannot function"
+ end
+
+- # Use a setting to determine our path.
+ def path(name)
++ if name =~ Puppet::Indirector::BadNameRegexp then
++ Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
++ raise ArgumentError, "invalid key"
++ end
++
+ if ca?(name) and ca_location
+ ca_location
+ elsif collection_directory
+Index: puppet-2.6.4/lib/puppet/indirector/yaml.rb
+===================================================================
+--- puppet-2.6.4.orig/lib/puppet/indirector/yaml.rb 2010-12-07 01:52:27.000000000 -0600
++++ puppet-2.6.4/lib/puppet/indirector/yaml.rb 2011-09-28 08:25:59.000000000 -0500
+@@ -43,6 +43,11 @@
+
+ # Return the path to a given node's file.
+ def path(name,ext='.yaml')
++ if name =~ Puppet::Indirector::BadNameRegexp then
++ Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
++ raise ArgumentError, "invalid key"
++ end
++
+ base = Puppet.run_mode.master? ?
Puppet[:yamldir] : Puppet[:clientyamldir]
+ File.join(base, self.class.indirection_name.to_s, name.to_s + ext)
+ end
+Index: puppet-2.6.4/spec/unit/indirector/ssl_file_spec.rb
+===================================================================
+--- puppet-2.6.4.orig/spec/unit/indirector/ssl_file_spec.rb 2010-12-07 01:52:27.000000000 -0600
++++ puppet-2.6.4/spec/unit/indirector/ssl_file_spec.rb 2011-09-28 08:25:59.000000000 -0500
+@@ -87,6 +87,25 @@
+ it "should set them in the setting directory, with the certificate name plus '.pem', if a directory setting is available" do
+ @searcher.path(@cert.name).should == @certpath
+ end
++
++ ['../foo', '..\\foo', './../foo', '.\\..\\foo',
++ '/foo', '//foo', '\\foo', '\\\\goo',
++ "test\0/../bar", "test\0\\..\\bar",
++ "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
++ " / bar", " /../ bar", " \\..\\ bar",
++ "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
++ "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
++ "//?/c:/foo",
++ ].each do |input|
++ it "should resist directory traversal attacks (#{input.inspect})" do
++ expect { @searcher.path(input) }.to raise_error
++ end
++ end
++
++ # REVISIT: Should probably test MS-DOS reserved names here, too, since
++ # they would represent a vulnerability on a Win32 system, should we ever
++ # support that path.
Don't forget that 'CON.foo' == 'CON'
++ # --daniel 2011-09-24
+ end
+
+ describe "when finding certificates on disk" do
+Index: puppet-2.6.4/spec/unit/indirector/yaml_spec.rb
+===================================================================
+--- puppet-2.6.4.orig/spec/unit/indirector/yaml_spec.rb 2010-12-07 01:52:27.000000000 -0600
++++ puppet-2.6.4/spec/unit/indirector/yaml_spec.rb 2011-09-28 08:25:59.000000000 -0500
+@@ -63,6 +63,20 @@
+ it "should use the object's name to determine the file name" do
+ @store.path(:me).should =~ %r{me.yaml$}
+ end
++
++ ['../foo', '..\\foo', './../foo', '.\\..\\foo',
++ '/foo', '//foo', '\\foo', '\\\\goo',
++ "test\0/../bar", "test\0\\..\\bar",
++ "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
++ " / bar", " /../ bar", " \\..\\ bar",
++ "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
++ "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
++ "//?/c:/foo",
++ ].each do |input|
++ it "should resist directory traversal attacks (#{input.inspect})" do
++ expect { @store.path(input) }.to raise_error
++ end
++ end
+ end
+
+ describe Puppet::Indirector::Yaml, " when storing objects as YAML" do
diff -Nru puppet-2.6.4/debian/patches/fix-rake-spec-missing-require.patch puppet-2.6.4/debian/patches/fix-rake-spec-missing-require.patch
--- puppet-2.6.4/debian/patches/fix-rake-spec-missing-require.patch 1969-12-31 18:00:00.000000000 -0600
+++ puppet-2.6.4/debian/patches/fix-rake-spec-missing-require.patch 2011-09-28 13:37:28.000000000 -0500
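Review bot: The new spec examples in ssl_file_spec.rb and yaml_spec.rb assert `raise_error` with no exception class, so any failure inside `path` — a NoMethodError, or possibly `File.join` objecting to the embedded NUL in "test\0/../bar" — satisfies them, and they would keep passing if the `BadNameRegexp` guard were later narrowed or removed. Both guards deliberately raise `ArgumentError, "invalid key"`, so pinning that class makes the examples prove the validation actually ran: `expect { @searcher.path(input) }.to raise_error(ArgumentError)` and `expect { @store.path(input) }.to raise_error(ArgumentError)`. The `# Helper definition for indirections that handle filenames.` comment above `BadNameRegexp` would also be more useful if it named what each alternative rejects — a leading `..`, any `/` or `\`, an embedded NUL, and a drive-letter prefix — since the constant is now a security boundary shared by two termini. Both `path` methods continue outside the hunk.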
@@ -0,0 +1,12 @@
+Origin: f3cd668b51bd98c7eee32222b550ed1160502b0e
+Description: maint: Fix a test that was missing a require
+Index: puppet-2.6.4/spec/unit/network/xmlrpc/client_spec.rb
+===================================================================
+--- puppet-2.6.4.orig/spec/unit/network/xmlrpc/client_spec.rb 2011-09-28 13:36:24.000000000 -0500
++++ puppet-2.6.4/spec/unit/network/xmlrpc/client_spec.rb 2011-09-28 13:36:37.000000000 -0500
+@@ -1,4 +1,5 @@
+ #!/usr/bin/env ruby
++require 'puppet/network/client'
+
+ Dir.chdir(File.dirname(__FILE__)) { (s = lambda { |f| File.exist?(f) ? require(f) : Dir.chdir("..") { s.call(f) } }).call("spec/spec_helper.rb") }
+
diff -Nru puppet-2.6.4/debian/patches/series puppet-2.6.4/debian/patches/series
--- puppet-2.6.4/debian/patches/series 2011-03-01 11:18:49.000000000 -0600
+++ puppet-2.6.4/debian/patches/series 2011-09-28 13:36:12.000000000 -0500
@@ -1,2 +1,4 @@
 debian-changes-2.6.4-2
 debian-changes-2.6.4-2ubuntu1
+CVE-2011-3848.patch
+fix-rake-spec-missing-require.patch