Hello community, here is the log from the commit of package puppet for openSUSE:11.4 checked in at Wed Oct 5 16:52:45 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/puppet/puppet.changes 2011-05-20 09:54:54.000000000 +0200 +++ 11.4/puppet/puppet.changes 2011-10-04 17:25:46.000000000 +0200 @@ -1,0 +2,6 @@ +Tue Oct 4 15:25:27 UTC 2011 - [email protected] + +- Resist directory traversal attacks through indirections + CVE-2011-3848 (bnc#721139) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- puppet-2.6-CVE-2011-3848.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ puppet.spec ++++++ --- /var/tmp/diff_new_pack.4XtDaG/_old 2011-10-05 16:49:03.000000000 +0200 +++ /var/tmp/diff_new_pack.4XtDaG/_new 2011-10-05 16:49:03.000000000 +0200 @@ -21,7 +21,7 @@ Name: puppet Version: 2.6.4 -Release: 4.<RELEASE5> +Release: 4.<RELEASE7> License: GPLv2+ Group: Productivity/Networking/System Url: http://reductivelabs.com/projects/puppet/ @@ -32,6 +32,7 @@ Source4: puppetmasterd.sysconfig Patch: %{name}-%{version}-yumconf.diff Patch1: %{name}-%{version}-init.diff +Patch2: puppet-2.6-CVE-2011-3848.patch Requires: ruby >= 1.8.1 Requires: facter >= 1.1.4 PreReq: pwdutils %insserv_prereq %fillup_prereq @@ -68,6 +69,7 @@ %setup -q %patch %patch1 +%patch2 -p1 sed -i 's#/usr/local/bin/ruby#/usr/bin/ruby#' lib/puppet/external/nagios.rb %build ++++++ puppet-2.6-CVE-2011-3848.patch ++++++ >From 0a92a70a22b7e85ef60ed9b4d4070433b5ec3220 Mon Sep 17 00:00:00 2001 From: Daniel Pittman <[email protected]> Date: Sat, 24 Sep 2011 12:44:20 -0700 Subject: [PATCH] Resist directory traversal attacks through indirections. In various versions of Puppet it was possible to cause a directory traversal attack through the SSLFile indirection base class. This was variously triggered through the user-supplied key, or the Subject of the certificate, in the code. Now, we detect bad patterns down in the base class for our indirections, and fail hard on them. This reduces the attack surface with as little disruption to the overall codebase as possible, making it suitable to deploy as part of older, stable versions of Puppet. In the long term we will also address this higher up the stack, to prevent these problems from reoccurring, but for now this will suffice. Huge thanks to Kristian Erik Hermansen <[email protected]> for the responsible disclosure, and useful analysis, around this defect. Signed-off-by: Daniel Pittman <[email protected]> --- lib/puppet/indirector.rb | 7 +++++++ lib/puppet/indirector/ssl_file.rb | 6 +++++- lib/puppet/indirector/yaml.rb | 5 +++++ spec/unit/indirector/ssl_file_spec.rb | 19 +++++++++++++++++++ spec/unit/indirector/yaml_spec.rb | 14 ++++++++++++++ 5 files changed, 50 insertions(+), 1 deletions(-) diff --git a/lib/puppet/indirector.rb b/lib/puppet/indirector.rb index e6472f4..fd6bf30 100644 --- a/lib/puppet/indirector.rb +++ b/lib/puppet/indirector.rb @@ -68,4 +68,11 @@ module Puppet::Indirector self.class.indirection.save key, self end end + + + # Helper definition for indirections that handle filenames. + BadNameRegexp = Regexp.union(/^\.\./, + %r{[\\/]}, + "\0", + /(?i)^[a-z]:/) end diff --git a/lib/puppet/indirector/ssl_file.rb b/lib/puppet/indirector/ssl_file.rb index 531180f..4510499 100644 --- a/lib/puppet/indirector/ssl_file.rb +++ b/lib/puppet/indirector/ssl_file.rb @@ -52,8 +52,12 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus (collection_directory || file_location) or raise Puppet::DevError, "No file or directory setting provided; terminus #{self.class.name} cannot function" end - # Use a setting to determine our path. def path(name) + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + if ca?(name) and ca_location ca_location elsif collection_directory diff --git a/lib/puppet/indirector/yaml.rb b/lib/puppet/indirector/yaml.rb index 23997e9..4c488da 100644 --- a/lib/puppet/indirector/yaml.rb +++ b/lib/puppet/indirector/yaml.rb @@ -43,6 +43,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus # Return the path to a given node's file. def path(name,ext='.yaml') + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + base = Puppet.run_mode.master? ? Puppet[:yamldir] : Puppet[:clientyamldir] File.join(base, self.class.indirection_name.to_s, name.to_s + ext) end diff --git a/spec/unit/indirector/ssl_file_spec.rb b/spec/unit/indirector/ssl_file_spec.rb index 37098a7..4760bd7 100755 --- a/spec/unit/indirector/ssl_file_spec.rb +++ b/spec/unit/indirector/ssl_file_spec.rb @@ -87,6 +87,25 @@ describe Puppet::Indirector::SslFile do it "should set them in the setting directory, with the certificate name plus '.pem', if a directory setting is available" do @searcher.path(@cert.name).should == @certpath end + + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @searcher.path(input) }.to raise_error + end + end + + # REVISIT: Should probably test MS-DOS reserved names here, too, since + # they would represent a vulnerability on a Win32 system, should we ever + # support that path. Don't forget that 'CON.foo' == 'CON' + # --daniel 2011-09-24 end describe "when finding certificates on disk" do diff --git a/spec/unit/indirector/yaml_spec.rb b/spec/unit/indirector/yaml_spec.rb index 86c13c5..c8fadf7 100755 --- a/spec/unit/indirector/yaml_spec.rb +++ b/spec/unit/indirector/yaml_spec.rb @@ -63,6 +63,20 @@ describe Puppet::Indirector::Yaml, " when choosing file location" do it "should use the object's name to determine the file name" do @store.path(:me).should =~ %r{me.yaml$} end + + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @store.path(input) }.to raise_error + end + end end describe Puppet::Indirector::Yaml, " when storing objects as YAML" do -- 1.7.4.4 continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
