Hello community,

here is the log from the commit of package puppet for openSUSE:11.3
checked in at Tue Nov 1 15:30:28 CET 2011.



--------
--- old-versions/11.3/UPDATES/all/puppet/puppet.changes 2011-10-05 
16:43:00.000000000 +0200
+++ 11.3/puppet/puppet.changes  2011-11-01 11:54:32.000000000 +0100
@@ -1,0 +2,12 @@
+Tue Nov  1 10:04:55 UTC 2011 - [email protected]
+
+- fix for CVE-2011-3872 (bnc#726372)
+
+-------------------------------------------------------------------
+Mon Oct 31 10:00:39 UTC 2011 - [email protected]
+
+- fixes for several security bugs:
+  CVE-2011-3869, CVE-2011-3870, CVE-2011-3871
+  (bnc#727024, bnc#727025)
+
+-------------------------------------------------------------------
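Review bot: the Oct 31 entry lists three CVEs against two bug numbers, so CVE-2011-3871 (the ralsh temporary file fix) is the one without a tracking reference here; add its bnc# or say explicitly that it is covered by one of the two listed, so the entry can be matched to the Patch5 line in the spec.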

calling whatdependson for 11.3-i586


New:
----
  0.25-9792-Predictable-temporary-filename-in-ralsh.patch
  0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch
  puppet-0.25.4-CVE-2011-3870.patch
  puppet-0.25.4-CVE-2011-3872.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ puppet.spec ++++++
--- /var/tmp/diff_new_pack.zIVBmJ/_old  2011-11-01 15:28:13.000000000 +0100
+++ /var/tmp/diff_new_pack.zIVBmJ/_new  2011-11-01 15:28:13.000000000 +0100
@@ -21,7 +21,7 @@
 
 Name:           puppet
 Version:        0.25.4
-Release:        4.<RELEASE2>
+Release:        4.<RELEASE5>
 License:        GPLv2+
 Group:          Productivity/Networking/System
 Url:            http://reductivelabs.com/projects/puppet/
@@ -32,7 +32,17 @@
 Patch:          %{name}-%{version}-yumconf.diff
 Patch1:         %{name}-%{version}-init.diff
 Patch2:         %{name}-%{version}-zypper.diff
+# PATCH-FIX-UPSTREAM bnc#721139 CVE-2011-3848
 Patch3:         puppet-0.25.4-CVE-2011-3848.patch
+# PATCH-FIX-UPSTREAM bnc#727025 CVE-2011-3870
+Patch4:         puppet-0.25.4-CVE-2011-3870.patch
+# PATCH-FIX-UPSTREAM CVE-2011-3871
+Patch5:         0.25-9792-Predictable-temporary-filename-in-ralsh.patch
+# PATCH-FIX-UPSTREAM bnc#727024 CVE-2011-3869
+Patch7:         0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch
+# PATCH-FIX-UPSTREAM bnc#726372 CVE-2011-3872
+Patch8:         puppet-0.25.4-CVE-2011-3872.patch
+
 Requires:       ruby >= 1.8.1 
 Requires:       facter >= 1.1.4
 PreReq:         pwdutils %insserv_prereq %fillup_prereq 
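Review bot: the new entries jump from Patch5 to Patch7, leaving Patch6 unused; either renumber to Patch6 or add a comment saying why the slot is skipped, so the `%patch` lines in %prep stay easy to audit against this list. The PATCH-FIX-UPSTREAM comment for Patch5 is also the only one without a bnc# reference; the other four carry one.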
@@ -71,6 +81,10 @@
 %patch1
 %patch2
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch7 -p1
+%patch8 -p1
 sed -i 's#/usr/local/bin/ruby#/usr/bin/ruby#' lib/puppet/external/nagios.rb
 
 %build

++++++ 0.25-9792-Predictable-temporary-filename-in-ralsh.patch ++++++
From 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f Mon Sep 17 00:00:00 2001
From: Daniel Pittman <[email protected]>
Date: Wed, 28 Sep 2011 23:23:55 -0700
Subject: [PATCH] (#9792) Predictable temporary filename in ralsh.

When ralsh is used in edit mode the temporary filename is in a shared
directory, and is absolutely predictable.  Worse, it won't be touched until
well after the startup of the command.

It can be tricked into writing through a symlink to edit any file on the
system, or to create through it, but worse - the file is reopened with the
same name later, so it can have the target replaced between edit and
operate...

The only possible mitigation comes from the system editor and the behaviour it
has around editing through symbolic links, which is very weak.

This improves this to prefer the current working directory for the temporary
file, and to be somewhat less predictable and more safe in conjuring it into
being.

Signed-off-by: Daniel Pittman <[email protected]>
---
 lib/puppet/application/ralsh.rb |   27 +++++++++++++++++----------
 1 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/lib/puppet/application/ralsh.rb b/lib/puppet/application/ralsh.rb
index b9f7a58..593d3c1 100644
--- a/lib/puppet/application/ralsh.rb
+++ b/lib/puppet/application/ralsh.rb
@@ -119,18 +119,25 @@ Puppet::Application.new(:ralsh) do
         end.compact.join("\n")
 
         if options[:edit]
-            file = "/tmp/x2puppet-#{Process.pid}.pp"
+            require 'tempfile'
+            # Prefer the current directory, which is more likely to be secure
+            # and, in the case of interactive use, accessible to the user.
+            tmpfile = Tempfile.new('x2puppet', Dir.pwd)
             begin
-                File.open(file, "w") do |f|
-                    f.puts text
-                end
-                ENV["EDITOR"] ||= "vi"
-                system(ENV["EDITOR"], file)
-                system("puppet -v " + file)
+                # sync write, so nothing buffers before we invoke the editor.
+                tmpfile.sync = true
+                tmpfile.puts text
+
+                # edit the content
+                system(ENV["EDITOR"] || 'vi', tmpfile.path)
+
+                # ...and, now, pass that file to puppet to apply.  Because
+                # many editors rename or replace the original file we need to
+                # feed the pathname, not the file content itself, to puppet.
+                system('puppet -v ' + tmpfile.path)
             ensure
-                #if FileTest.exists? file
-                #    File.unlink(file)
-                #end
+                # The temporary file will be safely removed.
+                tmpfile.close(true)
             end
         else
             puts text
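Review bot: `system('puppet -v ' + tmpfile.path)` still hands the path to a shell, while the editor call just above it was switched to the argument-list form `system(ENV["EDITOR"] || 'vi', tmpfile.path)`. Since `Tempfile.new('x2puppet', Dir.pwd)` now places the file under whatever directory the user ran ralsh from, a path containing spaces or shell metacharacters would be split or interpreted; `system('puppet', '-v', tmpfile.path)` avoids that and matches the line above. The comment that the current directory is "more likely to be secure" holds only when that directory is not itself shared or world-writable, which is worth stating next to the comment so packagers do not read it as a guarantee.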
-- 
1.7.6.4

++++++ 0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch ++++++
From a4333c110ad084f205605708eaab52ad243d6c86 Mon Sep 17 00:00:00 2001
From: Daniel Pittman <[email protected]>
Date: Thu, 29 Sep 2011 00:26:13 -0700
Subject: [PATCH] (#9794) k5login can overwrite arbitrary files as root

The k5login type is typically used to manage a file in the home directory of a
user; the explicit purpose of the files is to allow access to other users.

It writes to the target file directly, as root, without doing anything to
secure the file. That would allow the owner of the home directory to symlink
to anything on the system, and have it replaced with the correct content of
the file. Which is a fairly obvious escalation to root the next time Puppet
runs.

Now, instead, fix that to securely write the target file in a predictable and
secure fashion, using the `secure_open` helper.

Signed-off-by: Daniel Pittman <[email protected]>
---
 lib/puppet/type/k5login.rb |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/lib/puppet/type/k5login.rb b/lib/puppet/type/k5login.rb
index 5526fda..b13b34d 100644
--- a/lib/puppet/type/k5login.rb
+++ b/lib/puppet/type/k5login.rb
@@ -81,7 +81,9 @@ Puppet::Type.newtype(:k5login) do
 
         private
         def write(value)
-            File.open(@resource[:name], "w") { |f| f.puts value.join("\n") }
+            Puppet::Util.secure_open(@resource[:name], "w") do |f|
+                f.puts value.join("\n")
+            end
         end
     end
 end
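Review bot: the hunk calls `Puppet::Util.secure_open`, but nothing in this patch, and no other patch listed in the spec, adds that helper; it needs to be confirmed present in the 0.25.4 tree this package builds from, otherwise `write` raises NoMethodError on the first k5login run instead of writing the file. The `0.25.x` prefix on the patch name suggests a backport, so a one-line pointer in the PATCH-FIX-UPSTREAM comment to where the helper lives in this tree would save the next reviewer the same check.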
-- 
1.7.6.4
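The commit message above describes the hazard of writing as root into a directory the file's owner controls, but the `secure_open` helper itself is not part of this page. As an added illustration (not Puppet's own helper), the following Ruby snippet opens the target with `O_NOFOLLOW` and checks the already-open descriptor, so a symlink planted at the path is refused rather than followed; `safe_write`, `demo` and the constructed demo directory are names and data chosen here.

```ruby
# Added illustration, not Puppet's secure_open. Requires File::NOFOLLOW
# (Linux, BSD, macOS) and Ruby 1.9 or later.
require 'tmpdir'

# Open +path+ for writing without following a symlink in the final path
# component, then verify on the open descriptor (fstat, not a path lookup)
# that it is a regular file, so the target cannot be swapped between the
# check and the write. Intermediate components (e.g. a home directory that
# is itself a symlink) are not covered by this flag.
def safe_write(path, content)
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(path, flags, 0600) do |f|
    st = f.stat
    raise "#{path} is not a regular file" unless st.file?
    f.write(content)
  end
  true
end

# Constructed demonstration: a private directory holding a regular target,
# a "sensitive" file, and a symlink at the managed path pointing at it.
def demo
  Dir.mktmpdir('k5login-demo') do |dir|
    sensitive = File.join(dir, 'sensitive')
    File.write(sensitive, "original\n")
    File.symlink(sensitive, File.join(dir, 'link'))
    regular = File.join(dir, 'regular')

    # Writing to a regular path succeeds.
    safe_write(regular, "alice@EXAMPLE.COM\n")

    # Writing through the symlink is refused by the kernel (ELOOP on Linux
    # and macOS, EMLINK on FreeBSD); the sensitive file is untouched.
    blocked = begin
      safe_write(File.join(dir, 'link'), "mallory@EXAMPLE.COM\n")
      false
    rescue Errno::ELOOP, Errno::EMLINK
      true
    end

    { :blocked   => blocked,
      :sensitive => File.read(sensitive),
      :regular   => File.read(regular) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```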

++++++ puppet-0.25.4-CVE-2011-3870.patch ++++++
--- puppet-0.25.4.orig/lib/puppet/provider/ssh_authorized_key/parsed.rb
+++ puppet-0.25.4/lib/puppet/provider/ssh_authorized_key/parsed.rb
@@ -62,36 +62,24 @@
     end
 
     def flush
-        # As path expansion had to be moved in the provider, we cannot 
generate new file
-        # resources and thus have to chown and chmod here. It smells hackish.
-
-        # Create target's parent directory if nonexistant
-        if target
-            dir = File.dirname(target)
-            if not File.exist? dir
-                Puppet.debug("Creating directory %s which did not exist" % dir)
-                Dir.mkdir(dir, dir_perm)
-            end
+      raise Puppet::Error, "Cannot write SSH authorized keys without user" 
unless user
+      raise Puppet::Error, "User '#{user}' does not exist"                 
unless uid = Puppet::Util.uid(user)
+      # ParsedFile usually calls backup_target much later in the flush process,
+      # but our SUID makes that fail to open filebucket files for writing.
+      # Fortunately, there's already logic to make sure it only ever happens 
once,
+      # so calling it here supresses the later attempt by our superclass's 
flush method.
+      self.class.backup_target(target)
+
+      Puppet::Util::SUIDManager.asuser(@resource.should(:user)) do
+        unless File.exist?(dir = File.dirname(target))
+          Puppet.debug "Creating #{dir}"
+          Dir.mkdir(dir, dir_perm)
         end
 
-        # Generate the file
         super
 
-        # Ensure correct permissions
-        if target and user
-            uid = Puppet::Util.uid(user)
-
-            if uid
-                File.chown(uid, nil, dir)
-                File.chown(uid, nil, target)
-            else
-                raise Puppet::Error, "Specified user does not exist"
-            end
-        end
-
-        if target
-            File.chmod(file_perm, target)
-        end
+        File.chmod(file_perm, target)
+      end
     end
 
     # parse sshv2 option strings, wich is a comma separated list of
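Review bot: the two `raise` guards at the top of the new `flush` test `user`, while the privilege drop uses `asuser(@resource.should(:user))`; if `user` wraps `@resource.should(:user)` it should be used in both places so the existence check and the uid actually switched to cannot diverge. The `uid` assigned in the second guard is no longer used after the check, since the `File.chown` calls were removed and the file is now created as that user; `unless Puppet::Util.uid(user)` reads cleaner. Minor: "supresses" in the comment should be "suppresses".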
++++++ puppet-0.25.4-CVE-2011-3872.patch ++++++
--- puppet-0.25.4.orig/lib/puppet/defaults.rb
+++ puppet-0.25.4/lib/puppet/defaults.rb
@@ -222,9 +222,21 @@
             to the fully qualified domain name.",
             :call_on_define => true, # Call our hook with the default value, 
so we're always downcased
             :hook => proc { |value| raise(ArgumentError, "Certificate names 
must be lower case; see #1168") unless value == value.downcase }},
-        :certdnsnames => ['', "The DNS names on the Server certificate as a 
colon-separated list.
-            If it's anything other than an empty string, it will be used as an 
alias in the created
-            certificate.  By default, only the server gets an alias set up, 
and only for 'puppet'."],
+        :certdnsnames => {:default => '',
+            :desc => "The DNS names on the Server certificate as a
+            colon-separated list.  If it's anything other than an empty string,
+            it will be used as an alias in the created certificate.  By
+            default, only the server gets an alias set up, and only for
+            'puppet'.",
+            :hook => proc { |value|
+                msg = <<WARN
+The `certdnsnames` setting is no longer functional, after CVE-2011-3872. We
+ignore the value completely. See http://puppetlabs.com/security/cve/3872 for
+more information"
+WARN
+                puts msg if value and value != ''
+            }
+        },
         :certdir => {
             :default => "$ssldir/certs",
             :owner => "service",
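Review bot: the WARN heredoc ends with a stray double quote after "more information" (the heredoc body is not a quoted string), which will be printed verbatim to users; drop it. The hook reports via `puts`, so the warning goes to the stdout of whatever process loads the settings rather than through Puppet's logging; `Puppet.warning msg` is the conventional channel. The `:desc` text still describes certdnsnames as functional; it should state that the value is ignored since CVE-2011-3872 so `puppet --genconfig` output and the docs do not contradict the hook.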
--- puppet-0.25.4.orig/lib/puppet/sslcertificates.rb
+++ puppet-0.25.4/lib/puppet/sslcertificates.rb
@@ -57,16 +57,7 @@
             key_usage = %w{cRLSign keyCertSign}
         when :server
             basic_constraint = "CA:FALSE"
-            dnsnames = Puppet[:certdnsnames]
             name = hash[:name].to_s.sub(%r{/CN=},'')
-            if dnsnames != ""
-                dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-            elsif name == Facter.value(:fqdn) # we're a CA server, and thus 
probably the server
-                subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an 
alias
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-                subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # 
add puppet.domain as an alias
-            end
             key_usage = %w{digitalSignature keyEncipherment}
             ext_key_usage = %w{serverAuth clientAuth emailProtection}
         when :ocsp
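Review bot: the removal drops every subjectAltName entry for server certificates, including the `DNS:puppet` and fqdn aliases that were added even when certdnsnames was empty, not only the user-supplied list. Hostname verification of the master therefore rests on the certificate CN alone, so masters that clients reach under the `puppet` short name need a certificate whose CN matches that name; this operational consequence belongs in the puppet.changes entry for CVE-2011-3872. If `subject_alt_name` is now only initialised above this hunk and never appended to for any certificate type, that initialisation can be dropped as well.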



Remember to have fun...
