Hello community,

here is the log from the commit of package puppet for openSUSE:11.3
checked in at Wed Oct 5 16:44:47 CEST 2011.



--------
--- old-versions/11.3/all/puppet/puppet.changes 2010-03-02 17:32:57.000000000 
+0100
+++ 11.3/puppet/puppet.changes  2011-10-05 16:43:00.032891000 +0200
@@ -1,0 +2,11 @@
+Tue Oct  4 15:20:41 UTC 2011 - vci...@suse.com
+
+- Resist directory traversal attacks through indirections
+  CVE-2011-3848 (bnc#721139)
+
+-------------------------------------------------------------------
+Thu Jul 22 16:10:22 CEST 2010 - ani...@suse.cz
+
+- create user puppet not only for server package (bnc#623884)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback 
old-versions/11.3/all/puppet
Destination is old-versions/11.3/UPDATES/all/puppet
calling whatdependson for 11.3-i586


New:
----
  puppet-0.25.4-CVE-2011-3848.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ puppet.spec ++++++
--- /var/tmp/diff_new_pack.zaYwun/_old  2011-10-05 16:44:24.000000000 +0200
+++ /var/tmp/diff_new_pack.zaYwun/_new  2011-10-05 16:44:24.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package puppet (Version 0.25.4)
+# spec file for package puppet
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 
 Name:           puppet
 Version:        0.25.4
-Release:        1
+Release:        4.<RELEASE2>
 License:        GPLv2+
 Group:          Productivity/Networking/System
 Url:            http://reductivelabs.com/projects/puppet/
@@ -32,6 +32,7 @@
 Patch:          %{name}-%{version}-yumconf.diff
 Patch1:         %{name}-%{version}-init.diff
 Patch2:         %{name}-%{version}-zypper.diff
+Patch3:         puppet-0.25.4-CVE-2011-3848.patch
 Requires:       ruby >= 1.8.1 
 Requires:       facter >= 1.1.4
 PreReq:         pwdutils %insserv_prereq %fillup_prereq 
@@ -69,6 +70,7 @@
 %patch
 %patch1
 %patch2
+%patch3 -p1
 sed -i 's#/usr/local/bin/ruby#/usr/bin/ruby#' lib/puppet/external/nagios.rb
 
 %build
@@ -96,7 +98,7 @@
 %clean
 rm -rf $RPM_BUILD_ROOT
 
-%pre server
+%pre
 getent group puppet >/dev/null || /usr/sbin/groupadd -o -r puppet 
 getent passwd puppet >/dev/null || /usr/sbin/useradd -r -g puppet -d 
/var/lib/puppet -s /bin/false -c "Puppet daemon" puppet 
 

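Review bot: with `%pre server` renamed to `%pre`, the `groupadd`/`useradd` scriptlet now belongs to the base package only. The hunk does not show how the server subpackage depends on the base package, so confirm that it requires it at install time and that the `puppet` user therefore still exists before the server package is installed.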
++++++ puppet-0.25.4-CVE-2011-3848.patch ++++++
From 6e5a821cbf94b220dfc021ff7ebad0831c60e207 Mon Sep 17 00:00:00 2001
From: Daniel Pittman <dan...@puppetlabs.com>
Date: Sat, 24 Sep 2011 12:44:20 -0700
Subject: [PATCH] Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory traversal
attack through the SSLFile indirection base class.  This was variously
triggered through the user-supplied key, or the Subject of the certificate, in
the code.

Now, we detect bad patterns down in the base class for our indirections, and
fail hard on them.  This reduces the attack surface with as little disruption
to the overall codebase as possible, making it suitable to deploy as part of
older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent
these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.herman...@gmail.com> for the
responsible disclosure, and useful analysis, around this defect.

Signed-off-by: Daniel Pittman <dan...@puppetlabs.com>
---
 lib/puppet/indirector.rb          |    8 +++++++-
 lib/puppet/indirector/ssl_file.rb |    5 +++++
 lib/puppet/indirector/yaml.rb     |    5 +++++
 spec/unit/indirector/ssl_file.rb  |   19 +++++++++++++++++++
 spec/unit/indirector/yaml.rb      |   15 +++++++++++++++
 5 files changed, 51 insertions(+), 1 deletions(-)

diff --git a/lib/puppet/indirector.rb b/lib/puppet/indirector.rb
index 61ef2db..20a460d 100644
--- a/lib/puppet/indirector.rb
+++ b/lib/puppet/indirector.rb
@@ -31,7 +31,13 @@ module Puppet::Indirector
         @indirection
     end
 
-    module ClassMethods   
+    # Helper definition for indirections that handle filenames.
+    BadNameRegexp = Regexp.union(/^\.\./,
+                                 %r{[\\/]},
+                                 "\0",
+                                 /(?i)^[a-z]:/)
+
+    module ClassMethods
         attr_reader :indirection
 
         def cache_class=(klass)
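Review bot: `BadNameRegexp` anchors two of its alternatives with `^` (`/^\.\./` and `/(?i)^[a-z]:/`), which in Ruby matches at the start of every line, not only at the start of the string. For a reject pattern this only makes the check stricter, but `\A` would state the intent exactly. The one-line comment above the constant should also say what each alternative rejects (a leading `..`, any `/` or `\`, a NUL byte, a drive-letter prefix) and that callers are expected to raise on a match, because this is a denylist that every filename-handling terminus has to remember to apply.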
diff --git a/lib/puppet/indirector/ssl_file.rb 
b/lib/puppet/indirector/ssl_file.rb
index fc1e65d..9defcb5 100644
--- a/lib/puppet/indirector/ssl_file.rb
+++ b/lib/puppet/indirector/ssl_file.rb
@@ -54,6 +54,11 @@ class Puppet::Indirector::SslFile < 
Puppet::Indirector::Terminus
 
     # Use a setting to determine our path.
     def path(name)
+        if name =~ Puppet::Indirector::BadNameRegexp then
+            Puppet.crit("directory traversal detected in #{self.class}: 
#{name.inspect}")
+            raise ArgumentError, "invalid key"
+        end
+
         if ca?(name) and ca_location
             ca_location
         elsif collection_directory
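Review bot: the guard added at the top of `path(name)` is the same block that this patch adds to `lib/puppet/indirector/yaml.rb`. Consider moving it into one helper defined next to `BadNameRegexp` and calling that from both places, so the log message and the `ArgumentError` stay identical and a file-backed terminus added later has a single method to call instead of a block to copy.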
diff --git a/lib/puppet/indirector/yaml.rb b/lib/puppet/indirector/yaml.rb
index 782112e..a119b86 100644
--- a/lib/puppet/indirector/yaml.rb
+++ b/lib/puppet/indirector/yaml.rb
@@ -50,6 +50,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus
 
     # Return the path to a given node's file.
     def path(name)
+        if name =~ Puppet::Indirector::BadNameRegexp then
+            Puppet.crit("directory traversal detected in #{self.class}: 
#{name.inspect}")
+            raise ArgumentError, "invalid key"
+        end
+
         File.join(base, self.class.indirection_name.to_s, name.to_s + ".yaml")
     end
 
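Review bot: in `path(name)` the pattern is matched against `name`, while the path is built from `name.to_s`. The spec context in this patch calls `path(:me)`, so Symbol keys reach this method, and on Ruby 1.8 (the spec file requires `ruby >= 1.8.1`) Symbol has no `=~` of its own, so the match falls back to `Object#=~` and never succeeds. Matching `name.to_s =~ Puppet::Indirector::BadNameRegexp` would validate the same string that is joined into the path.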
diff --git a/spec/unit/indirector/ssl_file.rb b/spec/unit/indirector/ssl_file.rb
index 7a9d629..077ccc2 100755
--- a/spec/unit/indirector/ssl_file.rb
+++ b/spec/unit/indirector/ssl_file.rb
@@ -89,6 +89,25 @@ describe Puppet::Indirector::SslFile do
             end
         end
 
+        ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+            '/foo', '//foo', '\\foo', '\\\\goo',
+            "test\0/../bar", "test\0\\..\\bar",
+            "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+            " / bar", " /../ bar", " \\..\\ bar",
+            "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+            "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+            "//?/c:/foo",
+        ].each do |input|
+            it "should resist directory traversal attacks (#{input.inspect})" 
do
+                expect { @searcher.path(input) }.to raise_error
+            end
+        end
+
+      # REVISIT: Should probably test MS-DOS reserved names here, too, since
+      # they would represent a vulnerability on a Win32 system, should we ever
+      # support that path.  Don't forget that 'CON.foo' == 'CON'
+      # --daniel 2011-09-24
+
         describe "when finding certificates on disk" do
             describe "and no certificate is present" do
                 before do
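Review bot: `expect { @searcher.path(input) }.to raise_error` passes on any exception, including a `NoMethodError` from an unrelated bug, so these cases do not prove that the new guard is what rejected the input. Match on `ArgumentError` and the `invalid key` message that `path` raises. The input list also has no bare `..` entry, and the REVISIT comment is indented two columns less than the code around it.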
diff --git a/spec/unit/indirector/yaml.rb b/spec/unit/indirector/yaml.rb
index 0e70708..c5d357f 100755
--- a/spec/unit/indirector/yaml.rb
+++ b/spec/unit/indirector/yaml.rb
@@ -50,6 +50,21 @@ describe Puppet::Indirector::Yaml, " when choosing file 
location" do
         it "should use the object's name to determine the file name" do
             @store.path(:me).should =~ %r{me.yaml$}
         end
+
+        ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+            '/foo', '//foo', '\\foo', '\\\\goo',
+            "test\0/../bar", "test\0\\..\\bar",
+            "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+            " / bar", " /../ bar", " \\..\\ bar",
+            "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+            "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+            "//?/c:/foo",
+        ].each do |input|
+            it "should resist directory traversal attacks (#{input.inspect})" 
do
+                expect { @store.path(input) }.to raise_error
+            end
+        end
+
     end
 
     describe Puppet::Indirector::Yaml, " when storing objects as YAML" do
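Review bot: the input list here is a copy of the one added to `spec/unit/indirector/ssl_file.rb`; a shared constant or shared example group would keep the two specs from drifting apart. The context line above the addition calls `path(:me)` with a Symbol, yet every rejected input in the list is a String, so add at least one Symbol case to cover the key type this spec already uses.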
-- 
1.7.4.4




Remember to have fun...
