Hello community,

here is the log from the commit of package rubygem-puppet for openSUSE:Factory 
checked in at 2017-07-17 09:12:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-puppet (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-puppet.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-puppet"

Mon Jul 17 09:12:14 2017 rev:12 rq:510322 version:3.8.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-puppet/rubygem-puppet.changes    
2016-10-04 15:59:38.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-puppet.new/rubygem-puppet.changes       
2017-07-17 09:12:17.218397846 +0200
@@ -1,0 +2,8 @@
+Fri Jul 14 13:18:28 UTC 2017 - kstreit...@suse.com
+
+- add puppet-CVE-2017-2295.patch to fix a security vulnerability
+  where an attacker could force YAML deserialization in an unsafe
+  manner, which would lead to remote code execution
+  [bsc#1040151], [CVE-2017-2295]
+
+-------------------------------------------------------------------

New:
----
  puppet-CVE-2017-2295.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-puppet.spec ++++++
--- /var/tmp/diff_new_pack.DumdKZ/_old  2017-07-17 09:12:17.870306021 +0200
+++ /var/tmp/diff_new_pack.DumdKZ/_new  2017-07-17 09:12:17.874305458 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-puppet
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -60,7 +60,7 @@
 BuildRequires:  %{rubygem rdoc > 3.10}
 BuildRequires:  update-alternatives
 Url:            https://github.com/puppetlabs/puppet
-Source:         http://rubygems.org/gems/%{mod_full_name}.gem
+Source:         https://rubygems.org/gems/%{mod_full_name}.gem
 Source1:        puppetmaster.fw
 Source2:        puppet.fw
 Source3:        puppetmaster-unicorn.service
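
Review bot: The `Source:` switch from http://rubygems.org to https://rubygems.org is unrelated to the CVE fix and is not recorded in the rubygem-puppet.changes entry, which lists only puppet-CVE-2017-2295.patch. Add a changelog line for it so the download URL change can be audited.
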
@@ -73,6 +73,7 @@
 Patch2:  %{mod_name}-ruby-2_2.patch
 Patch3:  %{mod_name}-systemd-default-on-new-suse.patch
 Patch4:  %{mod_name}-non_ASCII_user_comment.patch
+Patch5:  %{mod_name}-CVE-2017-2295.patch
 # /MANUAL
 Summary:        A network tool for managing many disparate systems
 License:        Apache-2.0
@@ -92,6 +93,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 find -type f -print0 | xargs -0 touch -r %{S:0}
 %gem_build
 

++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.DumdKZ/_old  2017-07-17 09:12:17.914299825 +0200
+++ /var/tmp/diff_new_pack.DumdKZ/_new  2017-07-17 09:12:17.914299825 +0200
@@ -18,6 +18,7 @@
   '%{mod_name}-ruby-2_2.patch': -p1
   '%{mod_name}-systemd-default-on-new-suse.patch': -p1
   '%{mod_name}-non_ASCII_user_comment.patch': -p1
+  '%{mod_name}-CVE-2017-2295.patch': -p1
 :main:
   :preamble: |-
     Provides:   %{mod_name} = %{version}-%{release}
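
Review bot: On the added `'%{mod_name}-CVE-2017-2295.patch': -p1` line, the patch being wired in is indexed against `puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb`, while this package is at version 3.8.7. -p1 strips that leading directory, so it will apply, but confirm it applies without offset or fuzz against the 3.8.7 sources and refresh it if it does not.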

++++++ puppet-CVE-2017-2295.patch ++++++
>From 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea Mon Sep 17 00:00:00 2001
From: Josh Cooper <j...@puppet.com>
Date: Fri, 28 Apr 2017 12:09:11 -0700
Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON

Previously, an authenticated user could cause the master to execute
YAML.load on user-specified input, as well as MessagePack.unpack if the
msgpack gem was installed.

Since 3.2.2, agents have always sent facts as PSON. There is no reason
to support other formats, so reject all fact formats except PSON.
---

Index: puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/indirector/catalog/compiler.rb
+++ puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
@@ -22,9 +22,11 @@ class Puppet::Resource::Catalog::Compile
       # in Network::HTTP::Handler will automagically deserialize the value.
       if text_facts.is_a?(Puppet::Node::Facts)
         facts = text_facts
-      else
+      elsif format == 'pson'
         # We unescape here because the corresponding code in 
Puppet::Configurer::FactHandler escapes
-        facts = Puppet::Node::Facts.convert_from(format, 
CGI.unescape(text_facts))
+        facts = Puppet::Node::Facts.convert_from('pson', 
CGI.unescape(text_facts))
+      else
+        raise ArgumentError, "Unsupported facts format"
       end
 
       unless facts.name == request.key
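
Review bot: The first branch, `if text_facts.is_a?(Puppet::Node::Facts)`, still accepts an already-deserialized object without looking at `format`, and the context comment above it says Network::HTTP::Handler may deserialize the value automatically. Confirm that this path cannot be reached with a non-PSON format; otherwise the new `elsif format == 'pson'` check is skipped for those requests. Two smaller points: `raise ArgumentError, "Unsupported facts format"` does not name the rejected format, which makes the rejection harder to triage in master logs, and the patch as shown carries no spec test for the new `else` branch.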
