Issue #15561 has been updated by Jeff McCune.
Matt Wise wrote:
> Jeff,
> This bug is still sitting open and affects all versions of Puppet after
> 2.7.18. Here I am trying to upgrade to 3.0.1, and I find the bug still
> exists. This has been sitting for 5 months now. Not fixing a bug as serious
> as this (that is, that it blocks upgrades to any newer version of Puppet)
> after this long does not instill confidence for businesses that are using
> this tool to manage their infrastructures.
I'm really sorry you can't upgrade to Puppet 3; the fact that this bug is still
open really bothers me too. I wish I had a better answer for you, but not much
has changed since I closed the pull request.
Here's where we're at. Unfortunately, we can't simply allow /'s in certificate
names, because doing so without also making substantial changes to the way the
indirection subsystem works would re-open CVE-2012-3867. Daniel confirmed this
in the pull request discussion:
> To be clear, my review was "-1, this is not acceptable to merge without
> substantial changes".
> The changes are to address, as Jeff notes, the internal assumptions in Puppet
> (in lib/puppet/indirector/{file,cert*/*,key/*}.rb) that the CN and the
> filename on disk match in any meaningful way.
> That includes making sure that, eg, "search" operations still work, etc.
This means this isn't a matter of simply changing the regular expression. If
we do change just the regular expression without also addressing the core
issues in the indirector subsystem, then we're back to a gaping security hole.
> When will this be fixed? We are really not happy being so far behind on our
> Puppet versions, especially given the security fixes that have gone into
> Puppet in the last few months.
As much as I'd like to, I cannot provide you with any new information about
when this will be fixed. There are no plans to make substantial changes to the
indirector subsystem that I am aware of. I wish I had something better to tell
you regarding this issue.
Perhaps Eric will have some ideas regarding how best to get this issue
prioritized higher than it currently is, but honestly I just don't think it's
affecting as many users as some of the other fundamental issues we're currently
wrestling with. Settings and code loading affect nearly every Puppet user for
example. As far as I know this issue is primarily affecting users who have an
external CA, which is a much smaller population.
Knowing that this issue is a blocker for you upgrading to Puppet 3.0 is
valuable impact data. Do you have a sense of how many sites are unable to
upgrade to Puppet 3 because of this issue?
Sorry I don't have better news for you at this time...
-Jeff
----------------------------------------
Bug #15561: Fix for CVE-2012-3867 is too restrictive
https://projects.puppetlabs.com/issues/15561#change-78251
Author: Dustin Mitchell
Status: Accepted
Priority: Urgent
Assignee:
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.7.18
Keywords: certificate
Branch: https://github.com/puppetlabs/puppet/pull/1101
The fix for CVE-2012-3867 involves checking certificate subjects for "weird"
characters. From my read of the CVE entry, this is to filter out characters
that would cause the name to display in a manner visually indistinguishable
from a valid hostname.
However, the check is too restrictive:
Could not retrieve catalog from remote server: Certname "puppetagain base
ca/[email protected]/ou=release engineering/o=mozilla, inc."
must not contain unprintable or non-ASCII characters
In particular, / is a very common character in subjects, and should be allowed.
Puppet is seeing this subject on my base CA - I'm using certificate chaining.
The fix is one character, so I haven't included a patch, but I'm happy to make
a pull req if necessary.
Another fix would be to only verify certificate subjects for the leaf
certificate, and not any of the certs in its signing chain, but that seems less
secure.
It's also worth noting that the regex is overly broad, since it downcases the
string, then accepts A-Z among other characters.
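As an added illustration (not Puppet's own code), the Ruby below sketches a certname check in the spirit of the CVE-2012-3867 fix, and shows why a "/" is unsafe as long as the indirector uses the CN as an on-disk filename. The base directory, function names and sample subjects are assumptions for the example.

```ruby
# Added example, not code from the Puppet project.
# Assumed base directory for the cert indirector's on-disk store (constructed).
SSL_DIR = '/var/lib/puppet/ssl/certs'

# Printable-ASCII-only certname check. Matching runs on the original string,
# so there is no downcase-then-accept-A-Z inconsistency, and "/" is refused
# because the name is later used directly as a path component.
def valid_certname?(name)
  return false if name.nil? || name.empty?
  return false unless name.ascii_only?          # rejects non-ASCII bytes
  return false if name =~ /[^[:print:]]/        # rejects control characters
  return false if name.include?('/')            # would become a path separator
  return false if name == '.' || name == '..'
  true
end

# Where a certname would land on disk if it were used as a filename unchecked.
def cert_path_for(name)
  File.expand_path(File.join(SSL_DIR, "#{name}.pem"))
end

# True only when the resolved file sits directly inside SSL_DIR. Note that a
# name such as "ca/../agent01.example.com" still resolves inside the directory
# yet aliases another host's certificate file, which is why the name check
# above, not path confinement alone, is the real control.
def confined?(name)
  File.dirname(cert_path_for(name)) == SSL_DIR
end
```

The constructed external-CA style subject with "/"-separated RDNs fails the check exactly as the report's error message describes, while a plain hostname in either case passes.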