[Puppet - Bug #19777] (Accepted) CVE-2013-1653 broke the indirection reference

Mon, 18 Mar 2013 11:20:09 -0700 

Issue #19777 has been reported by Nick Fagerlund.

----------------------------------------
Bug #19777: CVE-2013-1653 broke the indirection reference
https://projects.puppetlabs.com/issues/19777

* Author: Nick Fagerlund
* Status: Accepted
* Priority: Normal
* Assignee: Patrick Carlisle
* Category: 
* Target version: 3.1.x
* Affected Puppet version: 3.1.1
* Keywords: 
* Branch: 
----------------------------------------
The indirection reference is busted in 3.1.1 and 2.7.21. (It blows up more 
explosively in 2.7 than in 3.1.) Git bisect on the 3.1 series found this: 

    commit f877cf5d63ea4b6d3bc110af6212e5187f900ee9
    Author: Patrick Carlisle <[email protected]>
    Date:   Thu Feb 21 15:10:35 2013 -0800

    (#19392) (CVE-2013-1653) Validate instances passed to indirector

    This adds a general validation method to check that only valid instances can
    be passed into the indirector. Since access control is based on the URI but
    many operations directly use the serialized instance passed in, it was
    possible to bypass restrictions by passing in a custom object. Specifically 
it
    was possible to cause the puppet kick indirection to execute arbitrary code 
by
    passing in an instance of the wrong class. This validates that the instance 
is
    of the correct type and that the name matches the key that was used to
    authorize the request.

This reference is generated with the command `puppet doc --reference 
indirection. It is used to generate pages like 
<http://docs.puppetlabs.com/references/latest/indirection.html>. 


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to