Issue #19777 has been updated by Adrien Thebo.
https://github.com/puppetlabs/puppet/pull/1575 mitigates this and https://github.com/puppetlabs/puppet/pull/1580 adds logging to warn on cases like this. ---------------------------------------- Bug #19777: CVE-2013-1653 broke the indirection reference https://projects.puppetlabs.com/issues/19777#change-88011 * Author: Nick Fagerlund * Status: Accepted * Priority: Normal * Assignee: Patrick Carlisle * Category: * Target version: 3.1.x * Affected Puppet version: 3.1.1 * Keywords: * Branch: ---------------------------------------- The indirection reference is busted in 3.1.1 and 2.7.21. (It blows up more explosively in 2.7 than in 3.1.) Git bisect on the 3.1 series found this: commit f877cf5d63ea4b6d3bc110af6212e5187f900ee9 Author: Patrick Carlisle <[email protected]> Date: Thu Feb 21 15:10:35 2013 -0800 (#19392) (CVE-2013-1653) Validate instances passed to indirector This adds a general validation method to check that only valid instances can be passed into the indirector. Since access control is based on the URI but many operations directly use the serialized instance passed in, it was possible to bypass restrictions by passing in a custom object. Specifically it was possible to cause the puppet kick indirection to execute arbitrary code by passing in an instance of the wrong class. This validates that the instance is of the correct type and that the name matches the key that was used to authorize the request. This reference is generated with the command `puppet doc --reference indirection. It is used to generate pages like <http://docs.puppetlabs.com/references/latest/indirection.html>. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
