On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot c...@tiger-computing.co.uk wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>>> had to roll our own update internally that includes the patch in order
>>> to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security
>> update?
>> After reviewing all the fields I don't see any extra being added or
>> deleted. There is one issue, however, where the report format wasn't
>> bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying
>> transaction/report.rb's initialize to @report_format = 3.
>
> Apologies for not sending the debdiff like I said I would. I'll get onto
> this now.

Here is the source debdiff for the package that we are carrying
internally. This has been tested on our Puppet master server as well as
all our wheezy Puppet slave machines.
HTH,
Chris
--
Chris Boot
deb...@bootc.net
GPG: 1DE8 6AB0 1897 A330 D973 D77C 50DD 5A29 FB09
diff -Nru puppet-2.7.18/debian/changelog puppet-2.7.18/debian/changelog
--- puppet-2.7.18/debian/changelog 2013-06-23 12:11:59.0 +0100
+++ puppet-2.7.18/debian/changelog 2013-07-30 16:13:24.0 +0100
@@ -1,3 +1,10 @@
+puppet (2.7.18-5+tcl1) wheezy; urgency=low
+
+ * Add CVE-2013-3567.fixup-for-v3.patch to fix report generation. See
+#712745 for more information.
+
+ -- Chris Boot c...@tiger-computing.co.uk Tue, 30 Jul 2013 16:13:04 +0100
+
puppet (2.7.18-5) wheezy-security; urgency=high
* Import upstream patch to fix YAML loading vulnerability (CVE-2013-3567)
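Review bot: the new entry, "Add CVE-2013-3567.fixup-for-v3.patch to fix report generation", does not say what was failing or what the patch changes. The 2.7.18-5 entry directly below is the CVE-2013-3567 security upload, so this entry should state that the patch alters `initialize_from_hash` in `resource/status.rb`, `transaction/report.rb` and `transaction/event.rb`, and name the report fields affected. Anyone auditing the package can then see that the security fix's deserialization code has been modified locally.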
diff -Nru puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
--- puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
1970-01-01 01:00:00.0 +0100
+++ puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
2013-07-30 15:56:56.0 +0100
@@ -0,0 +1,66 @@
+--- a/lib/puppet/resource/status.rb
b/lib/puppet/resource/status.rb
+@@ -73,14 +73,13 @@
+ end
+
+ def initialize_from_hash(data)
+-@resource_type = data['resource_type']
+-@title = data['title']
++@source_description = data['source_description']
++@version = data['version']
+ @resource = data['resource']
+ @file = data['file']
+ @line = data['line']
+ @evaluation_time = data['evaluation_time']
+ @change_count = data['change_count']
+-@out_of_sync_count = data['out_of_sync_count']
+ @tags = data['tags']
+ @time = data['time']
+ @out_of_sync = data['out_of_sync']
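Review bot: in `initialize_from_hash`, the reads of `data['resource_type']`, `data['title']` and `data['out_of_sync_count']` are removed outright rather than made optional, so a report hash that does contain those keys is now deserialized with them silently dropped. Reading a key that is absent from a Hash just yields nil, so the three removed assignments could stay alongside the added `@source_description` and `@version` lines. The method would then accept both field sets instead of trading one for the other.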
+--- a/lib/puppet/transaction/report.rb
b/lib/puppet/transaction/report.rb
+@@ -90,17 +90,12 @@
+ end
+
+ def initialize_from_hash(data)
+-@puppet_version = data['puppet_version']
+-@report_format = data['report_format']
+-@configuration_version = data['configuration_version']
+-@environment = data['environment']
+-@status = data['status']
++@external_times = data['external_times']
+ @host = data['host']
+ @time = data['time']
+ if @time.is_a? String
+ @time = Time.parse(@time)
+ end
+-@kind = data['kind']
+
+ @metrics = {}
+ data['metrics'].each do |name, hash|
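Review bot: dropping `@report_format = data['report_format']` means the deserialized report no longer carries the format version its sender declared, and the thread above is specifically unsure whether the format number is the cause of the problem. Keep that assignment, and preferably select the field set based on it rather than hard-wiring one layout. The same goes for `@puppet_version`, `@configuration_version`, `@environment`, `@status` and `@kind`, which are all removed here with only `@external_times` added. Separately, the context line `data['metrics'].each` will raise on a report without a `metrics` key, so a guard there would be worth adding while this method is being touched.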
+--- a/lib/puppet/transaction/event.rb
b/lib/puppet/transaction/event.rb
+@@ -30,16 +30,21 @@
+ end
+
+ def initialize_from_hash(data)
+-@audited = data['audited']
+ @property = data['property']
+ @previous_value = data['previous_value']
+ @desired_value = data['desired_value']
+-@historical_value = data['historical_value']
+ @message = data['message']
+ @name = data['name'].intern
+ @status = data['status']
+ @time = data['time']
+ @time = Time.parse(@time) if @time.is_a? String
++@file = data['file']
++@line = data['line']
++@resource = data['resource']
++@tags = data['tags']
++@source_description = data['source_description']
++@version = data['version']
++@default_log_level = data['default_log_level']
+ end
+
+ def property=(prop)
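Review bot: the seven added assignments (`@file` through `@default_log_level`) copy values from the report hash without checking their type, and `@audited` and `@historical_value` are no longer restored at all. As this method parses reports sent by other servers, check that `tags` is the collection type the rest of the class expects and that `default_log_level` is a known log level before storing them, and state in the patch description why the two audit fields can be dropped. The context line `data['name'].intern` also turns a sender-supplied string into a Symbol and raises if `name` is absent, which deserves a check in the same pass.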
diff -Nru puppet-2.7.18/debian/patches/series
puppet-2.7.18/debian/patches/series
--- puppet-2.7.18/debian/patches/series 2013-06-23 12:11:59.0 +0100
+++ puppet-2.7.18/debian/patches/series 2013-07-30 15:56:45.0 +0100
@@ -7,3 +7,4 @@
apache2-passenger-template
fix_logcheck
2.7.21-Patch-for-CVE-2013-3567.patch
+CVE-2013-3567.fixup-for-v3.patch
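Review bot: the patch file registered by this new series entry has no header; its first line is already `--- a/lib/puppet/resource/status.rb`. Add a short description block at the top of the patch giving its purpose, author, origin and the bug reference (#712745, as cited in the changelog), so the series documents why a second patch follows `2.7.21-Patch-for-CVE-2013-3567.patch`.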