Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

2013-08-20 Thread Chris Boot
On 20/08/13 10:02, Raphael Geissert wrote:
> Hi again,
>
> On 31 July 2013 17:43, Chris Boot c...@tiger-computing.co.uk wrote:
>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>> had to roll our own update internally that includes the patch in order
>> to correctly process reports from other servers.
>
> Are you sure that this issue wasn't already present before the security
> update?
> After reviewing all the fields I don't see any extra being added or
> deleted. There is one issue, however, where the report format wasn't
> bumped to version 3 but this comes from upstream:
> http://projects.puppetlabs.com/issues/15739
>
> You could check if that is the issue by modifying
> transaction/report.rb's initialize to @report_format = 3.

Apologies for not sending the debdiff like I said I would. I'll get onto
this now.

We were running 2.7.18-3~bpo60+1 on squeeze without issues. Following
the wheezy upgrade (and going straight to 2.7.18-5) we started seeing
the issues with reports not being processed correctly. The only change I
can attribute this to is the fix for CVE-2013-3567.

The issue was causing reports from squeeze machines (running
2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
version of Puppet, causing invalid reports to be stored to disk and sent
to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
master causes valid reports to be stored on disk and sent to Dashboard
with no changes to the slave nodes.

HTH,
Chris

-- 
Chris Boot
Tiger Computing Ltd
Linux for Business

Tel: 01600 483 484
Web: http://www.tiger-computing.co.uk
Follow us on Facebook: http://www.facebook.com/TigerComputing

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

2013-08-20 Thread Chris Boot
On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot c...@tiger-computing.co.uk wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>>> had to roll our own update internally that includes the patch in order
>>> to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security
>> update?
>> After reviewing all the fields I don't see any extra being added or
>> deleted. There is one issue, however, where the report format wasn't
>> bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying
>> transaction/report.rb's initialize to @report_format = 3.
>
> Apologies for not sending the debdiff like I said I would. I'll get onto
> this now.

Here is the source debdiff for the package that we are carrying
internally. This has been tested on our Puppet master server as well as
all our wheezy Puppet slave machines.

HTH,
Chris

-- 
Chris Boot
deb...@bootc.net
GPG: 1DE8 6AB0 1897 A330 D973  D77C 50DD 5A29 FB09 
diff -Nru puppet-2.7.18/debian/changelog puppet-2.7.18/debian/changelog
--- puppet-2.7.18/debian/changelog  2013-06-23 12:11:59.0 +0100
+++ puppet-2.7.18/debian/changelog  2013-07-30 16:13:24.0 +0100
@@ -1,3 +1,10 @@
+puppet (2.7.18-5+tcl1) wheezy; urgency=low
+
+  * Add CVE-2013-3567.fixup-for-v3.patch to fix report generation. See
+#712745 for more information.
+
+ -- Chris Boot c...@tiger-computing.co.uk  Tue, 30 Jul 2013 16:13:04 +0100
+
 puppet (2.7.18-5) wheezy-security; urgency=high
 
   * Import upstream patch to fix YAML loading vulnerability (CVE-2013-3567)
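
Review bot: the new 2.7.18-5+tcl1 entry says only that the patch fixes "report generation", but the patch it adds edits `initialize_from_hash` in status.rb, report.rb and event.rb, which is how report objects are rebuilt from a hash on top of the CVE-2013-3567 fix. State that in the entry and name the fields that are no longer read (for example `report_format` and `audited`), so anyone auditing the security update can see from the changelog how this local build differs from 2.7.18-5.
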
diff -Nru puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch 
puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
--- puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch   
1970-01-01 01:00:00.0 +0100
+++ puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch   
2013-07-30 15:56:56.0 +0100
@@ -0,0 +1,66 @@
+--- a/lib/puppet/resource/status.rb
 b/lib/puppet/resource/status.rb
+@@ -73,14 +73,13 @@
+   end
+ 
+   def initialize_from_hash(data)
+-@resource_type = data['resource_type']
+-@title = data['title']
++@source_description = data['source_description']
++@version = data['version']
+ @resource = data['resource']
+ @file = data['file']
+ @line = data['line']
+ @evaluation_time = data['evaluation_time']
+ @change_count = data['change_count']
+-@out_of_sync_count = data['out_of_sync_count']
+ @tags = data['tags']
+ @time = data['time']
+ @out_of_sync = data['out_of_sync']
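
Review bot: in status.rb's `initialize_from_hash` the reads of `resource_type`, `title` and `out_of_sync_count` are removed in exchange for `source_description` and `version`, so a status hash that carries the removed keys now loses them without any error. Keep the three removed assignments and add the two new ones beside them; a key that is absent from `data` simply yields nil, so reading both sets does not depend on which agent sent the report.
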
+--- a/lib/puppet/transaction/report.rb
 b/lib/puppet/transaction/report.rb
+@@ -90,17 +90,12 @@
+   end
+ 
+   def initialize_from_hash(data)
+-@puppet_version = data['puppet_version']
+-@report_format = data['report_format']
+-@configuration_version = data['configuration_version']
+-@environment = data['environment']
+-@status = data['status']
++@external_times = data['external_times']
+ @host = data['host']
+ @time = data['time']
+ if @time.is_a? String
+   @time = Time.parse(@time)
+ end
+-@kind = data['kind']
+ 
+ @metrics = {}
+ data['metrics'].each do |name, hash|
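
Review bot: removing `@report_format = data['report_format']` (together with `puppet_version`, `configuration_version`, `environment`, `status` and `kind`) leaves the rebuilt report with no record of which format the sender used, so nothing downstream can tell the two layouts apart. Keep those reads and add `@external_times` alongside them; if the older layout needs special handling, branch on `data['report_format']` rather than deleting fields. The unchanged `data['metrics'].each` just below also has no guard for a hash without a `metrics` key.
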
+--- a/lib/puppet/transaction/event.rb
 b/lib/puppet/transaction/event.rb
+@@ -30,16 +30,21 @@
+   end
+ 
+   def initialize_from_hash(data)
+-@audited = data['audited']
+ @property = data['property']
+ @previous_value = data['previous_value']
+ @desired_value = data['desired_value']
+-@historical_value = data['historical_value']
+ @message = data['message']
+ @name = data['name'].intern
+ @status = data['status']
+ @time = data['time']
+ @time = Time.parse(@time) if @time.is_a? String
++@file = data['file']
++@line = data['line']
++@resource = data['resource']
++@tags = data['tags']
++@source_description = data['source_description']
++@version = data['version']
++@default_log_level = data['default_log_level']
+   end
+ 
+   def property=(prop)
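
Review bot: the seven added reads in event.rb (`file`, `line`, `resource`, `tags`, `source_description`, `version`, `default_log_level`) are copied from `data` with no type check, and `@audited` and `@historical_value` are dropped in the same hunk. This function sits in the code path touched by the CVE-2013-3567 patch, so check that `tags` is an array of strings and that `default_log_level` is one of the expected levels before storing them, and keep the two removed reads so the audit fields are not lost.
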
diff -Nru puppet-2.7.18/debian/patches/series 
puppet-2.7.18/debian/patches/series
--- puppet-2.7.18/debian/patches/series 2013-06-23 12:11:59.0 +0100
+++ puppet-2.7.18/debian/patches/series 2013-07-30 15:56:45.0 +0100
@@ -7,3 +7,4 @@
 apache2-passenger-template
 fix_logcheck
 2.7.21-Patch-for-CVE-2013-3567.patch
+CVE-2013-3567.fixup-for-v3.patch
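
Review bot: the file registered on the added line, CVE-2013-3567.fixup-for-v3.patch, begins directly with `--- a/lib/puppet/resource/status.rb` and carries no patch header. Add Description, Author and Bug-Debian (#712745) fields at the top so the reason for changing the field lists travels with the patch; the position after 2.7.21-Patch-for-CVE-2013-3567.patch is right, since the fixup is meant to apply on top of it.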




Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567

2013-08-20 Thread Raphael Geissert
Hi Chris,

On 20 August 2013 11:22, Chris Boot c...@tiger-computing.co.uk wrote:
> The issue was causing reports from squeeze machines (running
> 2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
> version of Puppet, causing invalid reports to be stored to disk and sent
> to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
> master causes valid reports to be stored on disk and sent to Dashboard
> with no changes to the slave nodes.

Er, that's a weird combination of versions, but in any case with the
patch you sent you are downgrading puppet 2.7's report format from
version 2 (3 actually) to version 1.

I personally don't think this has anything to do with the security
update and I'd rather look into the consumer of the reports (puppet
dashboard in this case). Temporarily downgrading to the version prior
to the DSA could allow you to confirm whether this is in fact a
regression.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
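
Added example, not part of the thread or of Puppet's code: it shows which keys each version of event.rb's `initialize_from_hash` silently ignores for a given event, and a loader that accepts both field sets while still rejecting unknown keys. The field names come from the event.rb hunk of the debdiff above; the sample events, `dropped`, `load_event`, `report` and the union allowlist are assumptions made for illustration.

```ruby
require 'yaml'

# Field names copied from the event.rb hunk of the debdiff in this thread.
COMMON     = %w[property previous_value desired_value message name status time].freeze
PRE_FIXUP  = (COMMON + %w[audited historical_value]).freeze
POST_FIXUP = (COMMON + %w[file line resource tags source_description version
                          default_log_level]).freeze

# Keys present in the incoming hash that a loader reading only `fields` ignores.
def dropped(event, fields)
  (event.keys - fields).sort
end

# Hypothetical tolerant loader: an explicit allowlist that is the union of both
# sets, so unknown keys are still rejected but neither layout loses data.
ALLOWED = (PRE_FIXUP | POST_FIXUP).freeze

def load_event(event)
  unknown = event.keys - ALLOWED
  raise ArgumentError, "unexpected keys: #{unknown.join(', ')}" unless unknown.empty?
  raise ArgumentError, 'event has no name' unless event['name'].is_a?(String)
  ALLOWED.each_with_object({}) { |k, out| out[k] = event[k] if event.key?(k) }
end

# Constructed sample events (not captured from a real agent). safe_load returns
# plain hashes, arrays and scalars only, never arbitrary Ruby objects.
SAMPLE = YAML.safe_load(<<~DOC)
  - name: mode_changed
    status: success
    message: "mode changed '644' to '600'"
    file: /etc/puppet/manifests/site.pp
    line: 12
    tags: [file, class]
    source_description: "/Stage[main]/Ssh/File[/etc/ssh/sshd_config]/mode"
    version: 1376990000
  - name: mode_changed
    status: success
    message: "mode changed '644' to '600'"
    audited: false
    historical_value: null
DOC

# Per event: what each single-layout loader drops, and what the union keeps.
def report(events)
  events.map do |e|
    { 'pre_fixup_drops' => dropped(e, PRE_FIXUP),
      'post_fixup_drops' => dropped(e, POST_FIXUP),
      'loaded_keys' => load_event(e).keys.sort }
  end
end
```
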

