Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Antoine Beaupré
On 2017-06-27 21:02:21, Jens Korte wrote:
> On Tue, 27 Jun 2017 14:35:09 -0400
> Antoine Beaupré  wrote:
>
>> On 2017-06-27 21:17:33, Apollon Oikonomopoulos wrote:
>> > On 20:08 Tue 27 Jun , Guido Günther wrote:
>> >> That sounds good to me especially if it's possible to toggle this so 
>> >> one
>> >> can e.g. first update all clients then disable accepting YAML on the
>> >> server.
>> >
>> > My thoughts exactly, it will be great if there's a configuration option 
>> > for turning off YAML.
>> 
>> Unfortunately, this is completely hardcoded in the source code, even in
>> newer releases. I would think it unwise to allow such a configuration in
>> wheezy since it would be ignored in later releases.
>
> How about introducing a second package that provides the same as puppet but 
> without YAML? It would not break the configuration later on and people can 
> choose to install the old package with higher security.

That would be more inconvenient than fixing the actual YAML issue. It
would also break upgrades.

I would not support such a solution.

A.

-- 
Sin was born before virtue, as the engine before the brake.
 - Jean-Paul Sartre



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Jens Korte
On Tue, 27 Jun 2017 14:35:09 -0400
Antoine Beaupré  wrote:

> On 2017-06-27 21:17:33, Apollon Oikonomopoulos wrote:
> > On 20:08 Tue 27 Jun , Guido Günther wrote:
> >> That sounds good to me especially if it's possible to toggle this so 
> >> one
> >> can e.g. first update all clients then disable accepting YAML on the
> >> server.
> >
> > My thoughts exactly, it will be great if there's a configuration option 
> > for turning off YAML.
> 
> Unfortunately, this is completely hardcoded in the source code, even in
> newer releases. I would think it unwise to allow such a configuration in
> wheezy since it would be ignored in later releases.

How about introducing a second package that provides the same as puppet but 
without YAML? It would not break the configuration later on and people can 
choose to install the old package with higher security.

> 
> Basically, once you update the clients to the new version, you turn off
> YAML. :) PSON works with an unpatched server, so that's your
> "configuration option"...
> 
> A.
> 
> -- 
> If I can't dance, I don't want to be part of your revolution.
> - Emma Goldman
> 


-- 
Jens Korte 



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Apollon Oikonomopoulos
On 20:08 Tue 27 Jun , Guido Günther wrote:
> That sounds good to me especially if it's possible to toggle this so 
> one
> can e.g. first update all clients then disable accepting YAML on the
> server.

My thoughts exactly, it will be great if there's a configuration option 
for turning off YAML.

Thanks for taking care of this,
Apollon



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Antoine Beaupré
On 2017-06-27 20:08:07, Guido Günther wrote:
> On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote:
>> On 2017-06-27 11:53:24, Antoine Beaupré wrote:
>> > Are you sure of this? From what I can tell agents haven't been sending
>> > YAML in a long time. If I understand things correctly, facts are sent in
>> > a format defined by the `preferred_serialization_format`, which
>> > currently (in wheezy) defaults to `pson`. It has been that way since
>> > upstream 1a89455499 (2009-06-03) which seems to have been shipped in
>> > puppet-0.24.5-rc4.
>> >
>> > My assertion, at this point, is that clients send facts in PSON, not
>> > YAML, and it's safe to disable other formats. This means, of course,
>> > that *older* clients (!) will break, but I think that's a fair move to
>> > do at this point.
>> >
>> > I will work on a package update based on that assumption.
>> 
>> And after testing this live, it turns out I was wrong: 2.7 does send
>> YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
>> b64_zlib_yaml.
>> 
>> So one thing I am considering at this stage is to simply add a patch for
>> *clients* to start sending PSON facts while disabling non-PSON facts on
>> the server. This breaks backwards compatibility, but I think this may be
>> a better approach than the status quo (abandoning 2.7) or the
>> alternative (hot-patching ruby YAML library).
>> 
>> I am concerned that the previously proposed approach of patching the
>> YAML libraries to be "safe" will be a lot of work and may be
>> incomplete.
>> 
>> I'm testing another patchset now that also updates clients, would that
>> solution be acceptable?
>
> That sounds good to me especially if it's possible to toggle this so one
> can e.g. first update all clients then disable accepting YAML on the
> server.

That was the case during our tests.

A.

-- 
Black must be respected. Nothing prostitutes it. It is an agent of the
mind far more than the beautiful colour of the palette or of the prism.
- Odilon Redon



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Guido Günther
On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote:
> On 2017-06-27 11:53:24, Antoine Beaupré wrote:
> > Are you sure of this? From what I can tell agents haven't been sending
> > YAML in a long time. If I understand things correctly, facts are sent in
> > a format defined by the `preferred_serialization_format`, which
> > currently (in wheezy) defaults to `pson`. It has been that way since
> > upstream 1a89455499 (2009-06-03) which seems to have been shipped in
> > puppet-0.24.5-rc4.
> >
> > My assertion, at this point, is that clients send facts in PSON, not
> > YAML, and it's safe to disable other formats. This means, of course,
> > that *older* clients (!) will break, but I think that's a fair move to
> > do at this point.
> >
> > I will work on a package update based on that assumption.
> 
> And after testing this live, it turns out I was wrong: 2.7 does send
> YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
> b64_zlib_yaml.
> 
> So one thing I am considering at this stage is to simply add a patch for
> *clients* to start sending PSON facts while disabling non-PSON facts on
> the server. This breaks backwards compatibility, but I think this may be
> a better approach than the status quo (abandoning 2.7) or the
> alternative (hot-patching ruby YAML library).
> 
> I am concerned that the previously proposed approach of patching the
> YAML libraries to be "safe" will be a lot of work and may be
> incomplete.
> 
> I'm testing another patchset now that also updates clients, would that
> solution be acceptable?

That sounds good to me especially if it's possible to toggle this so one
can e.g. first update all clients then disable accepting YAML on the
server.
Cheers,
 -- Guido



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Antoine Beaupré
On 2017-06-27 11:53:24, Antoine Beaupré wrote:
> Are you sure of this? From what I can tell agents haven't been sending
> YAML in a long time. If I understand things correctly, facts are sent in
> a format defined by the `preferred_serialization_format`, which
> currently (in wheezy) defaults to `pson`. It has been that way since
> upstream 1a89455499 (2009-06-03) which seems to have been shipped in
> puppet-0.24.5-rc4.
>
> My assertion, at this point, is that clients send facts in PSON, not
> YAML, and it's safe to disable other formats. This means, of course,
> that *older* clients (!) will break, but I think that's a fair move to
> do at this point.
>
> I will work on a package update based on that assumption.

And after testing this live, it turns out I was wrong: 2.7 does send
YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
b64_zlib_yaml.

So one thing I am considering at this stage is to simply add a patch for
*clients* to start sending PSON facts while disabling non-PSON facts on
the server. This breaks backwards compatibility, but I think this may be
a better approach than the status quo (abandoning 2.7) or the
alternative (hot-patching ruby YAML library).

I am concerned that the previously proposed approach of patching the
YAML libraries to be "safe" will be a lot of work and may be
incomplete.

I'm testing another patchset now that also updates clients, would that
solution be acceptable?

A.

-- 
Instead of worrying about what somebody else is going to do, which is
not under your control, the important thing is, what are you going to
decide about what is under your control?
 - Richard Stallman
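The server-side half of the plan described above (refuse non-PSON facts, so no YAML engine ever sees agent input), as an added Ruby example. This is illustration code written for this page, not Puppet's own fact handler or Antoine's patch; the `{"name": ..., "values": {...}}` request shape, the `decode_facts` name and the sample body are assumptions constructed for the example.

```ruby
require 'json'

# Serialization formats Puppet 2.7 could carry facts in; only PSON (a JSON
# subset) is allowed, mirroring upstream's fix. 'yaml' and 'b64_zlib_yaml'
# are deliberately absent from the list.
ALLOWED_FACT_FORMATS = %w[pson].freeze

class UnsupportedFactFormat < StandardError; end

# Decode a facts upload. +format+ is the serialization name the request
# declares, +body+ the raw payload. Anything other than PSON is rejected
# before its bytes are looked at, so no YAML loader is ever involved.
# The {"name" => ..., "values" => {...}} shape is an assumption made for
# this example.
def decode_facts(format, body)
  unless ALLOWED_FACT_FORMATS.include?(format)
    raise UnsupportedFactFormat,
          "refusing facts in #{format.inspect}; allowed: #{ALLOWED_FACT_FORMATS.join(', ')}"
  end

  facts = JSON.parse(body)

  # 2.x facts are plain string values keyed by name; enforce that shape so
  # the parser cannot hand the compiler structured data it never expects.
  unless facts.is_a?(Hash) && facts['name'].is_a?(String) && facts['values'].is_a?(Hash)
    raise UnsupportedFactFormat, 'PSON facts must be an object with "name" and a "values" hash'
  end
  facts['values'].each do |key, value|
    next if value.is_a?(String)
    raise UnsupportedFactFormat, "fact #{key.inspect} is not a string"
  end
  facts
end

# Constructed sample upload (not captured agent traffic).
SAMPLE_PSON_FACTS = '{"name":"web01.example.invalid",' \
                    '"values":{"osfamily":"Debian","lsbdistcodename":"wheezy"}}'

if $PROGRAM_NAME == __FILE__
  puts decode_facts('pson', SAMPLE_PSON_FACTS)['values']['lsbdistcodename']
  begin
    decode_facts('b64_zlib_yaml', 'opaque-body-never-inspected')
  rescue UnsupportedFactFormat => e
    puts "rejected: #{e.message}"
  end
end
```

The format check runs before the body is parsed, which is what makes the approach independent of which YAML engine (Syck or Psych) the server's Ruby happens to ship: an unpatched 2.7 agent still sending `b64_zlib_yaml` is simply refused, which is the backwards-compatibility break the thread discusses.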



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Apollon Oikonomopoulos
Hi pabs,

On 18:30 Wed 24 May , Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
> 
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
> 
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.

Just a couple of notes here:

 - Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
   YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed 
   provides a safe_load method. In short, YAML engine is something to be 
   aware of.

 - YAML safe loading depends on deserializing only known-safe types. We 
   need to make sure that this will not break the application. In theory 
   it shouldn't, as the facts in 2.x are plain strings.

Cheers,
Apollon
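To make the two notes above concrete, here is an added Ruby example (not Puppet's code, nor anything posted in this thread) of what a Psych `safe_load`-based fix would accept and reject. It assumes Ruby 1.9.3 or later with Psych, so it is precisely what Wheezy's Ruby 1.8/Syck cannot do; the `load_facts_safely` name and the sample documents are constructed for the example.

```ruby
require 'yaml'

# Load a facts document allowing only YAML's core scalar and collection
# types: no Ruby object tags, no Symbols, no aliases. Returns [:ok, facts]
# or [:rejected, reason]. Needs Psych (Ruby 1.9.3+); Wheezy's Syck has no
# safe_load at all, which is the first note's point.
def load_facts_safely(yaml_text)
  facts = YAML.safe_load(yaml_text,
                         permitted_classes: [],
                         permitted_symbols: [],
                         aliases: false)
  # Facts in 2.x are string-to-string (the second note); anything else is a
  # sign the application would break under the stricter loader, so flag it
  # rather than pass it on.
  unless facts.is_a?(Hash) && facts.values.all? { |v| v.is_a?(String) }
    return [:rejected, 'facts must be a mapping of strings']
  end
  [:ok, facts]
rescue Psych::Exception => e
  # DisallowedClass for tagged objects and Symbols, BadAlias (Psych 4:
  # its subclass AliasesNotEnabled) for aliases, SyntaxError for bad input.
  [:rejected, "#{e.class}: #{e.message}"]
end

# Constructed documents (not agent traffic).
PLAIN_FACTS   = "---\nosfamily: Debian\nlsbdistcodename: wheezy\n"
TAGGED_OBJECT = "--- !ruby/object:Object {}\n"
SYMBOL_VALUE  = "---\nosfamily: :debian\n"
ALIASED       = "---\na: &x Debian\nb: *x\n"

if $PROGRAM_NAME == __FILE__
  [PLAIN_FACTS, TAGGED_OBJECT, SYMBOL_VALUE, ALIASED].each do |doc|
    status, detail = load_facts_safely(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```

The last check is the one to watch when assessing "will this break the application": an agent value that YAML happens to resolve to an Integer or other non-string type is reported as rejected here, which is exactly the kind of mismatch that would need testing against real fact sets before shipping such a fix.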



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Paul Wise
On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:

> In Python/Perl YAML libraries there are ways to safely load YAML
> files, does Ruby not have the same possibilities?

After a bit of searching, I wonder if copying the ruby-safe-yaml
package from wheezy-backports to wheezy and then patching puppet to
use that might be a good solution.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Paul Wise
On Wed, May 24, 2017 at 5:51 PM, Apollon Oikonomopoulos wrote:

> So, from my understanding the version in Wheezy cannot be fixed: the 2.7
> agents only use YAML to send out facts and upstream's fix is to simply
> not accept anything other than PSON. Whitelisting YAML defeats the
> purpose, as it's YAML's deserialization of untrusted data that leads to
> remote code execution.

In Python/Perl YAML libraries there are ways to safely load YAML
files, does Ruby not have the same possibilities?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Apollon Oikonomopoulos
On 23:44 Mon 22 May , Apollon Oikonomopoulos wrote:
> On 22:53 Sun 21 May , Ola Lundqvist wrote:
> > Dear maintainer(s),
> > 
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of puppet:
> > https://security-tracker.debian.org/tracker/CVE-2017-2295
> > 
> > Would you like to take care of this yourself?
> > 
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> > 
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with a URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> > 
> > If you don't want to take care of this update, it's not a problem, we
> > will do our best with your package. Just let us know whether you would
> > like to review and/or test the updated package before it gets released.
> 
> Thanks for bringing the issue to our attention!
> 
> I'll address the issue soon for Sid/Stretch and Jessie, and will try to 
> fix Wheezy as well. Unfortunately, it looks like the fix for wheezy 
> might not be trivial; we need to check if the agent will still be able 
> to send facts to the server, as PSON is not the default format in Puppet 
> 2.7.

So, from my understanding the version in Wheezy cannot be fixed: the 2.7 
agents only use YAML to send out facts and upstream's fix is to simply 
not accept anything other than PSON. Whitelisting YAML defeats the 
purpose, as it's YAML's deserialization of untrusted data that leads to 
remote code execution.

Any ideas welcome here, but I seriously doubt there's much we can do to 
be completely safe, other than encourage people to move to 3.7 from 
wheezy-backports. Puppet 2.7 has been EOL for way too long anyway.

Regards,
Apollon



Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-22 Thread Apollon Oikonomopoulos
Dear Ola,

On 22:53 Sun 21 May , Ola Lundqvist wrote:
> Dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of puppet:
> https://security-tracker.debian.org/tracker/CVE-2017-2295
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Thanks for bringing the issue to our attention!

I'll address the issue soon for Sid/Stretch and Jessie, and will try to 
fix Wheezy as well. Unfortunately, it looks like the fix for wheezy 
might not be trivial; we need to check if the agent will still be able 
to send facts to the server, as PSON is not the default format in Puppet 
2.7.

Regards,
Apollon