Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 2017-06-27 21:02:21, Jens Korte wrote:
> On Tue, 27 Jun 2017 14:35:09 -0400
> Antoine Beaupré wrote:
>
>> On 2017-06-27 21:17:33, Apollon Oikonomopoulos wrote:
>> > On 20:08 Tue 27 Jun , Guido Günther wrote:
>> >> That sounds good to me especially if it's possible to toggle this so
>> >> one
>> >> can e.g. first update all clients then disable accepting YAML on the
>> >> server.
>> >
>> > My thoughts exactly, it will be great if there's a configuration option
>> > for turning off YAML.
>>
>> Unfortunately, this is completely hardcoded in the source code, even in
>> newer releases. I would think it unwise to allow such a configuration in
>> wheezy since it would be ignored in later release.
>
> How about introducing a second package that provides the same as puppet but
> without YAML? It would not break the configuration later on and people can
> choose to install the old package with higher security.

That would be more inconvenient than fixing the actual YAML issue. It
would also break upgrades. I would not support such a solution.

A.

--
Sin was born before virtue, as the engine before the brake.
 - Jean-Paul Sartre
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On Tue, 27 Jun 2017 14:35:09 -0400
Antoine Beaupré wrote:

> On 2017-06-27 21:17:33, Apollon Oikonomopoulos wrote:
> > On 20:08 Tue 27 Jun , Guido Günther wrote:
> >> That sounds good to me especially if it's possible to toggle this so
> >> one
> >> can e.g. first update all clients then disable accepting YAML on the
> >> server.
> >
> > My thoughts exactly, it will be great if there's a configuration option
> > for turning off YAML.
>
> Unfortunately, this is completely hardcoded in the source code, even in
> newer releases. I would think it unwise to allow such a configuration in
> wheezy since it would be ignored in later release.

How about introducing a second package that provides the same as puppet but
without YAML? It would not break the configuration later on and people can
choose to install the old package with higher security.

> Basically, once you update the clients to the new version, you turn off
> YAML. :) PSON works with an unpatched server, so that's your
> "configuration option"...
>
> A.
>
> --
> If I can't dance, I don't want to be part of your revolution.
> - Emma Goldman
>

--
Jens Korte
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 20:08 Tue 27 Jun , Guido Günther wrote:
> That sounds good to me especially if it's possible to toggle this so
> one
> can e.g. first update all clients then disable accepting YAML on the
> server.

My thoughts exactly, it will be great if there's a configuration option
for turning off YAML.

Thanks for taking care of this,
Apollon
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 2017-06-27 20:08:07, Guido Günther wrote:
> On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote:
>> On 2017-06-27 11:53:24, Antoine Beaupré wrote:
>> > Are you sure of this? From what I can tell agents haven't been sending
>> > YAML in a long time. If I understand things correctly, facts are sent in
>> > a format defined by the `preferred_serialization_format`, which
>> > currently (in wheezy) defaults to `pson`. It has been that way since
>> > upstream 1a89455499 (2009-06-03) which seems to have been shipped in
>> > puppet-0.24.5-rc4.
>> >
>> > My assertion, at this point, is that clients send facts in PSON, not
>> > YAML, and it's safe to disable other formats. This means, of course,
>> > that *older* clients (!) will break, but I think that's a fair move to
>> > do at this point.
>> >
>> > I will work on a package update based on that assumption.
>>
>> And after testing this live, it turns out I was wrong: 2.7 does send
>> YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
>> b64_zlib_yaml.
>>
>> So one thing I am considering at this stage is to simply add a patch for
>> *clients* to start sending PSON facts while disabling non-PSON facts on
>> the server. This breaks backwards compatibility, but I think this may be
>> a better approach than the status quo (abandoning 2.7) or the
>> alternative (hot-patching ruby YAML library).
>>
>> I am concerned that the previously proposed approach of patching the
>> YAML libraries to be "safe" will be a lot of work and may be
>> incomplete.
>>
>> I'm testing another patchset now that also updates clients, would that
>> solution be acceptable?
>
> That sounds good to me especially if it's possible to toggle this so one
> can e.g. first update all clients then disable accepting YAML on the
> server.

That was the case during our tests.

A.

--
One must respect black. Nothing prostitutes it. It is an agent of the
mind far more than the beautiful colour of the palette or the prism.
 - Odilon Redon
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote:
> On 2017-06-27 11:53:24, Antoine Beaupré wrote:
> > Are you sure of this? From what I can tell agents haven't been sending
> > YAML in a long time. If I understand things correctly, facts are sent in
> > a format defined by the `preferred_serialization_format`, which
> > currently (in wheezy) defaults to `pson`. It has been that way since
> > upstream 1a89455499 (2009-06-03) which seems to have been shipped in
> > puppet-0.24.5-rc4.
> >
> > My assertion, at this point, is that clients send facts in PSON, not
> > YAML, and it's safe to disable other formats. This means, of course,
> > that *older* clients (!) will break, but I think that's a fair move to
> > do at this point.
> >
> > I will work on a package update based on that assumption.
>
> And after testing this live, it turns out I was wrong: 2.7 does send
> YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
> b64_zlib_yaml.
>
> So one thing I am considering at this stage is to simply add a patch for
> *clients* to start sending PSON facts while disabling non-PSON facts on
> the server. This breaks backwards compatibility, but I think this may be
> a better approach than the status quo (abandoning 2.7) or the
> alternative (hot-patching ruby YAML library).
>
> I am concerned that the previously proposed approach of patching the
> YAML libraries to be "safe" will be a lot of work and may be
> incomplete.
>
> I'm testing another patchset now that also updates clients, would that
> solution be acceptable?

That sounds good to me especially if it's possible to toggle this so one
can e.g. first update all clients then disable accepting YAML on the
server.

Cheers,
 -- Guido
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 2017-06-27 11:53:24, Antoine Beaupré wrote:
> Are you sure of this? From what I can tell agents haven't been sending
> YAML in a long time. If I understand things correctly, facts are sent in
> a format defined by the `preferred_serialization_format`, which
> currently (in wheezy) defaults to `pson`. It has been that way since
> upstream 1a89455499 (2009-06-03) which seems to have been shipped in
> puppet-0.24.5-rc4.
>
> My assertion, at this point, is that clients send facts in PSON, not
> YAML, and it's safe to disable other formats. This means, of course,
> that *older* clients (!) will break, but I think that's a fair move to
> do at this point.
>
> I will work on a package update based on that assumption.

And after testing this live, it turns out I was wrong: 2.7 does send
YAML. :( This is hardcoded in lib/puppet/configurer/fact_handler.rb as
b64_zlib_yaml.

So one thing I am considering at this stage is to simply add a patch for
*clients* to start sending PSON facts while disabling non-PSON facts on
the server. This breaks backwards compatibility, but I think this may be
a better approach than the status quo (abandoning 2.7) or the
alternative (hot-patching ruby YAML library).

I am concerned that the previously proposed approach of patching the
YAML libraries to be "safe" will be a lot of work and may be
incomplete.

I'm testing another patchset now that also updates clients, would that
solution be acceptable?

A.

--
Instead of worrying about what somebody else is going to do, which is
not under your control, the important thing is, what are you going to
decide about what is under your control?
 - Richard Stallman
Re: [Pkg-puppet-devel] Wheezy update of puppet?
Hi pabs,

On 18:30 Wed 24 May , Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
>
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
>
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.

Just a couple of notes here:

 - Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
   YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed
   provides a safe_load method. In short, YAML engine is something to
   be aware of.

 - YAML safe loading depends on deserializing only known-safe types. We
   need to make sure that this will not break the application. In
   theory it shouldn't, as the facts in 2.x are plain strings.

Cheers,
Apollon
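The safe-loading approach described in the notes above, as an added example that is not part of this thread or of Puppet's own code. It assumes Ruby 1.9.3 or later (Psych; Ruby 1.8's Syck has no safe_load at all) and uses constructed sample fact documents to show which inputs Psych.safe_load refuses and the String-only check that the 2.x "facts are plain strings" contract makes possible.

```ruby
require 'yaml' # loads Psych on Ruby >= 1.9.3; Ruby 1.8's Syck has no safe_load

# Constructed sample of a Puppet 2.x-style facts document: a mapping of
# plain strings, the only shape safe loading needs to accept.
BENIGN_FACTS = <<~YAML
  ---
  hostname: web01
  operatingsystem: Debian
  uptime_seconds: "12345"
YAML

# Constructed sample carrying a Ruby object tag (no real gadget, just the
# tag): the construct that makes plain YAML.load of untrusted input unsafe.
TAGGED_FACTS = <<~YAML
  ---
  hostname: !ruby/object:Object {}
YAML

# Constructed sample using a YAML alias; safe_load refuses these by default.
ALIASED_FACTS = <<~YAML
  ---
  base: &b web01
  hostname: *b
YAML

# Parse a facts document with Psych.safe_load, which only builds the basic
# YAML types (String, Integer, Float, Hash, Array, nil, booleans) and raises
# on object tags, Symbols and aliases. On top of that, enforce the 2.x
# application contract from the thread: a Hash of String => String.
# Returns [facts, nil] on success or [nil, reason] when the input is rejected.
def load_facts_safely(yaml_text)
  data = Psych.safe_load(yaml_text)
  return [nil, 'facts document is not a mapping'] unless data.is_a?(Hash)
  bad = data.reject { |k, v| k.is_a?(String) && v.is_a?(String) }
  return [nil, "non-string fact(s): #{bad.keys.join(', ')}"] unless bad.empty?
  [data, nil]
rescue Psych::Exception => e
  # Psych::DisallowedClass (object tag / Symbol), Psych::BadAlias (alias)
  # and Psych::SyntaxError all derive from Psych::Exception.
  [nil, "rejected by safe_load: #{e.class}: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_FACTS, TAGGED_FACTS, ALIASED_FACTS].each do |doc|
    facts, err = load_facts_safely(doc)
    puts(err || "accepted: #{facts.inspect}")
  end
end
```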
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:

> In Python/Perl YAML libraries there are ways to safely load YAML
> files, does Ruby not have the same possibilities?

After a bit of searching, I wonder if copying the ruby-safe-yaml
package from wheezy-backports to wheezy and then patching puppet to
use that might be a good solution.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On Wed, May 24, 2017 at 5:51 PM, Apollon Oikonomopoulos wrote:

> So, from my understanding the version in Wheezy cannot be fixed: the 2.7
> agents only use YAML to send out facts and upstream's fix is to simply
> not accept anything other than PSON. Whitelisting YAML defeats the
> purpose, as it's YAML's deserialization of untrusted data that leads to
> remote code execution.

In Python/Perl YAML libraries there are ways to safely load YAML
files, does Ruby not have the same possibilities?

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 23:44 Mon 22 May , Apollon Oikonomopoulos wrote:
> On 22:53 Sun 21 May , Ola Lundqvist wrote:
> > Dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of puppet:
> > https://security-tracker.debian.org/tracker/CVE-2017-2295
> >
> > Would you like to take care of this yourself?
> >
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with an URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> >
> > If you don't want to take care of this update, it's not a problem, we
> > will do our best with your package. Just let us know whether you would
> > like to review and/or test the updated package before it gets released.
>
> Thanks for bringing the issue to our attention!
>
> I'll address the issue soon for Sid/Stretch and Jessie, and will try to
> fix Wheezy as well. Unfortunately, it looks like the fix for wheezy
> might not be trivial; we need to check if the agent will still be able
> to send facts to the server, as PSON is not the default format in Puppet
> 2.7.

So, from my understanding the version in Wheezy cannot be fixed: the 2.7
agents only use YAML to send out facts and upstream's fix is to simply
not accept anything other than PSON. Whitelisting YAML defeats the
purpose, as it's YAML's deserialization of untrusted data that leads to
remote code execution.

Any ideas welcome here, but I seriously doubt there's much we can do to
be completely safe, other than encourage people to move to 3.7 from
wheezy-backports. Puppet 2.7 has been EOL for way too long anyway.

Regards,
Apollon
Re: [Pkg-puppet-devel] Wheezy update of puppet?
Dear Ola,

On 22:53 Sun 21 May , Ola Lundqvist wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of puppet:
> https://security-tracker.debian.org/tracker/CVE-2017-2295
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Thanks for bringing the issue to our attention!

I'll address the issue soon for Sid/Stretch and Jessie, and will try to
fix Wheezy as well. Unfortunately, it looks like the fix for wheezy
might not be trivial; we need to check if the agent will still be able
to send facts to the server, as PSON is not the default format in Puppet
2.7.

Regards,
Apollon