On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot <c...@tiger-computing.co.uk> wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've had to roll our own update internally that includes the patch in order to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security update?
>> After reviewing all the fields I don't see any extra being added or deleted. There is one issue, however, where the report format wasn't bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying transaction/report.rb's initialize to @report_format = 3.
>
> Apologies for not sending the debdiff like I said I would. I'll get onto this now.
Here is the source debdiff for the package that we are carrying internally. This has been tested on our Puppet master server as well as all our wheezy Puppet slave machines.

HTH,
Chris

--
Chris Boot
deb...@bootc.net
GPG: 1DE8 6AB0 1897 A330 D973 D77C 50DD 5A29 FB09 9999
diff -Nru puppet-2.7.18/debian/changelog puppet-2.7.18/debian/changelog --- puppet-2.7.18/debian/changelog 2013-06-23 12:11:59.000000000 +0100 +++ puppet-2.7.18/debian/changelog 2013-07-30 16:13:24.000000000 +0100 @@ -1,3 +1,10 @@ +puppet (2.7.18-5+tcl1) wheezy; urgency=low + + * Add CVE-2013-3567.fixup-for-v3.patch to fix report generation. See + #712745 for more information. + + -- Chris Boot <c...@tiger-computing.co.uk> Tue, 30 Jul 2013 16:13:04 +0100 + puppet (2.7.18-5) wheezy-security; urgency=high * Import upstream patch to fix YAML loading vulnerability (CVE-2013-3567) diff -Nru puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch --- puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch 1970-01-01 01:00:00.000000000 +0100 +++ puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch 2013-07-30 15:56:56.000000000 +0100 
@@ -0,0 +1,66 @@ +--- a/lib/puppet/resource/status.rb ++++ b/lib/puppet/resource/status.rb +@@ -73,14 +73,13 @@ + end + + def initialize_from_hash(data) +- @resource_type = data['resource_type'] +- @title = data['title'] ++ @source_description = data['source_description'] ++ @version = data['version'] + @resource = data['resource'] + @file = data['file'] + @line = data['line'] + @evaluation_time = data['evaluation_time'] + @change_count = data['change_count'] +- @out_of_sync_count = data['out_of_sync_count'] + @tags = data['tags'] + @time = data['time'] + @out_of_sync = data['out_of_sync'] +--- a/lib/puppet/transaction/report.rb ++++ b/lib/puppet/transaction/report.rb +@@ -90,17 +90,12 @@ + end + + def initialize_from_hash(data) +- @puppet_version = data['puppet_version'] +- @report_format = data['report_format'] +- @configuration_version = data['configuration_version'] +- @environment = data['environment'] +- @status = data['status'] ++ @external_times = data['external_times'] + @host = data['host'] + @time = data['time'] + if @time.is_a? String + @time = Time.parse(@time) + end +- @kind = data['kind'] + + @metrics = {} + data['metrics'].each do |name, hash| +--- a/lib/puppet/transaction/event.rb ++++ b/lib/puppet/transaction/event.rb +@@ -30,16 +30,21 @@ + end + + def initialize_from_hash(data) +- @audited = data['audited'] + @property = data['property'] + @previous_value = data['previous_value'] + @desired_value = data['desired_value'] +- @historical_value = data['historical_value'] + @message = data['message'] + @name = data['name'].intern + @status = data['status'] + @time = data['time'] + @time = Time.parse(@time) if @time.is_a? 
String ++ @file = data['file'] ++ @line = data['line'] ++ @resource = data['resource'] ++ @tags = data['tags'] ++ @source_description = data['source_description'] ++ @version = data['version'] ++ @default_log_level = data['default_log_level'] + end + + def property=(prop) diff -Nru puppet-2.7.18/debian/patches/series puppet-2.7.18/debian/patches/series --- puppet-2.7.18/debian/patches/series 2013-06-23 12:11:59.000000000 +0100 +++ puppet-2.7.18/debian/patches/series 2013-07-30 15:56:45.000000000 +0100 @@ -7,3 +7,4 @@ apache2-passenger-template fix_logcheck 2.7.21-Patch-for-CVE-2013-3567.patch +CVE-2013-3567.fixup-for-v3.patch
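Review bot: the changelog entry says the new patch is there "to fix report generation", but the patch only touches initialize_from_hash in status.rb, report.rb and event.rb, i.e. how a report received from an agent is loaded on the master, not how it is generated; suggest wording the entry to match, e.g. `* Add CVE-2013-3567.fixup-for-v3.patch to fix loading of reports sent by 2.7.18 agents. See #712745 for more information.`, so that someone reading the changelog knows which side of the master/agent exchange the local version changes.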
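Review bot: in the report.rb hunk, dropping `@report_format = data['report_format']` (along with puppet_version, configuration_version, environment, status and kind) means those values are no longer populated from the incoming report, yet the thread itself refers to @report_format being set in transaction/report.rb's initialize on 2.7.18, so at least that attribute does exist on this version; each key removed here should be checked against the instance variables 2.7.18 actually serializes before it is taken out of the list, and the same check applies to the keys added in event.rb (file, line, resource, tags, source_description, version, default_log_level) and report.rb (external_times). These initialize_from_hash methods are where the CVE-2013-3567 fix copies agent-supplied report data into Ruby objects, so every key listed in them is a value a remote agent controls and every added assignment should, like the existing ones, take plain data only. The new patch file also begins straight at `--- a/lib/puppet/resource/status.rb` with no DEP-3 header; a Description/Origin/Bug-Debian: #712745 block recording why the field list differs from 2.7.21-Patch-for-CVE-2013-3567.patch would save the next maintainer this reconstruction.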