Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release team,

Please unblock package puppet. The version in unstable fixes a security issue (remote code execution); please see #863212 for more details. Full source debdiff attached.

Thanks,
Apollon

unblock puppet/4.8.2-5
diff -Nru puppet-4.8.2/debian/changelog puppet-4.8.2/debian/changelog
--- puppet-4.8.2/debian/changelog 2017-04-28 17:38:26.000000000 +0300
+++ puppet-4.8.2/debian/changelog 2017-05-23 23:17:46.000000000 +0300
@@ -1,3 +1,10 @@
+puppet (4.8.2-5) unstable; urgency=high
+
+  * master: accept facts only in PSON format (CVE-2017-2295) (Closes:
+    #863212).
+
+ -- Apollon Oikonomopoulos <apoi...@debian.org>  Tue, 23 May 2017 23:17:46 +0300
+
 puppet (4.8.2-4) unstable; urgency=medium
 
   * Handle creation and removal of /var/cache/puppet/state (Closes: #855923)
diff -Nru puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch
--- puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch 1970-01-01 02:00:00.000000000 +0200
+++ puppet-4.8.2/debian/patches/0008-CVE-2017-2295.patch 2017-05-22 10:47:55.000000000 +0300
@@ -0,0 +1,101 @@
+From b29fd533913786ef1e7de421c6128239b839fb5f Mon Sep 17 00:00:00 2001
+From: Josh Cooper <j...@puppet.com>
+Date: Fri, 28 Apr 2017 12:09:11 -0700
+Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
+
+Previously, an authenticated user could cause the master to execute
+YAML.load on user-specified input, as well as MessagePack.unpack if the
+msgpack gem was installed.
+
+Since 3.2.2, agents have always sent facts as PSON. There is no reason
+to support other formats, so reject all fact formats except PSON.
+
+(cherry picked from commit 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea)
+---
+ lib/puppet/indirector/catalog/compiler.rb     |  6 +++--
+ spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
+index e4e60ce54..16c83533e 100644
+--- a/lib/puppet/indirector/catalog/compiler.rb
++++ b/lib/puppet/indirector/catalog/compiler.rb
+@@ -25,9 +25,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
+     # in Network::HTTP::Handler will automagically deserialize the value.
+     if text_facts.is_a?(Puppet::Node::Facts)
+       facts = text_facts
+-    else
++    elsif format == 'pson'
+       # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
+-      facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
++      facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
++    else
++      raise ArgumentError, "Unsupported facts format"
+     end
+ 
+     unless facts.name == request.key
+diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
+index b134c9094..d31eaeeef 100644
+--- a/spec/unit/indirector/catalog/compiler_spec.rb
++++ b/spec/unit/indirector/catalog/compiler_spec.rb
+@@ -255,10 +255,10 @@ describe Puppet::Resource::Catalog::Compiler do
+     @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
+   end
+ 
+-  def a_request_that_contains(facts)
++  def a_request_that_contains(facts, format = :pson)
+     request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
+-    request.options[:facts_format] = "pson"
+-    request.options[:facts] = CGI.escape(facts.render(:pson))
++    request.options[:facts_format] = format.to_s
++    request.options[:facts] = CGI.escape(facts.render(format))
+     request
+   end
+ 
+@@ -277,7 +277,7 @@ describe Puppet::Resource::Catalog::Compiler do
+     expect(facts.timestamp).to eq(time)
+   end
+ 
+-  it "should convert the facts into a fact instance and save it" do
++  it "accepts PSON facts" do
+     request = a_request_that_contains(@facts)
+ 
+     options = {
+@@ -289,6 +289,34 @@ describe Puppet::Resource::Catalog::Compiler do
+ 
+     @compiler.extract_facts_from_request(request)
+   end
++
++  it "rejects YAML facts" do
++    request = a_request_that_contains(@facts, :yaml)
++
++    options = {
++      :environment => request.environment,
++      :transaction_uuid => request.options[:transaction_uuid],
++    }
++
++    expect {
++      @compiler.extract_facts_from_request(request)
++    }.to raise_error(ArgumentError, /Unsupported facts format/)
++  end
++
++  it "rejects unknown fact formats" do
++    request = a_request_that_contains(@facts)
++    request.options[:facts_format] = 'unknown-format'
++
++    options = {
++      :environment => request.environment,
++      :transaction_uuid => request.options[:transaction_uuid],
++    }
++
++    expect {
++      @compiler.extract_facts_from_request(request)
++    }.to raise_error(ArgumentError, /Unsupported facts format/)
++  end
++
+   end
+ 
+   describe "when finding nodes" do
+-- 
+2.11.0
+
diff -Nru puppet-4.8.2/debian/patches/series puppet-4.8.2/debian/patches/series
--- puppet-4.8.2/debian/patches/series 2017-03-27 21:32:20.000000000 +0300
+++ puppet-4.8.2/debian/patches/series 2017-05-22 10:48:29.000000000 +0300
@@ -5,3 +5,4 @@
 0005-use-systemd-as-the-default-service-provider.patch
 0006-debian-service-provider-use-service.patch
 0007-Fix-service-listing-and-enable-disable-in-Debian.patch
+0008-CVE-2017-2295.patch
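Review bot: The new rejection branch in compiler.rb, `raise ArgumentError, "Unsupported facts format"`, discards the value it refused, so a master log only records that some format was rejected; `raise ArgumentError, "Unsupported facts format: #{format.inspect}"` still satisfies the specs' `/Unsupported facts format/` match and lets an operator distinguish a stale agent from deliberate probing of the endpoint. The exact comparison `format == 'pson'` is the right shape for an allow-list, but the hunk does not show where `format` is assigned; if it can ever arrive as a Symbol rather than the String the spec sets via `format.to_s`, legitimate PSON requests would be refused, so confirm its type at the assignment site. The first branch, `text_facts.is_a?(Puppet::Node::Facts)`, still accepts whatever Network::HTTP::Handler already deserialized from the body, which this patch does not touch and is presumably covered by the existing format handling there. The enclosing method (presumably `extract_facts_from_request`, which the spec exercises) starts and ends outside the hunk.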