[Pkg-puppet-devel] Bug#712745: Bug#712745: Bug#712745: puppet: CVE-2013-3567
Chris Boot
debian at bootc.net
Tue Aug 20 09:31:08 UTC 2013
On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot <crb at tiger-computing.co.uk> wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>>> had to roll our own update internally that includes the patch in order
>>> to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security update?
>> After reviewing all the fields I don't see any extra being added or
>> deleted. There is one issue, however, where the report format wasn't
>> bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying
>> transaction/report.rb's initialize to @report_format = 3.
>
> Apologies for not sending the debdiff like I said I would. I'll get onto
> this now.
Here is the source debdiff for the package that we are carrying
internally. This has been tested on our Puppet master server as well as
all our wheezy Puppet slave machines.
HTH,
Chris
--
Chris Boot
debian at bootc.net
GPG: 1DE8 6AB0 1897 A330 D973 D77C 50DD 5A29 FB09 9999
-------------- next part --------------
diff -Nru puppet-2.7.18/debian/changelog puppet-2.7.18/debian/changelog
--- puppet-2.7.18/debian/changelog 2013-06-23 12:11:59.000000000 +0100
+++ puppet-2.7.18/debian/changelog 2013-07-30 16:13:24.000000000 +0100
@@ -1,3 +1,10 @@
+puppet (2.7.18-5+tcl1) wheezy; urgency=low
+
+ * Add CVE-2013-3567.fixup-for-v3.patch to fix report generation. See
+ #712745 for more information.
+
+ -- Chris Boot <crb at tiger-computing.co.uk> Tue, 30 Jul 2013 16:13:04 +0100
+
puppet (2.7.18-5) wheezy-security; urgency=high
* Import upstream patch to fix YAML loading vulnerability (CVE-2013-3567)
diff -Nru puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
--- puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch 1970-01-01 01:00:00.000000000 +0100
+++ puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch 2013-07-30 15:56:56.000000000 +0100
@@ -0,0 +1,66 @@
+--- a/lib/puppet/resource/status.rb
++++ b/lib/puppet/resource/status.rb
+@@ -73,14 +73,13 @@
+ end
+
+ def initialize_from_hash(data)
+- @resource_type = data['resource_type']
+- @title = data['title']
++ @source_description = data['source_description']
++ @version = data['version']
+ @resource = data['resource']
+ @file = data['file']
+ @line = data['line']
+ @evaluation_time = data['evaluation_time']
+ @change_count = data['change_count']
+- @out_of_sync_count = data['out_of_sync_count']
+ @tags = data['tags']
+ @time = data['time']
+ @out_of_sync = data['out_of_sync']
+--- a/lib/puppet/transaction/report.rb
++++ b/lib/puppet/transaction/report.rb
+@@ -90,17 +90,12 @@
+ end
+
+ def initialize_from_hash(data)
+- @puppet_version = data['puppet_version']
+- @report_format = data['report_format']
+- @configuration_version = data['configuration_version']
+- @environment = data['environment']
+- @status = data['status']
++ @external_times = data['external_times']
+ @host = data['host']
+ @time = data['time']
+ if @time.is_a? String
+ @time = Time.parse(@time)
+ end
+- @kind = data['kind']
+
+ @metrics = {}
+ data['metrics'].each do |name, hash|
+--- a/lib/puppet/transaction/event.rb
++++ b/lib/puppet/transaction/event.rb
+@@ -30,16 +30,21 @@
+ end
+
+ def initialize_from_hash(data)
+- @audited = data['audited']
+ @property = data['property']
+ @previous_value = data['previous_value']
+ @desired_value = data['desired_value']
+- @historical_value = data['historical_value']
+ @message = data['message']
+ @name = data['name'].intern
+ @status = data['status']
+ @time = data['time']
+ @time = Time.parse(@time) if @time.is_a? String
++ @file = data['file']
++ @line = data['line']
++ @resource = data['resource']
++ @tags = data['tags']
++ @source_description = data['source_description']
++ @version = data['version']
++ @default_log_level = data['default_log_level']
+ end
+
+ def property=(prop)
diff -Nru puppet-2.7.18/debian/patches/series puppet-2.7.18/debian/patches/series
--- puppet-2.7.18/debian/patches/series 2013-06-23 12:11:59.000000000 +0100
+++ puppet-2.7.18/debian/patches/series 2013-07-30 15:56:45.000000000 +0100
@@ -7,3 +7,4 @@
apache2-passenger-template
fix_logcheck
2.7.21-Patch-for-CVE-2013-3567.patch
+CVE-2013-3567.fixup-for-v3.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130820/3abdeeed/attachment-0001.sig>
More information about the Pkg-puppet-devel
mailing list