[Pkg-puppet-devel] Bug#712745: Bug#712745: Bug#712745: puppet: CVE-2013-3567

Chris Boot debian at bootc.net
Tue Aug 20 09:31:08 UTC 2013 

On 20/08/13 10:22, Chris Boot wrote:
> On 20/08/13 10:02, Raphael Geissert wrote:
>> Hi again,
>>
>> On 31 July 2013 17:43, Chris Boot <crb at tiger-computing.co.uk> wrote:
>>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>>> had to roll our own update internally that includes the patch in order
>>> to correctly process reports from other servers.
>>
>> Are you sure that this issue wasn't already present before the security update?
>> After reviewing all the fields I don't see any extra being added or
>> deleted. There is one issue, however, where the report format wasn't
>> bumped to version 3 but this comes from upstream:
>> http://projects.puppetlabs.com/issues/15739
>>
>> You could check if that is the issue by modifying
>> transaction/report.rb's initialize to @report_format = 3.
> 
> Apologies for not sending the debdiff like I said I would. I'll get onto
> this now.

Here is the source debdiff for the package that we are carrying
internally. This has been tested on our Puppet master server as well as
all our wheezy Puppet slave machines.

HTH,
Chris

-- 
Chris Boot
debian at bootc.net
GPG: 1DE8 6AB0 1897 A330 D973  D77C 50DD 5A29 FB09 9999
-------------- next part --------------
diff -Nru puppet-2.7.18/debian/changelog puppet-2.7.18/debian/changelog
--- puppet-2.7.18/debian/changelog	2013-06-23 12:11:59.000000000 +0100
+++ puppet-2.7.18/debian/changelog	2013-07-30 16:13:24.000000000 +0100
@@ -1,3 +1,10 @@
+puppet (2.7.18-5+tcl1) wheezy; urgency=low
+
+  * Add CVE-2013-3567.fixup-for-v3.patch to fix report generation. See
+    #712745 for more information.
+
+ -- Chris Boot <crb at tiger-computing.co.uk>  Tue, 30 Jul 2013 16:13:04 +0100
+
 puppet (2.7.18-5) wheezy-security; urgency=high
 
   * Import upstream patch to fix YAML loading vulnerability (CVE-2013-3567)
diff -Nru puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch
--- puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch	1970-01-01 01:00:00.000000000 +0100
+++ puppet-2.7.18/debian/patches/CVE-2013-3567.fixup-for-v3.patch	2013-07-30 15:56:56.000000000 +0100
@@ -0,0 +1,66 @@
+--- a/lib/puppet/resource/status.rb
++++ b/lib/puppet/resource/status.rb
+@@ -73,14 +73,13 @@
+       end
+ 
+       def initialize_from_hash(data)
+-        @resource_type = data['resource_type']
+-        @title = data['title']
++        @source_description = data['source_description']
++        @version = data['version']
+         @resource = data['resource']
+         @file = data['file']
+         @line = data['line']
+         @evaluation_time = data['evaluation_time']
+         @change_count = data['change_count']
+-        @out_of_sync_count = data['out_of_sync_count']
+         @tags = data['tags']
+         @time = data['time']
+         @out_of_sync = data['out_of_sync']
+--- a/lib/puppet/transaction/report.rb
++++ b/lib/puppet/transaction/report.rb
+@@ -90,17 +90,12 @@
+   end
+ 
+   def initialize_from_hash(data)
+-    @puppet_version = data['puppet_version']
+-    @report_format = data['report_format']
+-    @configuration_version = data['configuration_version']
+-    @environment = data['environment']
+-    @status = data['status']
++    @external_times = data['external_times']
+     @host = data['host']
+     @time = data['time']
+     if @time.is_a? String
+       @time = Time.parse(@time)
+     end
+-    @kind = data['kind']
+ 
+     @metrics = {}
+     data['metrics'].each do |name, hash|
+--- a/lib/puppet/transaction/event.rb
++++ b/lib/puppet/transaction/event.rb
+@@ -30,16 +30,21 @@
+   end
+ 
+   def initialize_from_hash(data)
+-    @audited = data['audited']
+     @property = data['property']
+     @previous_value = data['previous_value']
+     @desired_value = data['desired_value']
+-    @historical_value = data['historical_value']
+     @message = data['message']
+     @name = data['name'].intern
+     @status = data['status']
+     @time = data['time']
+     @time = Time.parse(@time) if @time.is_a? String
++    @file = data['file']
++    @line = data['line']
++    @resource = data['resource']
++    @tags = data['tags']
++    @source_description = data['source_description']
++    @version = data['version']
++    @default_log_level = data['default_log_level']
+   end
+ 
+   def property=(prop)
diff -Nru puppet-2.7.18/debian/patches/series puppet-2.7.18/debian/patches/series
--- puppet-2.7.18/debian/patches/series	2013-06-23 12:11:59.000000000 +0100
+++ puppet-2.7.18/debian/patches/series	2013-07-30 15:56:45.000000000 +0100
@@ -7,3 +7,4 @@
 apache2-passenger-template
 fix_logcheck
 2.7.21-Patch-for-CVE-2013-3567.patch
+CVE-2013-3567.fixup-for-v3.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130820/3abdeeed/attachment-0001.sig>

More information about the Pkg-puppet-devel mailing list