[Pkg-puppet-devel] Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2
Jérôme Charaoui
jerome at riseup.net
Sun May 7 16:47:23 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-puppet-devel at alioth-lists.debian.net
Control: affects -1 + src:puppetserver
I would like to request an unblock to upload puppetserver/7.9.5-2 which
fixes two bugs using targeted fixes.
- #1032241 puppetserver - service unit fails to realize the main
process died
- #1035541 puppetserver: CVE-2023-1894
[ Reason ]
The main reason is to fix the denial-of-service security issue prior to
the release. The second fix has been in the source repository's main
branch for some time, awaiting release.
[ Impact ]
Accepting this release should not have any impact beyond puppetserver
itself.
[ Tests ]
Build and autopkgtest are passing. The service unit fix has been applied
locally on my production system for several weeks.
[ Risks ]
There is a (low) risk that the patches introduce new bugs.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
Thanks!
-- Jérôme
diff -Nru puppetserver-7.9.5/debian/changelog puppetserver-7.9.5/debian/changelog
--- puppetserver-7.9.5/debian/changelog 2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/changelog 2023-05-07 11:09:17.000000000 -0400
@@ -1,3 +1,10 @@
+puppetserver (7.9.5-2) unstable; urgency=medium
+
+ * abort service start/reload if mainpid dies (Closes: #1032241)
+ * add patch fixing CVE-2023-1894 (Closes: #1035541)
+
+ -- Jérôme Charaoui <jerome at riseup.net> Sun, 07 May 2023 11:09:17 -0400
+
puppetserver (7.9.5-1) unstable; urgency=medium
* New upstream version 7.9.5
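Review bot: the entry `* add patch fixing CVE-2023-1894 (Closes: #1035541)` does not say what the fix changes for users, and the backported patch does more than close the denial of service: per its updated tests, subjects ending in a dot or an underscore and segments starting with an underscore are now accepted where they were rejected before. Suggest wording such as "add patch fixing CVE-2023-1894 (denial of service in certificate subject validation; subjects ending in '.' or '_' are now accepted) (Closes: #1035541)" so the security tracker entry and the behaviour change are both visible from the changelog.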
diff -Nru puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
--- puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 1969-12-31 19:00:00.000000000 -0500
+++ puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 2023-05-07 11:09:17.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?b?SsOpcsO0bWUgQ2hhcmFvdWk=?= <jerome at riseup.net>
+Date: Sun, 7 May 2023 11:00:09 -0400
+Subject: Backport fix for CVE-2023-1894
+
+Forwarded: not-needed
+Bug: https://tickets.puppetlabs.com/browse/PE-35786
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
+Origin:
+ commit, https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc
+ backport, https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2
+---
+ .../puppetserver/certificate_authority.clj | 33 +++++++++++++++++---
+ .../puppetserver/certificate_authority_test.clj | 36 ++++++++++++++--------
+ 2 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+index 46429f4..16ab834 100644
+--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
++++ b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+@@ -787,6 +787,11 @@
+ (utils/subject-alt-names {:dns-name (conj default-alt-names host-name)} false)
+ (utils/subject-alt-names (update alt-names-list :dns-name conj host-name) false))))
+
++
++(def pattern-match-dot #"\.")
++(def pattern-starts-with-alphanumeric-or-underscore #"^[\p{Alnum}_].*")
++(def pattern-matches-alphanumeric-with-symbols-string #"^[\p{Alnum}\-_]*[\p{Alnum}_]$")
++
+ (schema/defn validate-subject!
+ "Validate the CSR or certificate's subject name. The subject name must:
+ * match the hostname specified in the HTTP request (the `subject` parameter)
+@@ -795,12 +800,16 @@
+ * not contain the wildcard character (*)"
+ [hostname :- schema/Str
+ subject :- schema/Str]
++ (log/debug (i18n/trs "Checking \"{0}\" for validity" subject))
++
+ (when-not (= hostname subject)
++ (log/infof "Rejecting subject \"%s\" because it doesn't match hostname \"%s\"" subject hostname)
+ (sling/throw+
+ {:kind :hostname-mismatch
+- :msg (i18n/tru "Instance name \"{0}\" does not match requested key \"{1}\"" subject hostname)}))
++ :msg (format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)}))
+
+ (when (contains-uppercase? hostname)
++ (log/info (i18n/tru "Rejecting subject \"{0}\" because all characters must be lowercase" subject))
+ (sling/throw+
+ {:kind :invalid-subject-name
+ :msg (i18n/tru "Certificate names must be lower case.")}))
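Review bot: the line `+ :msg (format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)}))` replaces the `i18n/tru` call with plain `format`, so this one error message stops being translatable while every other `:msg` in the same function keeps `i18n/tru`. Nothing in the patch header explains why the backport needs that, so keep the original `i18n/tru` line and add only the logging call. The same inconsistency applies to `log/infof` with a raw string on the line above, where the neighbouring checks use `log/info` with `i18n/tru`.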
+@@ -809,11 +818,25 @@
+ (sling/throw+
+ {:kind :invalid-subject-name
+ :msg (i18n/tru "Subject contains a wildcard, which is not allowed: {0}" subject)}))
+-
+- (when-not (re-matches #"^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$" subject)
++
++ (when (str/ends-with? subject "-")
++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it ends with an invalid character" subject))
+ (sling/throw+
+- {:kind :invalid-subject-name
+- :msg (i18n/tru "Subject hostname format is invalid")})))
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))
++
++ (let [segments (str/split subject pattern-match-dot)]
++ (when-not (re-matches pattern-starts-with-alphanumeric-or-underscore (first segments))
++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it starts with an invalid character" subject))
++ (sling/throw+
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))
++
++ (when-not (every? #(re-matches pattern-matches-alphanumeric-with-symbols-string %) segments)
++ (log/info (i18n/tru "Rejecting subject \"{0}\" because it contains invalid characters" subject))
++ (sling/throw+
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))))
+
+ (schema/defn allowed-extension?
+ "A predicate that answers if an extension is allowed or not.
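Review bot: `(first segments)` can be nil here, so a subject made only of dots (for example `.` or `..`) throws a NullPointerException from `re-matches` instead of the `:invalid-subject-name` condition: `str/split` uses `String.split`, which drops trailing empty strings, so `(str/split "." pattern-match-dot)` is `[]`, `(first [])` is nil, and `(every? ...)` over an empty vector would also pass. Add a guard before the `(first segments)` check, e.g. `(when (empty? segments) (sling/throw+ {:kind :invalid-subject-name :msg (i18n/tru "Subject hostname format is invalid")}))`. On the fix itself: the removed regex `^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$` nests an unbounded `[a-z0-9\-_]*` inside an outer `(...)*`, the shape that lets a crafted subject drive the matcher into exponential backtracking, and the per-segment `^[\p{Alnum}\-_]*[\p{Alnum}_]$` has no nested quantifier, so the replacement is the right one. Two facts worth a comment above the new `def`s: `\p{Alnum}` accepts uppercase, so lowercase is only enforced by the earlier `contains-uppercase?` check (which inspects `hostname`, not `subject`, and is only sufficient because equality was checked first); and the trailing-empty-string behaviour of `str/split` is why `rootca.` is accepted while `rootca..example.org` (an empty middle segment) still fails the segment match.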
+diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+index 7df5e75..c8d4c7a 100644
+--- a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
++++ b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+@@ -1635,19 +1635,31 @@
+ (validate-subject!
+ "" ""))))
+
+- (testing "an exception is thrown when the hostnames contain multiple dots in a row"
+- (is (thrown+?
+- [:kind :invalid-subject-name
+- :msg "Subject hostname format is invalid"]
+- (validate-subject!
+- "rootca..example.org" "rootca..example.org"))))
++ (testing "subjects that end end in dot are valid"
++ (is (nil?
++ (validate-subject!
++ "rootca." "rootca."))))
+
+- (testing "an exception is thrown when the hostnames end in dot"
+- (is (thrown+?
+- [:kind :invalid-subject-name
+- :msg "Subject hostname format is invalid"]
+- (validate-subject!
+- "rootca." "rootca."))))
++ (testing "subjects that end in an underscore are valid"
++ (is (nil?
++ (validate-subject!
++ "rootca_" "rootca_"))))
++
++ (testing "subjects that start in an underscore are valid"
++ (is (nil?
++ (validate-subject!
++ "_x-puppet._tcp.example.com" "_x-puppet._tcp.example.com"))))
++
++ (testing "single letter segments are valid"
++ (is (nil?
++ (validate-subject!
++ "a.example.com" "a.example.com")))
++ (is (nil?
++ (validate-subject!
++ "_.example.com" "_.example.com")))
++ (is (nil?
++ (validate-subject!
++ "foo.a.example.com" "foo.a.example.com"))))
+
+ (testing "Single word hostnames are allowed"
+ (is (nil?
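Review bot: the removed test "an exception is thrown when the hostnames contain multiple dots in a row" still holds under the new code (`rootca..example.org` yields an empty middle segment, which `^[\p{Alnum}\-_]*[\p{Alnum}_]$` rejects), so it should stay as a regression test rather than be deleted. Fix the typo in `(testing "subjects that end end in dot are valid"`, and since that test inverts the removed "hostnames end in dot" case, the patch header should state that accepting a trailing dot is intended upstream behaviour rather than a side effect of the backport.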
diff -Nru puppetserver-7.9.5/debian/patches/series puppetserver-7.9.5/debian/patches/series
--- puppetserver-7.9.5/debian/patches/series 2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/patches/series 2023-05-07 11:09:17.000000000 -0400
@@ -7,3 +7,4 @@
0007-Adapt-JRuby-environment-test-for-Debian.patch
0008-Adjust-defaults-paths.patch
0009-Remove-call-to-symlink-cadir.patch
+0010-Backport-fix-for-CVE-2023-1894.patch
diff -Nru puppetserver-7.9.5/debian/puppetserver.service puppetserver-7.9.5/debian/puppetserver.service
--- puppetserver-7.9.5/debian/puppetserver.service 2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/puppetserver.service 2023-03-12 11:08:38.000000000 -0400
@@ -15,6 +15,10 @@
UMask=027
+# the startup and reload commands rely on the trapperkeeper
+# restartfile to sync with the process' internal readiness
+# if the mainpid dies while loading, it will abort
+
ExecStartPre=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
ExecStart=/usr/bin/java $JAVA_ARGS \
-Djruby.lib=/usr/share/jruby/lib \
@@ -25,12 +29,11 @@
--bootstrap-config /etc/puppet/puppetserver/services.d \
--restart-file ${RUNTIME_DIRECTORY}/restart \
$TK_ARGS
-ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done"
+ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
-ExecReload=sh -c " \
- echo -n 0 > ${RUNTIME_DIRECTORY}/restart; \
- kill -HUP $MAINPID; \
- while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done"
+ExecReload=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
+ExecReload=kill -HUP $MAINPID
+ExecReload=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
SuccessExitStatus=143
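Review bot: the `kill -0 $MAINPID && sleep 1 || exit 1` loops make the start and reload fail promptly when the JVM dies, but they still spin indefinitely if the process stays alive and never writes `1` to the restart file, so they rely on TimeoutStartSec covering a slow JVM start; that setting is not in this hunk, so confirm the unit sets one appropriate for puppetserver. It would also help to extend the comment in the previous hunk to say that a non-zero exit from these loops makes systemd mark the start (or reload) as failed, and that ExecStartPre resets the restart file to `0` on the next start, so a reload that failed mid-way leaves no stale state behind.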