Bug 11019 - puppet new security issues CVE-2013-4761 and CVE-2013-4956
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563689/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-08-16 18:04 CEST by David Walser
Modified: 2014-05-08 18:04 CEST
Source RPM: puppet

Description David Walser 2013-08-16 18:04:55 CEST
Ubuntu has issued an advisory on August 15:
http://www.ubuntu.com/usn/usn-1928-1/

Here are the upstream advisories:
http://puppetlabs.com/security/cve/cve-2013-4761/
http://puppetlabs.com/security/cve/cve-2013-4956/

Comment 1 David Walser 2013-08-20 15:16:42 CEST
The issues are fixed in puppet 2.7.23 and 3.2.4.

Guillaume has uploaded puppet 3.2.4 in Cauldron.

CC: (none) => guillomovitch

Comment 2 Oden Eriksson 2013-08-20 16:39:53 CEST
2.7.23 has been submitted to 2 + 3

CC: (none) => oe

Comment 3 David Walser 2013-08-20 16:41:30 CEST
Thanks Oden.  All that's left is puppet3 in Mageia 3.

Comment 4 Oden Eriksson 2013-08-21 09:27:17 CEST
======================================================
Name: CVE-2013-4761
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130705
Category: 
Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4761/

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, allows remote attackers to execute arbitrary Ruby
programs from the master via the resource_type service.  NOTE: this
vulnerability can only be exploited utilizing unspecified "local file
system access" to the Puppet Master.



======================================================
Name: CVE-2013-4956
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4956/

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and
3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, installs modules with weak permissions if those
permissions were used when the modules were originally built, which
might allow local users to read or modify those modules depending on
the original permissions.
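
An added example, not part of the bug report or of Puppet's own code: a shell audit for the CVE-2013-4956 symptom, listing installed module files that group or other users can write to, then tightening them. The sample tree and the `ntp` module name are constructed for illustration; pass your real module directory as the first argument.

```shell
#!/bin/sh
# Added example: audit an installed Puppet module tree for weak modes
# carried over from the module's build (the CVE-2013-4956 symptom).

# List files/dirs under "$1" writable by group or other (POSIX find syntax).
# Symlinks are skipped: their own mode bits are not meaningful on Linux.
audit_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | LC_ALL=C sort
}

# Succeeds only when nothing weak is found, so cron or CI can alert on it.
check_modules() {
    [ -z "$(audit_writable "$1")" ]
}

# Remove group/other write from everything audit_writable would report.
harden_modules() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Constructed sample tree standing in for a module installed with weak modes.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ntp/manifests" "$d/ntp/templates"
    echo 'class ntp {}' > "$d/ntp/manifests/init.pp"
    echo 'server pool' > "$d/ntp/templates/ntp.conf.erb"
    chmod 755 "$d" "$d/ntp" "$d/ntp/manifests"
    chmod 644 "$d/ntp/manifests/init.pp"
    chmod 777 "$d/ntp/templates"               # weak directory mode
    chmod 666 "$d/ntp/templates/ntp.conf.erb"  # world-writable template
    echo "$d"
}

# Audit a real module directory when one is given as the first argument.
if [ "$#" -gt 0 ]; then
    audit_writable "$1"
fi
```
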

Comment 5 Oden Eriksson 2013-08-21 09:58:20 CEST
(In reply to David Walser from comment #3)
> Thanks Oden.  All that's left is puppet3 in Mageia 3.

puppet3-3.2.4-1.mga3 has been submitted.

Comment 6 David Walser 2013-08-21 16:25:28 CEST
Thanks Oden!

Advisory:
========================

Updated puppet and puppet3 packages fix security vulnerabilities:

It was discovered that Puppet incorrectly handled the resource_type service. A
local attacker on the master could use this issue to execute arbitrary Ruby
files (CVE-2013-4761).

It was discovered that Puppet incorrectly handled permissions on the modules it
installed. Modules could be installed with the permissions that existed when
they were built, possibly exposing them to a local attacker (CVE-2013-4956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956
http://puppetlabs.com/security/cve/cve-2013-4761/
http://puppetlabs.com/security/cve/cve-2013-4956/
http://www.ubuntu.com/usn/usn-1928-1/
========================

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.mga2
puppet-server-2.7.23-1.mga2
puppet-2.7.23-1.mga3
puppet-server-2.7.23-1.mga3
vim-puppet-2.7.23-1.mga3
emacs-puppet-2.7.23-1.mga3
puppet3-3.2.4-1.mga3
puppet3-server-3.2.4-1.mga3
vim-puppet3-3.2.4-1.mga3
emacs-puppet3-3.2.4-1.mga3

from SRPMS:
puppet-2.7.23-1.mga2.src.rpm
puppet-2.7.23-1.mga3.src.rpm
puppet3-3.2.4-1.mga3.src.rpm

CC: (none) => boklm
Version: Cauldron => 3
Assignee: boklm => qa-bugs
Whiteboard: (none) => MGA2TOO

Comment 7 claire robinson 2013-08-21 19:49:41 CEST
No PoCs. Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 8 Dave Hodgins 2013-08-22 04:02:10 CEST
Advisory 11019.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 9 claire robinson 2013-08-22 14:42:50 CEST
Testing mga3 32 & 64

Comment 10 claire robinson 2013-08-22 15:56:51 CEST
Testing complete mga3 32 & 64

Followed the procedure to serve a file (/etc/motd) in each direction with puppet, then removed puppet, deleted /var/lib/puppet and repeated the tests for puppet3.

See here for the different syntax in fileserver.conf for puppet3
https://bugs.mageia.org/show_bug.cgi?id=10568#c13

You may want to echo "" > /etc/motd when finished testing or you'll see the test text whenever you log in with ssh.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 11 claire robinson 2013-08-23 12:46:14 CEST
Testing complete mga2 32 & 64

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates.

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-08-26 21:46:08 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0259.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:16 CEST

CC: boklm => (none)

