Bug 11019 - puppet new security issues CVE-2013-4761 and CVE-2013-4956
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563689/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update

Reported: 2013-08-16 18:04 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)
Source RPM: puppet
Description David Walser 2013-08-16 18:04:55 CEST
Ubuntu has issued an advisory on August 15:
http://www.ubuntu.com/usn/usn-1928-1/

Here are the upstream advisories:
http://puppetlabs.com/security/cve/cve-2013-4761/
http://puppetlabs.com/security/cve/cve-2013-4956/
Comment 1 David Walser 2013-08-20 15:16:42 CEST
The issues are fixed in puppet 2.7.23 and 3.2.4.

Guillaume has uploaded puppet 3.2.4 in Cauldron.
Comment 2 Oden Eriksson 2013-08-20 16:39:53 CEST
2.7.23 has been submitted to 2 + 3
Comment 3 David Walser 2013-08-20 16:41:30 CEST
Thanks Oden.  All that's left is puppet3 in Mageia 3.
Comment 4 Oden Eriksson 2013-08-21 09:27:17 CEST
======================================================
Name: CVE-2013-4761
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130705
Category: 
Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4761/

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, allows remote attackers to execute arbitrary Ruby
programs from the master via the resource_type service.  NOTE: this
vulnerability can only be exploited utilizing unspecified "local file
system access" to the Puppet Master.



======================================================
Name: CVE-2013-4956
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4956/

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and
3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, installs modules with weak permissions if those
permissions were used when the modules were originally built, which
might allow local users to read or modify those modules depending on
the original permissions.
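
An added example, not part of the bug thread or of Puppet's code: one way to check a module archive for the condition CVE-2013-4956 describes, by reading the mode bits recorded in the tarball at build time and reporting entries that would be group- or world-writable (or setuid/setgid) if installed as-is. The archive contents, the names and the `SAFE_MASK` policy are constructed assumptions for illustration.

```python
import io
import stat
import tarfile

# Bits that let someone other than the owner modify an installed file, plus
# setuid/setgid, which a configuration module has no reason to carry.
WEAK_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID
SAFE_MASK = 0o755  # assumption: owner rwx, group/other read and traverse only


def audit_module_archive(fileobj):
    """Return (name, recorded_mode, tightened_mode) for each weak entry."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() or member.isdir()):
                continue  # only regular files and directories are checked
            mode = member.mode & 0o7777
            if mode & WEAK_BITS:
                findings.append((member.name, mode, mode & SAFE_MASK))
    return findings


def build_sample_archive():
    """Constructed sample: a module built under a permissive umask."""
    entries = [
        ("example-module", 0o755, None),
        ("example-module/manifests", 0o777, None),
        ("example-module/manifests/init.pp", 0o666, b"class example {}\n"),
        ("example-module/README", 0o644, b"constructed sample\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode, fixed in audit_module_archive(build_sample_archive()):
        print(f"{name}: recorded {mode:04o}, tighten to {fixed:04o}")
```
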
Comment 5 Oden Eriksson 2013-08-21 09:58:20 CEST
(In reply to David Walser from comment #3)
> Thanks Oden.  All that's left is puppet3 in Mageia 3.

puppet3-3.2.4-1.mga3 has been submitted.
Comment 6 David Walser 2013-08-21 16:25:28 CEST
Thanks Oden!

Advisory:
========================

Updated puppet and puppet3 packages fix security vulnerabilities:

It was discovered that Puppet incorrectly handled the resource_type service. A
local attacker on the master could use this issue to execute arbitrary Ruby
files (CVE-2013-4761).

It was discovered that Puppet incorrectly handled permissions on the modules it
installed. Modules could be installed with the permissions that existed when
they were built, possibly exposing them to a local attacker (CVE-2013-4956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956
http://puppetlabs.com/security/cve/cve-2013-4761/
http://puppetlabs.com/security/cve/cve-2013-4956/
http://www.ubuntu.com/usn/usn-1928-1/
========================

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.mga2
puppet-server-2.7.23-1.mga2
puppet-2.7.23-1.mga3
puppet-server-2.7.23-1.mga3
vim-puppet-2.7.23-1.mga3
emacs-puppet-2.7.23-1.mga3
puppet3-3.2.4-1.mga3
puppet3-server-3.2.4-1.mga3
vim-puppet3-3.2.4-1.mga3
emacs-puppet3-3.2.4-1.mga3

from SRPMS:
puppet-2.7.23-1.mga2.src.rpm
puppet-2.7.23-1.mga3.src.rpm
puppet3-3.2.4-1.mga3.src.rpm
Comment 7 claire robinson 2013-08-21 19:49:41 CEST
No PoCs. Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5
Comment 8 Dave Hodgins 2013-08-22 04:02:10 CEST
Advisory 11019.adv uploaded to svn.
Comment 9 claire robinson 2013-08-22 14:42:50 CEST
Testing mga3 32 & 64
Comment 10 claire robinson 2013-08-22 15:56:51 CEST
Testing complete mga3 32 & 64

Followed the procedure to serve a file (/etc/motd) in each direction with puppet, then removed puppet, deleted /var/lib/puppet and repeated the tests for puppet3

See here for the different syntax in fileserver.conf for puppet3
https://bugs.mageia.org/show_bug.cgi?id=10568#c13

You may want to echo "" > /etc/motd when finished testing or you'll see the test text whenever you log in with ssh.
Comment 11 claire robinson 2013-08-23 12:46:14 CEST
Testing complete mga2 32 & 64

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates.

Thanks!
Comment 12 Thomas Backlund 2013-08-26 21:46:08 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0259.html