Upstream patches are available on Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3848
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3870
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3869
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3871
I guess we should push 2.6.11, since 2.6 is in maintenance only.
Ok, I pushed puppet 2.6.11.

Advisory text :

This advisory updates wireshark to the latest version of puppet of the 2.6.X branch (2.6.11), fixing several security issues :

- CVE-2011-3871 : A flaw was found in the way puppet resource in --edit mode handled temporary files. It would use an extremely predictable file name which persisted and could be known well prior to creation. This could result in both editing an arbitrary target file, and tricking puppet into running that arbitrary file as the invoking user. This feature is typically used as the root user, as you cannot do much as a less privileged user.

- CVE-2011-3869 : A flaw was found in the way puppet handled the k5login type. The k5login type is typically used to manage a file in the home directory of a user. It would write to the target file, as root, without doing anything to secure the file. This would allow the owner of the home directory to symlink to anything on the system, and have the contents replaced, as root.

- CVE-2011-3870 : A race condition was found in the way puppet handled ssh_authorized_keys. If a user's authorized_keys file was managed, they could use this flaw to overwrite arbitrary files as root when the target directory and file did not exist. Puppet would create the directory, ensure that it was user-writable, then write the file as the user before changing the file ownership. In the time between the write and the chown/chmod operation, a user could replace the file with a symbolic link and have the operation apply to any file on the disk, as root.

- CVE-2011-3848 : A directory traversal flaw was found in the way the SSLFile and YAML Puppet indirector base classes performed management of certain user-supplied x509 certificate signing requests. An authenticated attacker could use this flaw to overwrite arbitrary system files, accessible with the privileges of the Puppet Master application.

Some minor bugfixes have also been added as part of the upgrade to 2.6.11.
Build failed with :

  + cp -pr CHANGELOG COPYING LICENSE README examples /home/iurt/rpm/BUILDROOT/puppet-2.6.11-1.mga1.x86_64/usr/share/doc/puppet
  cp: cannot stat `README': No such file or directory
Package submitted again.
Ok thanks, I assign it to QA: puppet-2.6.11-1.mga1.src.rpm
CC: (none) => misc
Assignee: misc => qa-bugs
It looks like we can follow the example here for testing: http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
There are no exploits available for testing the CVEs, so we can just check that it seems to do what it is supposed to.
For testing CVE-2011-3871, that should be quite easy. The problem is that running "puppet resource --edit Package" will use a quite predictable filename (like /tmp/xpuppet-$PID.pp). While using the exploit would be a little bit lengthy for not much (and slightly convoluted), it should be sufficient to check the file opened by the command. If this is in /tmp/xpuppet-1234.pp then this is wrong. If this looks like ~/x2puppet20111005-20140-1xqnwcu-0 it is good.

For CVE-2011-3869, just make a hard link from ~user1/.k5login to /tmp/toto, and check that adding a k5login declaration writes the content in /tmp/toto too (bonus point if someone is fool enough to try this with /etc/passwd as the target). Just placing a simple manifest could be done, but I never used k5login so I am not sure to be able to give more information for now. I looked at the redmine, but there is no exploit either (like http://projects.puppetlabs.com/issues/9794). This should be quite easy to test by someone familiar with puppet and 2h of free time.

The 2 other ones are tricky. The Gentoo bug gives some information; I think this involves creating a fake certificate with a name containing ../../../, and using this to overwrite a file (since the name is used as part of the filename and was not checked, puppet ends up storing this in /var/lib/puppet$name, with $name being ../../../foo, and thus writing the certificate outside of /var/lib/puppet). And the ssh one is like the k5login one, with a timing problem (ie, you have to create the link at the right moment, if I understood correctly).

Anyway, we will likely deploy the package on our infrastructure so this would be validated.
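As an added example (not code from this bug, from Puppet, or from the advisory), here is a small Ruby script, Puppet's own language, showing the defensive side of the three defect classes the advisory and the test plan above describe: a check that an --edit temp file does not have the predictable /tmp/xpuppet-<pid>.pp shape and a Tempfile-based replacement, a containment check for a certificate name that is about to be used as a path component under a base directory, and a write routine for a user-owned file that refuses symlinks and hard links and applies owner and mode on the open descriptor before any content is written. The regexes, the base path, the prefix and the function names are assumptions made for the illustration.

```ruby
# Added example, not from the Mageia bug, the advisory or Puppet itself.
# Paths, prefixes, regexes and function names are assumptions for illustration.
require 'tempfile'
require 'tmpdir'

# --- CVE-2011-3871 class: predictable temp file name ------------------------
# Shape of the old name reported in the thread: /tmp/xpuppet-<pid>.pp (assumed).
PREDICTABLE_EDIT_NAME = %r{\A/tmp/x?puppet-\d+\.pp\z}

def predictable_edit_name?(path)
  PREDICTABLE_EDIT_NAME.match?(path)
end

# Tempfile builds "<prefix><date>-<pid>-<random>" and opens it O_EXCL, so the
# name can neither be guessed nor pre-created by another local user.
def secure_edit_tempfile(prefix = 'x2puppet')
  Tempfile.new([prefix, '.pp'])
end

# --- CVE-2011-3848 class: user-supplied name used as a path component -------
# Accept only a plain certificate name and confirm the expanded path stays
# inside the base directory; "../../../foo" fails both checks.
CERT_NAME = /\A[a-z0-9][a-z0-9._-]*\z/i

def ssl_path_within?(base, name)
  return false unless CERT_NAME.match?(name)
  base_real = File.expand_path(base)
  File.expand_path(name, base_real).start_with?(base_real + File::SEPARATOR)
end

# --- CVE-2011-3869 / CVE-2011-3870 class: writing a user-owned file as root --
# Open without following symlinks, refuse hard-linked targets, set owner and
# mode on the open descriptor, and only then truncate and write. Ownership is
# applied to the inode already opened, so swapping the name for a link after
# open() no longer redirects the chown/chmod, and nothing is truncated before
# the checks pass.
NOFOLLOW = File.const_defined?(:NOFOLLOW) ? File::NOFOLLOW : 0

def write_managed_file(path, content, uid: nil, gid: nil, mode: 0600)
  raise ArgumentError, "#{path} is a symlink" if File.symlink?(path)
  File.open(path, File::WRONLY | File::CREAT | NOFOLLOW, mode) do |f|
    st = f.stat
    raise ArgumentError, "#{path} is not a regular file" unless st.file?
    raise ArgumentError, "#{path} has #{st.nlink} links" if st.nlink > 1
    f.chown(uid, gid) if uid || gid   # fchown on the descriptor, not the name
    f.chmod(mode)                     # fchmod likewise
    f.truncate(0)                     # deliberately not File::TRUNC at open
    f.write(content)
  end
  true
end

if $PROGRAM_NAME == __FILE__
  puts secure_edit_tempfile.path
  puts ssl_path_within?('/var/lib/puppet/ssl', '../../../foo')
end
```

Run as root, write_managed_file would be called with the managed user's uid and gid; the unprivileged demo leaves them nil so only the mode is applied.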
i586:

  # puppet resource --edit Package

No file in /tmp. Found ~/x2puppet20111007-20047-1k5ch0p-0

:quit gave - warning: Could not retrieve fact fqdn

I'm assuming that's 'fully qualified domain name' so would be expected.

Following the Simplest pattern instructions in comment 6:

  service puppetmaster start
  service puppet start

in syslog:

  puppet-agent[3821]: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

I added puppet as an alias for localhost in /etc/hosts as the client and server are running on the same machine. (Google!)

  puppet-agent[5370]: Could not retrieve catalog from remote server: hostname was not match with the server certificate
  puppet-agent[5370]: Using cached catalog
  puppet-agent[5370]: Could not retrieve catalog; skipping run

I found on google also:

  puppet agent --server localhost --waitforcert 60 --test

which gave:

  puppet-agent[8095]: Caching catalog for localhost
  puppet-agent[8095]: Applying configuration version '1317994177'
  puppet-agent[8095]: Creating state file /var/lib/puppet/state/state.yaml
  puppet-agent[8095]: Finished catalog run in 0.03 seconds

I've no idea where to begin with the k5login as I'm a complete novice to puppet, but willing to perform tests if you leave 'idiot proof' instructions. Thanks
(In reply to comment #2)
> Advisory text :
> This advisory updates wireshark to the latest version of puppet

Seems like a C&P mistake ;)
CC: (none) => doktor5000
Without learning puppet more comprehensively, which I just don't have time to do, the best I can do is to check the patches have been applied. Tested equally OK on x86_64 so I'm going to validate.

Advisory text :
-----------------------
This advisory updates Puppet to the latest version of the 2.6.X branch (2.6.11), fixing several security issues :

- CVE-2011-3871 : A flaw was found in the way puppet resource in --edit mode handled temporary files. It would use an extremely predictable file name which persisted and could be known well prior to creation. This could result in both editing an arbitrary target file, and tricking puppet into running that arbitrary file as the invoking user. This feature is typically used as the root user, as you cannot do much as a less privileged user.

- CVE-2011-3869 : A flaw was found in the way puppet handled the k5login type. The k5login type is typically used to manage a file in the home directory of a user. It would write to the target file, as root, without doing anything to secure the file. This would allow the owner of the home directory to symlink to anything on the system, and have the contents replaced, as root.

- CVE-2011-3870 : A race condition was found in the way puppet handled ssh_authorized_keys. If a user's authorized_keys file was managed, they could use this flaw to overwrite arbitrary files as root when the target directory and file did not exist. Puppet would create the directory, ensure that it was user-writable, then write the file as the user before changing the file ownership. In the time between the write and the chown/chmod operation, a user could replace the file with a symbolic link and have the operation apply to any file on the disk, as root.

- CVE-2011-3848 : A directory traversal flaw was found in the way the SSLFile and YAML Puppet indirector base classes performed management of certain user-supplied x509 certificate signing requests. An authenticated attacker could use this flaw to overwrite arbitrary system files, accessible with the privileges of the Puppet Master application.

Some minor bugfixes have also been added as part of the upgrade to 2.6.11.
----------------------------------
Source RPM: puppet-2.6.11-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED