Bugzilla – Bug 835122
VUL-0: CVE-2013-4761: puppet: `resource_type` remote code execution vulnerability
Last modified: 2014-10-06 13:50:41 UTC
Quote from [1]: "By using the `resource_type` service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node’s file system. While this behavior is not enabled by default, `auth.conf` settings could be modified to allow it. The exploit requires local file system access to the Puppet Master."

[1] http://puppetlabs.com/security/cve/cve-2013-4761/
bugbot adjusting priority
The SWAMPID for this issue is 54110. This issue was rated as moderate. Please submit fixed packages until 2013-09-02. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
was there any reply?
request 30697 submitted. Unit tests might be broken though.
The SWAMPID for this issue is 55944. This issue was rated as important. Please submit fixed packages until 2014-01-27. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
So have we seen opensuse updates for this already? If so or if not needed, we can close this.
Update released for: puppet, puppet-server Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: puppet, puppet-server Products: SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: puppet, puppet-server Products: SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0155-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 835122,853982
CVE References: CVE-2013-4761
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): puppet-2.6.18-0.12.1
SUSE Linux Enterprise Server 11 SP3 (src): puppet-2.6.18-0.12.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src): puppet-2.6.18-0.12.1
SUSE Linux Enterprise Server 11 SP2 (src): puppet-2.6.18-0.12.1
SUSE Linux Enterprise Desktop 11 SP3 (src): puppet-2.6.18-0.12.1
SUSE Linux Enterprise Desktop 11 SP2 (src): puppet-2.6.18-0.12.1
(In reply to comment #26)
> SUSE-SU-2014:0155-1: An update that solves one vulnerability and has one errata
> is now available.
>
> Category: security (important)
> Bug References: 835122,853982
> CVE References: CVE-2013-4761
> Sources used:
> SUSE Linux Enterprise Server 11 SP3 for VMware (src): puppet-2.6.18-0.12.1
> SUSE Linux Enterprise Server 11 SP3 (src): puppet-2.6.18-0.12.1
> SUSE Linux Enterprise Server 11 SP2 for VMware (src): puppet-2.6.18-0.12.1
> SUSE Linux Enterprise Server 11 SP2 (src): puppet-2.6.18-0.12.1
> SUSE Linux Enterprise Desktop 11 SP3 (src): puppet-2.6.18-0.12.1
> SUSE Linux Enterprise Desktop 11 SP2 (src): puppet-2.6.18-0.12.1

This updated package completely breaks puppet. The application of bug-835122_ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch does not leave /usr/lib64/ruby/vendor_ruby/1.8/puppet/parser/type_loader.rb in a usable state as the signature for the "import" method is changed and the call to it from the "load_until" method is not fixed. This results in obscure error "wrong number of arguments (1 for 2)" when trying to load *anything* from the module path.
(In reply to comment #27)
> This updated package completely breaks puppet. The application of
> bug-835122_ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch does not leave
> /usr/lib64/ruby/vendor_ruby/1.8/puppet/parser/type_loader.rb in a usable state
> as the signature for the "import" method is changed and the call to it from the
> "load_until" method is not fixed. This results in obscure error "wrong number
> of arguments (1 for 2)" when trying to load *anything* from the module path.

Very sorry for the inconvenience, Dardo Kleiner.

I will do the regression test once again right now.

When I did the regression test at the end of last month, it worked well.
It seems that you launched puppet on x86_64, right?
Did you try it on i386 platform?
(In reply to comment #29)
> (In reply to comment #27)
> > This updated package completely breaks puppet. The application of
> > bug-835122_ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch does not leave
> > /usr/lib64/ruby/vendor_ruby/1.8/puppet/parser/type_loader.rb in a usable state
> > as the signature for the "import" method is changed and the call to it from the
> > "load_until" method is not fixed. This results in obscure error "wrong number
> > of arguments (1 for 2)" when trying to load *anything* from the module path.
>
> Very sorry for the inconvenience, Dardo Kleiner.
>
> I will do the regression test once again right now.
>
> When I did the regression test at the end of last month, it worked well.
> It seems that you launched puppet on x86_64, right?
> Did you try it on i386 platform?

I am using x86_64 - I do not have an i386 platform to test. Unless it was packaged differently, I would expect the problem to be the same as it's a Ruby syntax error in type_loader.rb.

Here's a simple test - this is stock SLES11SP3 w/ all latest updates:

    # rpm -q puppet
    puppet-2.6.18-0.12.1
    # mkdir -p modules/test/manifests
    # echo "class test { }" > modules/test/manifests/init.pp
    # puppet apply --modulepath=./modules <(echo 'include ::test')
    wrong number of arguments (1 for 2) at ...

    # zypper -n in --oldpackage -y puppet-2.6.18-0.8.1
    # puppet apply --modulepath=./modules <(echo 'include ::test')
    notice: Finished catalog run in 0.01 seconds

Thanks for your attention!
Fixing this regression is of course already high priority for us, but we would like to handle it through L3 (so we can even provide you an earlier build of the fixed package as a PTF). Dardo, do you have a contact in NTS? If yes, could you ask the engineer to open a new bug report and escalate it to L3? Thanks!
> I am using x86_64 - I do not have an i386 platform to test. Unless it was
> packaged differently, I would expect the problem to be the same as it's a Ruby
> syntax error in type_loader.rb.
>
> Here's a simple test - this is stock SLES11SP3 w/ all latest updates:
>
> # rpm -q puppet
> puppet-2.6.18-0.12.1
> # mkdir -p modules/test/manifests
> # echo "class test { }" > modules/test/manifests/init.pp
> # puppet apply --modulepath=./modules <(echo 'include ::test')
> wrong number of arguments (1 for 2) at ...
>
> # zypper -n in --oldpackage -y puppet-2.6.18-0.8.1
> # puppet apply --modulepath=./modules <(echo 'include ::test')
> notice: Finished catalog run in 0.01 seconds
>
> Thanks for your attention!

I was able to reproduce it. From this point of view, it's a regression indeed. I redid the regression/functional tests listed in my testreport today, but couldn't find the regression you provided. I think we must improve the regression testcases to cover more aspects of puppet. Anyway, I will add your testcase in regression test from now on.
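The reproduction from the comments above, wrapped as a repeatable post-update check (an added example, not part of the original thread or of SUSE's test suite). The function names and the `PUPPET_BIN` override are assumptions, and a manifest file replaces the `<(echo ...)` process substitution so the check runs under plain sh.

```shell
#!/bin/sh
# Smoke test for the module autoloader after a puppet package update.
# PUPPET_BIN is an assumed override so the binary under test can be swapped.
PUPPET_BIN="${PUPPET_BIN:-puppet}"

# Classify the captured output of `puppet apply`.
# Prints one of: regression | ok | unknown
classify_output() {
    case "$1" in
        # Arity error reported in the thread (import/load_until mismatch).
        *"wrong number of arguments"*) echo regression ;;
        # Success line shown in the thread for the older package.
        *"Finished catalog run"*)      echo ok ;;
        *)                             echo unknown ;;
    esac
}

# Build a throwaway module tree holding one empty class, include it
# through the module path, and classify what puppet prints.
autoload_smoke_test() {
    workdir=$(mktemp -d) || return 2
    mkdir -p "$workdir/modules/test/manifests"
    echo 'class test { }' > "$workdir/modules/test/manifests/init.pp"
    echo 'include ::test' > "$workdir/site.pp"
    # A broken loader makes puppet exit non-zero; keep going so the
    # output can still be classified.
    output=$("$PUPPET_BIN" apply --modulepath="$workdir/modules" \
        "$workdir/site.pp" 2>&1) || true
    rm -rf "$workdir"
    classify_output "$output"
}

# Run as `sh smoke.sh --run` right after installing the update.
if [ "${1:-}" = "--run" ]; then
    result=$(autoload_smoke_test)
    echo "autoload smoke test: $result"
    [ "$result" = ok ] || exit 1
fi
```

Treat `unknown` as a failure as well: it means puppet neither finished a catalog run nor produced the known arity error.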
What are we up to here? There's also a new puppet security update coming. Something to integrate from here?
AFAIR, we've reverted the patch in the last update to fix the regression. I don't know if there's someone working on the back port.
Is this fixed with our 2.7 version update?
We have the 2.7.26 version and the bug was resolved in 2.7.23 version. So it should be fixed.