Announce: Puppet 2.7.11 Available [security/maintenance update]


Matthaus Litteken

Feb 23, 2012, 12:44:21 AM
to puppet...@googlegroups.com, puppe...@googlegroups.com, puppet-...@googlegroups.com
Puppet 2.7.11 is a maintenance and security release in the 2.7.x branch.

The security changes in 2.7.11 address CVEs 2012-1053 and 2012-1054.
The maintenance changes are to address regressions in 2.7.10.

All users of Puppet 2.7.x are encouraged to upgrade when possible to
Puppet 2.7.11.

Other information available at: http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-1053 and
http://puppetlabs.com/security/cve/cve-2012-1054

Detailed feature release notes are available:

https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.11


This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.7.11.tar.gz

RPMs are available at http://yum.puppetlabs.com/el or /fedora

Debs are available on http://apt.puppetlabs.com (lenny requires
backports enabled)

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.11
http://projects.puppetlabs.com/projects/puppet/

# Summary #

(#12457, #12459) Execs, when run with a user specified but no group
specified, will get the root group, so the exec then gets unintended
privileges. This is a permanent change for the forked process. Exploit
requires access to either the command the exec will run or to the
manifests calling execs.

(#12458) Similarly, unexpected privileges are given to providers and
types (egid remains as root).

(#12460) Klogin type will write to untrusted locations (write through symlinks)


# Details #

CVE-2012-1053 GID Issues (#12457, #12458, #12459) [ Medium ]

#12457 - Real gid always present in supplementary groups

Overview
========
In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary
groups in the "initgroups" method. At
lib/puppet/util/suidmanager.rb:148, it reads:

Process.initgroups(Etc.getpwuid(user).name, Process.gid)

Since the real gid is probably root, this always adds the gid "0" to
the list of supplementary groups for the process as per this strace for
a change to my user account (with 7 supplementary groups):

setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

This method is called by SUIDManager's change_user method, which is
called in critical places such as lib/puppet/util.rb:308 in
execute_posix (as used by lots of things including Exec resources).


#12458 - Only euid changed, not egid

Overview
========
The second problem occurs when only a target user is given to the
SUIDManager asuser method as opposed to a target user and group, as is
the case in the following places:
lib/puppet/provider/ssh_authorized_key/parsed.rb:59
lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at
lib/puppet/util/suidmanager.rb:78 doesn't change the egid, only the
euid, so the egid remains as root.


#12459 - Permanent uid change doesn't drop supplementary groups

Overview
========
When execute_posix or similar forks and calls SUIDManager's change_user
method, it sets permanent=true to change the real uid instead of the
euid (lib/puppet/util.rb:307).

In change_user, a different code path is taken when a permanent change
is made, and so the supplementary groups aren't dropped
(lib/puppet/util/suidmanager.rb:121), even if the primary group is set.


CVE-2012-1054 Klogin write through symlink [ High ]

#12460 - Klogin File Handling Issue (Write through symlink)

High risk for users of this type. Users can symlink to arbitrary files, causing
them to be overwritten, such as other klogin files.

2.7.11 Changelog
===
c814c6b (#12572) Fix failing last run summary test on windows
87bcf3f (#12188) Handle Win32 as well as Unix in pidfile tests.
01b57e9 (#12188) Better handling of PID file cleanup warnings.
a8b6088 (#12572) Add acceptance test to make sure no last_run_summary
diff is printed
40480ed (#12572) Revert fix for #7106 and implement a more minimal fix
0486462 (#12412) Mark symbolic file modes test as pending on Windows
115ba71 Symbolic file mode test fixes when no mode change happens.
dde3945 Disable specs that use replace_file on Windows
4272d1f Disable replace_file on Windows
4bcbad4 Remove unnecessary fallbacks in change_{user,group}
ff372fb Document uid/gid-related methods in Puppet::Util
5f8f3ba Copy owner/group in replace_file
f0c9995 (#12463) eliminate `secure_open` in favour of `replace_file`
0c96703 (#12460) use `replace_file` for the .k5login file
7900a66 (#12462) user_role_add: use `replace_file` for /etc/shadow
f9f9961 (#12463) add secure `replace_file` to Puppet::Util
db0f872 (#12459) drop supplementary groups when permanently dropping UID
7f26d28 (#12458) default to users primary group, not root, in `asuser`
a96babf (#12457) add users primary group, not Process.gid, in initgroups
2f21546 Restore compatible `insync?` behaviour for matching arrays.
6ffe25b Fix bugs around the finer-grained insync? protocol.
133b739 Add unit tests for the `insync?` method of a property.
908bfbd Property Spec cleanup: eliminate stubbing of resource and provider.
0d95eb7 Property Spec cleanup: last let method extraction.
5394413 Property Spec cleanup: extract more let methods.
f919e17 Property Spec cleanup: remove unused instance variable.
7bb261b Property Spec cleanup: remove some pointless extra stubs.
e81f02c Property Spec cleanup: extract property instance to a let method.
4fc4dd4 Property Spec cleanup: extract mock resource to let method.
9083fc6 Property Spec cleanup: extract mock provider to let method.
25d7c99 Property Spec cleanup: extract new subclass to let method.
3638651 (#2927) Acceptance test for symbolic file modes.
daa247e (#12296) Acceptance test for cycle detection in graphs.
1f0f40e Use natural ordering of Puppet::Provider.
3c1604a Make `Puppet::Provider` ordered.
50dc35d (#12296) Now that `Puppet::Type` is ordered, use that.
9962ac0 (#12296) Make `Puppet::Type` ordered.
b28d4ce (#12296) Test cycle detection on real Puppet::Type instances.
103a554 (#12310) Remove process_name instrumentation listener
f11ee44 (#12464) Avoid unnecessarily reloading facts when
node_name_fact is not set
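The three GID defects under CVE-2012-1053 above all come from the same routine computing the wrong credential set before dropping privileges. As an added example (not Puppet's own SUIDManager code), the Ruby below builds the credential changes for a target user in the order a safe drop needs: supplementary groups seeded from the target user's primary gid (#12457), an egid that defaults to the user's primary group when no group is given (#12458), and the supplementary groups replaced on the permanent path as well (#12459). The PASSWD and GROUPS tables, plan_privilege_drop, retains_root_group? and apply_plan are all assumptions of this example; the tables are constructed so it runs offline and unprivileged, where a real host would consult Etc.getpwnam and Etc.getgrent.

```ruby
# Added example (not Puppet's own code): a credential-drop routine that avoids the
# three defects the advisory lists for Puppet::Util::SUIDManager:
#   #12457  initgroups seeded with the caller's Process.gid (0 under root), so
#           gid 0 stayed in the supplementary groups of the child
#   #12458  asuser changed only the euid when no group was given; egid stayed 0
#   #12459  the permanent (real-uid) path skipped the supplementary-group drop
# The PASSWD/GROUPS tables are constructed so the example runs offline and
# unprivileged; on a real host they would come from Etc.getpwnam / Etc.getgrent.

PASSWD = {                           # user => ids (constructed)
  'alice'  => { uid: 1001, gid: 1001 },
  'backup' => { uid: 34,   gid: 34   },
}.freeze

GROUPS = {                           # group => [gid, member list] (constructed)
  'root'   => [0,    []],
  'wheel'  => [10,   ['alice']],
  'alice'  => [1001, []],
  'backup' => [34,   ['backup']],
  'audit'  => [474,  ['alice', 'backup']],
}.freeze

def lookup_user(name)
  PASSWD.fetch(name) { raise ArgumentError, "unknown user #{name}" }
end

def lookup_gid(name)
  GROUPS.fetch(name) { raise ArgumentError, "unknown group #{name}" }.first
end

# #12457: initgroups(3) over the constructed database, seeded with the target
# user's own primary gid rather than the caller's real gid.
def supplementary_groups(user)
  primary = lookup_user(user)[:gid]
  member_of = GROUPS.values.select { |_, members| members.include?(user) }.map(&:first)
  ([primary] + member_of).uniq.sort
end

# Ordered list of credential changes for running as `user`.
#   group:     optional group name; defaults to the user's primary group (#12458),
#              never to whatever egid the caller happens to have
#   permanent: true  => change the real ids (the fork+exec path)
#              false => change the effective ids only (the asuser path)
# Supplementary groups are replaced on both paths (#12459). Order matters:
# groups, then gid, then uid, because after the uid drop the earlier calls
# would no longer be permitted.
def plan_privilege_drop(user, group: nil, permanent: false)
  uid = lookup_user(user)[:uid]
  gid = group ? lookup_gid(group) : lookup_user(user)[:gid]
  gid_op, uid_op = permanent ? [:change_gid, :change_uid] : [:grant_gid, :grant_uid]
  [[:set_groups, supplementary_groups(user)], [gid_op, gid], [uid_op, uid]]
end

# True if any group-related step of the plan would still carry gid 0.
def retains_root_group?(plan)
  plan.any? { |op, arg| %i[set_groups change_gid grant_gid].include?(op) && Array(arg).include?(0) }
end

# Execute a plan with the real Process API. Only root can do this, and a plan
# that keeps gid 0 is refused by policy (that is exactly the advisory's bug).
def apply_plan(plan)
  raise 'refusing to change credentials: not running as root' unless Process.euid.zero?
  raise 'plan would keep gid 0' if retains_root_group?(plan)
  plan.each do |op, arg|
    case op
    when :set_groups then Process.groups = arg
    when :change_gid then Process::GID.change_privilege(arg)
    when :grant_gid  then Process::GID.grant_privilege(arg)
    when :change_uid then Process::UID.change_privilege(arg)
    when :grant_uid  then Process::UID.grant_privilege(arg)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p plan_privilege_drop('alice')                                   # asuser-style
  p plan_privilege_drop('backup', group: 'audit', permanent: true) # exec-style
end
```

The plan is kept as data so it can be inspected (or logged) before anything irreversible happens; apply_plan only runs the real Process calls, and refuses a plan that would leave gid 0 in place, which is the condition the advisory's strace line (gid 0 among the supplementary groups) shows.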

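The klogin issue (CVE-2012-1054) is a write-through-symlink problem, and the changelog shows Puppet's fix was to route such writes through a `replace_file` helper. The following is an added example, not Puppet's `replace_file`, of the pattern that makes such a write safe: never open the destination path for writing, create a fresh temp file in the same directory with O_EXCL, fsync it, and rename it over the destination. replace_file_safely and demo_safe_replace are names chosen for this example, and the principal strings in the demo are constructed.

```ruby
require 'tmpdir'

# Added example (not Puppet's replace_file): writing a per-user file such as
# .k5login without ever opening the destination path for writing. Opening the
# path directly is what lets a symlink placed there (CVE-2012-1054) redirect the
# write to an arbitrary file. Instead: refuse an existing symlink, create a fresh
# temp file in the same directory with O_EXCL, fsync it, and rename(2) it over the
# destination. rename never follows symlinks, so the original target stays
# untouched even if the up-front check is raced.
def replace_file_safely(path, content, mode: 0o600)
  if File.symlink?(path)
    raise ArgumentError, "#{path} is a symlink; refusing to write through it"
  end
  tmp = File.join(File.dirname(path), ".#{File.basename(path)}.#{Process.pid}.tmp")
  begin
    # O_EXCL fails if anything (including a planted symlink) already has this name
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
      f.write(content)
      f.fsync
    end
    File.rename(tmp, path)   # atomic replacement of the directory entry
  rescue
    File.unlink(tmp) if File.symlink?(tmp) || File.exist?(tmp)
    raise
  end
  path
end

# Self-check run inside a scratch directory: true when the write lands in the
# real file with the requested mode, and a symlinked destination is refused with
# its target left intact.
def demo_safe_replace(dir)
  real   = File.join(dir, 'k5login')
  victim = File.join(dir, 'victim')
  link   = File.join(dir, 'linked-k5login')
  replace_file_safely(real, "alice@EXAMPLE.COM\n")   # constructed principal
  File.write(victim, "do not touch\n")
  File.symlink(victim, link)
  refused = begin
    replace_file_safely(link, "other@EXAMPLE.COM\n")  # constructed principal
    false
  rescue ArgumentError
    true
  end
  File.read(real) == "alice@EXAMPLE.COM\n" &&
    (File.stat(real).mode & 0o777) == 0o600 &&
    refused &&
    File.read(victim) == "do not touch\n"
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir { |d| puts(demo_safe_replace(d) ? 'safe replace OK' : 'FAILED') }
end
```

The temp file lives in the destination's own directory so that the final rename is a same-filesystem atomic operation; a temp file in /tmp would force a copy and reopen the write-through window. The symlink check up front only improves the error message, and the security property comes from O_EXCL on the temp name plus rename replacing the directory entry rather than following it.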
hai wu

Feb 24, 2012, 1:44:26 AM
to puppet...@googlegroups.com
It says bug 12572 is fixed in 2.7.11, but this is not the case.

It seems the released RPM packages for RHEL6 (both binary and source RPM) do not contain the real fix here at https://github.com/puppetlabs/puppet/commit/411828be395a68d70fec634fa8d8ff12572e8501. I still see the old code...


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


Stefan Heijmans

Feb 24, 2012, 11:26:18 AM
to puppet...@googlegroups.com
Same for RHEL5 (binary rpm); I see that the rpm on yum.puppetlabs.com is from 22-Feb-2012 and http://projects.puppetlabs.com/issues/12572 was closed 17 hours ago, that's later than the released rpm.

# rpm -q puppet puppet-server
puppet-2.7.11-1.el5
puppet-server-2.7.11-1.el5
#
# vim /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb
  def save_last_run_summary(report)
    last_run = Puppet.settings.setting(:lastrunfile)
    last_run.create = true # force file creation

    resource = last_run.to_resource
    resource[:content] = YAML.dump(report.raw_summary)

    catalog = Puppet::Resource::Catalog.new("last_run_file")
    catalog.add_resource(resource)
    ral = catalog.to_ral
    ral.host_config = false
    ral.apply
  rescue => detail
    puts detail.backtrace if Puppet[:trace]
    Puppet.err "Could not save last run local report: #{detail}"
  end

Matthaus Litteken

Feb 24, 2012, 2:30:32 PM
to puppet...@googlegroups.com, puppe...@googlegroups.com
You're totally right. It looks like the rpms for puppet-2.7.11-1 were
built from a stale tag on our end. I've built a new rpm for 2.7.11
called puppet-2.7.11-2. It includes the fixes for #12572.

The debs, gems, dmg and tarball were all fine, only the rpms were affected.

Thanks for letting us know.

-matthaus


Stefan Heijmans

Feb 26, 2012, 8:47:49 AM
to puppet...@googlegroups.com, puppe...@googlegroups.com
Matthaus, thanks for the new rpms.

Small question: what is the difference between these versions:
.noarch.rpm
.el5.noarch.rpm

As the .noarch.rpm are not updated, they are still on 2.7.11-1.noarch.rpm.
