Hello community,
here is the log from the commit of package puppet for openSUSE:11.3
checked in at Tue Nov 1 15:30:28 CET 2011.
--------
--- old-versions/11.3/UPDATES/all/puppet/puppet.changes 2011-10-05 16:43:00.000000000 +0200
+++ 11.3/puppet/puppet.changes 2011-11-01 11:54:32.000000000 +0100
@@ -1,0 +2,12 @@
+Tue Nov 1 10:04:55 UTC 2011 - vcizek@suse.com
+
+- fix for CVE-2011-3872 (bnc#726372)
+
+-------------------------------------------------------------------
+Mon Oct 31 10:00:39 UTC 2011 - vcizek@suse.com
+
+- fixes for several security bugs:
+ CVE-2011-3869, CVE-2011-3870, CVE-2011-3871
+ (bnc#727024, bnc#727025)
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
0.25-9792-Predictable-temporary-filename-in-ralsh.patch
0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch
puppet-0.25.4-CVE-2011-3870.patch
puppet-0.25.4-CVE-2011-3872.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ puppet.spec ++++++
--- /var/tmp/diff_new_pack.zIVBmJ/_old 2011-11-01 15:28:13.000000000 +0100
+++ /var/tmp/diff_new_pack.zIVBmJ/_new 2011-11-01 15:28:13.000000000 +0100
@@ -21,7 +21,7 @@
Name: puppet
Version: 0.25.4
-Release: 4.<RELEASE2>
+Release: 4.<RELEASE5>
License: GPLv2+
Group: Productivity/Networking/System
Url: http://reductivelabs.com/projects/puppet/
@@ -32,7 +32,17 @@
Patch: %{name}-%{version}-yumconf.diff
Patch1: %{name}-%{version}-init.diff
Patch2: %{name}-%{version}-zypper.diff
+# PATCH-FIX-UPSTREAM bnc#721139 CVE-2011-3848
Patch3: puppet-0.25.4-CVE-2011-3848.patch
+# PATCH-FIX-UPSTREAM bnc#727025 CVE-2011-3870
+Patch4: puppet-0.25.4-CVE-2011-3870.patch
+# PATCH-FIX-UPSTREAM CVE-2011-3871
+Patch5: 0.25-9792-Predictable-temporary-filename-in-ralsh.patch
+# PATCH-FIX-UPSTREAM bnc#727024 CVE-2011-3869
+Patch7: 0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch
+# PATCH-FIX-UPSTREAM bnc#726372 CVE-2011-3872
+Patch8: puppet-0.25.4-CVE-2011-3872.patch
+
Requires: ruby >= 1.8.1
Requires: facter >= 1.1.4
PreReq: pwdutils %insserv_prereq %fillup_prereq
@@ -71,6 +81,10 @@
%patch1
%patch2
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch7 -p1
+%patch8 -p1
sed -i 's#/usr/local/bin/ruby#/usr/bin/ruby#' lib/puppet/external/nagios.rb
%build
++++++ 0.25-9792-Predictable-temporary-filename-in-ralsh.patch ++++++
From 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f Mon Sep 17 00:00:00 2001
From: Daniel Pittman
Date: Wed, 28 Sep 2011 23:23:55 -0700
Subject: [PATCH] (#9792) Predictable temporary filename in ralsh.
When ralsh is used in edit mode the temporary filename is in a shared
directory, and is absolutely predictable. Worse, it won't be touched until
well after the startup of the command.
It can be tricked into writing through a symlink to edit any file on the
system, or to create through it, but worse - the file is reopened with the
same name later, so it can have the target replaced between edit and
operate...
The only possible mitigation comes from the system editor and the behaviour it
has around editing through symbolic links, which is very weak.
This improves this to prefer the current working directory for the temporary
file, and to be somewhat less predictable and more safe in conjuring it into
being.
Signed-off-by: Daniel Pittman
---
lib/puppet/application/ralsh.rb | 27 +++++++++++++++++----------
1 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/lib/puppet/application/ralsh.rb b/lib/puppet/application/ralsh.rb
index b9f7a58..593d3c1 100644
--- a/lib/puppet/application/ralsh.rb
+++ b/lib/puppet/application/ralsh.rb
@@ -119,18 +119,25 @@ Puppet::Application.new(:ralsh) do
end.compact.join("\n")
if options[:edit]
- file = "/tmp/x2puppet-#{Process.pid}.pp"
+ require 'tempfile'
+ # Prefer the current directory, which is more likely to be secure
+ # and, in the case of interactive use, accessible to the user.
+ tmpfile = Tempfile.new('x2puppet', Dir.pwd)
begin
- File.open(file, "w") do |f|
- f.puts text
- end
- ENV["EDITOR"] ||= "vi"
- system(ENV["EDITOR"], file)
- system("puppet -v " + file)
+ # sync write, so nothing buffers before we invoke the editor.
+ tmpfile.sync = true
+ tmpfile.puts text
+
+ # edit the content
+ system(ENV["EDITOR"] || 'vi', tmpfile.path)
+
+ # ...and, now, pass that file to puppet to apply. Because
+ # many editors rename or replace the original file we need to
+ # feed the pathname, not the file content itself, to puppet.
+ system('puppet -v ' + tmpfile.path)
ensure
- #if FileTest.exists? file
- # File.unlink(file)
- #end
+ # The temporary file will be safely removed.
+ tmpfile.close(true)
end
else
puts text
--
1.7.6.4
++++++ 0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch ++++++
From a4333c110ad084f205605708eaab52ad243d6c86 Mon Sep 17 00:00:00 2001
From: Daniel Pittman
Date: Thu, 29 Sep 2011 00:26:13 -0700
Subject: [PATCH] (#9794) k5login can overwrite arbitrary files as root
The k5login type is typically used to manage a file in the home directory of a
user; the explicit purpose of the files is to allow access to other users.
It writes to the target file directly, as root, without doing anything to
secure the file. That would allow the owner of the home directory to symlink
to anything on the system, and have it replaced with the correct content of
the file. Which is a fairly obvious escalation to root the next time Puppet
runs.
Now, instead, fix that to securely write the target file in a predictable and
secure fashion, using the `secure_open` helper.
Signed-off-by: Daniel Pittman
---
lib/puppet/type/k5login.rb | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/lib/puppet/type/k5login.rb b/lib/puppet/type/k5login.rb
index 5526fda..b13b34d 100644
--- a/lib/puppet/type/k5login.rb
+++ b/lib/puppet/type/k5login.rb
@@ -81,7 +81,9 @@ Puppet::Type.newtype(:k5login) do
private
def write(value)
- File.open(@resource[:name], "w") { |f| f.puts value.join("\n") }
+ Puppet::Util.secure_open(@resource[:name], "w") do |f|
+ f.puts value.join("\n")
+ end
end
end
end
--
1.7.6.4
++++++ puppet-0.25.4-CVE-2011-3870.patch ++++++
--- puppet-0.25.4.orig/lib/puppet/provider/ssh_authorized_key/parsed.rb
+++ puppet-0.25.4/lib/puppet/provider/ssh_authorized_key/parsed.rb
@@ -62,36 +62,24 @@
end
def flush
- # As path expansion had to be moved in the provider, we cannot generate new file
- # resources and thus have to chown and chmod here. It smells hackish.
-
- # Create target's parent directory if nonexistant
- if target
- dir = File.dirname(target)
- if not File.exist? dir
- Puppet.debug("Creating directory %s which did not exist" % dir)
- Dir.mkdir(dir, dir_perm)
- end
+ raise Puppet::Error, "Cannot write SSH authorized keys without user" unless user
+ raise Puppet::Error, "User '#{user}' does not exist" unless uid = Puppet::Util.uid(user)
+ # ParsedFile usually calls backup_target much later in the flush process,
+ # but our SUID makes that fail to open filebucket files for writing.
+ # Fortunately, there's already logic to make sure it only ever happens once,
+ # so calling it here supresses the later attempt by our superclass's flush method.
+ self.class.backup_target(target)
+
+ Puppet::Util::SUIDManager.asuser(@resource.should(:user)) do
+ unless File.exist?(dir = File.dirname(target))
+ Puppet.debug "Creating #{dir}"
+ Dir.mkdir(dir, dir_perm)
end
- # Generate the file
super
- # Ensure correct permissions
- if target and user
- uid = Puppet::Util.uid(user)
-
- if uid
- File.chown(uid, nil, dir)
- File.chown(uid, nil, target)
- else
- raise Puppet::Error, "Specified user does not exist"
- end
- end
-
- if target
- File.chmod(file_perm, target)
- end
+ File.chmod(file_perm, target)
+ end
end
# parse sshv2 option strings, wich is a comma separated list of
++++++ puppet-0.25.4-CVE-2011-3872.patch ++++++
--- puppet-0.25.4.orig/lib/puppet/defaults.rb
+++ puppet-0.25.4/lib/puppet/defaults.rb
@@ -222,9 +222,21 @@
to the fully qualified domain name.",
:call_on_define => true, # Call our hook with the default value, so we're always downcased
:hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }},
- :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
- If it's anything other than an empty string, it will be used as an alias in the created
- certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
+ :certdnsnames => {:default => '',
+ :desc => "The DNS names on the Server certificate as a
+ colon-separated list. If it's anything other than an empty string,
+ it will be used as an alias in the created certificate. By
+ default, only the server gets an alias set up, and only for
+ 'puppet'.",
+ :hook => proc { |value|
+ msg = <http://puppetlabs.com/security/cve/3872 for
+more information"
+WARN
+ puts msg if value and value != ''
+ }
+ },
:certdir => {
:default => "$ssldir/certs",
:owner => "service",
--- puppet-0.25.4.orig/lib/puppet/sslcertificates.rb
+++ puppet-0.25.4/lib/puppet/sslcertificates.rb
@@ -57,16 +57,7 @@
key_usage = %w{cRLSign keyCertSign}
when :server
basic_constraint = "CA:FALSE"
- dnsnames = Puppet[:certdnsnames]
name = hash[:name].to_s.sub(%r{/CN=},'')
- if dnsnames != ""
- dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
- subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
- elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
- subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
- subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
- subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
- end
key_usage = %w{digitalSignature keyEncipherment}
ext_key_usage = %w{serverAuth clientAuth emailProtection}
when :ocsp
continue with "q"...
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org