[Bug 825878] New: Puppet CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c0 Summary: Puppet CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) Classification: openSUSE Product: openSUSE 12.3 Version: Final Platform: Other OS/Version: openSUSE 12.3 Status: NEW Severity: Critical Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: boris@steki.net QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload. Reproducible: Always Steps to Reproduce: 1. 2. 3. http://puppetlabs.com/security/cve/cve-2013-3567/ -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c1 Alexander Bergmann <abergmann@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |boris@steki.net, | |dlovasko@suse.com, | |nkrinner@suse.com AssignedTo|security-team@suse.de |jatan@suse.com Summary|Puppet CVE-2013-3567 |VUL-0: puppet: |(Unauthenticated Remote |CVE-2013-3567: |Code Execution |Unauthenticated Remote Code |Vulnerability) |Execution Vulnerability Alias| |CVE-2013-3567 --- Comment #1 from Alexander Bergmann <abergmann@suse.com> 2013-06-20 02:38:15 UTC --- Status: Resolved in Puppet 2.7.22, 3.2.2 Resolved in Puppet Enterprise 2.8.2 Credits: Credit to Ben Murphy for the responsible disclosure of this vulnerability. ---- openSUSE:12.2: puppet-2.7.6 openSUSE:12.3: puppet-3.0.2 SLE11-SP2: puppet-2.6.18-0.4.2 SLE11-SP1: puppet-2.6.17-0.3.1 SLE10: Not used in any sle10 version. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c2 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium --- Comment #2 from Swamp Workflow Management <swamp@suse.de> 2013-06-20 16:00:18 UTC --- bugbot adjusting priority -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c3 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:running:53262:critica | |l --- Comment #3 from Swamp Workflow Management <swamp@suse.de> 2013-06-26 06:48:17 UTC --- The SWAMPID for this issue is 53262. This issue was rated as critical. Please submit fixed packages until 2013-06-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c5 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jatan@suse.com |vdziewiecki@suse.com --- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-07-04 09:25:23 UTC --- assign to sle maintainer (james seems to be opensuse maintainer) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c6 --- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-07-10 14:26:16 UTC --- ping? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c Wojtek Dziewięcki <vdziewiecki@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c7 --- Comment #7 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-07-18 11:33:30 UTC --- Sorry for the late response, I was on vacation. I believe that puppet 2.6.18 in SLE is not affected, because Puppetlabs didn't release new 2.6 version and also according to this site: http://www.securityfocus.com/bid/60664 I'll fix it in openSUSE soon. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c8 --- Comment #8 from Marcus Meissner <meissner@suse.com> 2013-07-18 14:27:58 UTC --- I diffed 3.2.1 and 3.2.2 ... the diff parts live also in 2.6.18 although I cannot really find the securityx fix itself (but they add a full safe yaml copy in the diff). :( Do you have a contact there? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c9 --- Comment #9 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-07-18 15:25:43 UTC --- No I don't know anyone in puppet labs. I've been looking for a way to extract a patch myself now. Should I try to find a contact or mailing list on their web page? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c10 --- Comment #10 from Marcus Meissner <meissner@suse.com> 2013-07-19 06:38:49 UTC --- Created an attachment (id=548577) --> (http://bugzilla.novell.com/attachment.cgi?id=548577) puppet-3.2.1-3.2.2.diff I extracted the 3.2.1-3.2.2 puppet diff, most of it just seems to be for this bug, but not knowing ruby ... it is hard to say :/ -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c11 --- Comment #11 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-07-19 12:00:58 UTC --- 3.2.2. release notes say: 3.2.2 is a security fix release of the Puppet 3.2 series. It has no other bug fixes or new features. So I think we can just use the diff you extracted as patch, I'm on it now, thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:53262:critica |maint:running:53262:critica |l |l maint:planned:update -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c14 --- Comment #14 from Matthias Weckbecker <mweckbecker@suse.com> 2013-07-29 11:47:45 CEST --- -24 days SLA. Any news here? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c18 --- Comment #18 from Boris Manojlovic <boris@steki.net> 2013-07-31 22:50:12 UTC --- I have patched 12.3 version of puppet but i urge everyone with better ruby knowledge to test package first I have replaced lib/puppet/transaction/report.rb with latest version (?) because patching it was simply impossible, looking into header it say it is used by internal reporting of client, but i really cannot say if it will work correctly... home:bmanojlovic:branches:OBS_Maintained:puppet -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c19 --- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-08-05 15:00:40 CEST --- This is an autogenerated message for OBS integration: This bug (825878) was mentioned in https://build.opensuse.org/request/show/185935 Maintenance / -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c20 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:53262:critica |maint:running:53262:critica |l maint:planned:update |l | |maint:released:sle11-sp1:53 | |263 --- Comment #20 from Swamp Workflow Management <swamp@suse.de> 2013-08-06 13:05:07 UTC --- Update released for: puppet, puppet-server Products: SLE-SERVER 11-SP1-TERADATA (x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c21 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:53262:critica |maint:running:53262:critica |l |l |maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 | |maint:released:sle11-sp2:53 | |264 --- Comment #21 from Swamp Workflow Management <swamp@suse.de> 2013-08-06 14:49:57 UTC --- Update released for: puppet, puppet-server Products: SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c22 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:53262:critica |maint:running:53262:critica |l |l |maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 |maint:released:sle11-sp2:53 |maint:released:sle11-sp3:53 |264 |265 --- Comment #22 from Swamp Workflow Management <swamp@suse.de> 2013-08-06 14:53:55 UTC --- Update released for: puppet, puppet-server Products: SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c23 --- Comment #23 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-08-09 15:00:10 CEST --- This is an autogenerated message for OBS integration: This bug (825878) was mentioned in https://build.opensuse.org/request/show/186578 Maintenance / -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:53262:critica | |l |maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 |maint:released:sle11-sp3:53 |maint:released:sle11-sp3:53 |265 |265 | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c24 --- Comment #24 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-08-12 16:00:10 CEST --- This is an autogenerated message for OBS integration: This bug (825878) was mentioned in https://build.opensuse.org/request/show/186737 Maintenance / -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 |maint:released:sle11-sp3:53 |maint:released:sle11-sp3:53 |265 |265 |obs:running:1940:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 |maint:released:sle11-sp3:53 |maint:released:sle11-sp3:53 |265 |265 |obs:running:1940:moderate |obs:running:1940:critical -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c25 Wojtek Dziewięcki <vdziewiecki@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|vdziewiecki@suse.com |security-team@suse.de --- Comment #25 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-08-20 10:26:54 UTC --- Fixed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:sle11-sp1:53 |maint:released:sle11-sp1:53 |263 |263 |maint:released:sle11-sp3:53 |maint:released:sle11-sp3:53 |265 |265 |obs:running:1940:critical | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c26 --- Comment #26 from Swamp Workflow Management <swamp@suse.de> 2013-08-22 13:04:19 UTC --- openSUSE-SU-2013:1370-1: An update that fixes one vulnerability is now available. Category: security (critical) Bug References: 825878 CVE References: CVE-2013-3567 Sources used: openSUSE 12.3 (src): puppet-3.0.2-2.9.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825878 https://bugzilla.novell.com/show_bug.cgi?id=825878#c27 Sebastian Krahmer <krahmer@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #27 from Sebastian Krahmer <krahmer@suse.com> 2013-12-23 12:26:02 UTC --- Why's this still open? SWAMP is finished, openSUSE released -> closing. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com