Matthaus Litteken
2012-Feb-23 05:43 UTC
Announce: Puppet 2.6.14 Available [security update]
Puppet 2.6.14 is a security release in the 2.6.x branch which addresses CVEs 2012-1053 and 2012-1054. All users of Puppet 2.6.x are encouraged to upgrade when possible to Puppet 2.6.14.

Other information is available at: http://puppetlabs.com/security or visit http://puppetlabs.com/security/cve/cve-2012-1053 and http://puppetlabs.com/security/cve/cve-2012-1053

Detailed feature release notes are available:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.14

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.14.tar.gz

RPMs are available at http://yum.puppetlabs.com/el or /fedora

DEBs are available at http://apt.puppetlabs.com

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.6.14
http://projects.puppetlabs.com/projects/puppet/

# Summary #

(#12457, #12459) Execs, when run with a user specified but no group specified, will get the root group, so the exec then gets unintended privileges. This is a permanent change for the forked process. Exploit requires access to either the command the exec will run or to the manifests calling execs.

(#12458) Similarly, unexpected privileges are given to providers and types (the egid remains root).

(#12460) The Klogin type will write to untrusted locations (write through symlinks).

# Details #

CVE-2012-1053 GID Issues (#12457, #12458, #12459) [ Medium ]

#12457 - Real gid always present in supplementary groups

Overview
========

In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary groups in the "initgroups" method.
At lib/puppet/util/suidmanager.rb:148, it reads:

    Process.initgroups(Etc.getpwuid(user).name, Process.gid)

Since the real gid is probably root, this always adds the gid "0" to the list of supplementary groups for the process, as per this strace for a change to my user account (with 7 supplementary groups):

    setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

This method is called by SUIDManager's change_user method, which is called in critical places such as lib/puppet/util.rb:308 in execute_posix (as used by lots of things including Exec resources).

#12458 - Only euid changed, not egid

Overview
========

The second problem occurs when only a target user is given to the SUIDManager asuser method, as opposed to a target user and group, as is the case in the following places:

    lib/puppet/provider/ssh_authorized_key/parsed.rb:59
    lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at lib/puppet/util/suidmanager.rb:78 doesn't change the egid, only the euid, so the egid remains as root.

#12459 - Permanent uid change doesn't drop supplementary groups

Overview
========

When execute_posix or similar forks and calls SUIDManager's change_user method, it sets permanent=true to change the real uid instead of the euid (lib/puppet/util.rb:307). In change_user, a different code path is taken when a permanent change is made, and so the supplementary groups aren't dropped (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.

CVE-2012-1054 Klogin write through symlink [ High ]

#12460 - Klogin File Handling Issue (Write through symlink)

High risk for users of this type. Users can symlink to arbitrary files, causing them to be overwritten, such as other klogin files.
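The three GID bugs above (#12457, #12458, #12459) are all variations of one mistake: dropping the uid without also rebuilding the group credentials from the target user's own record. The following is an added example, not Puppet's SUIDManager code, showing the drop in the order it has to happen and a check a hardened exec helper can run before handing control to the command. All function names (expected_groups, drop_privileges!, credential_problems, run_as) are my own; the group and credential data in the pure helpers can be passed in as constructed arrays so the logic can be tested without root.

```ruby
require 'etc'

# Added example (not Puppet's code). After a correct permanent drop to `username`:
#   1. supplementary groups come from the user's group memberships, seeded with
#      the user's primary gid (what initgroups(3) does), never the caller's Process.gid;
#   2. real, effective and saved gid are the user's primary gid;
#   3. uid is changed last, because setuid() gives up the right to setgid().

# Pure helper: the supplementary gids a correct initgroups() leaves behind.
# `group_entries` is an array of [gid, member_names] pairs; by default it is
# read from the system group database, but callers may pass constructed data.
def expected_groups(username, primary_gid, group_entries = system_groups)
  gids = [primary_gid]
  group_entries.each { |gid, members| gids << gid if members.include?(username) }
  gids.uniq.sort
end

def system_groups
  entries = []
  Etc.group { |g| entries << [g.gid, g.mem] }
  entries
end

# Snapshot of the calling process's credentials, in the shape credential_problems expects.
def current_credentials
  { uid: Process.uid, euid: Process.euid, gid: Process.gid, egid: Process.egid,
    groups: Process.groups }
end

# Pure check: list everything that still looks like root after a drop to uid/gid.
# An empty array means the drop is complete (#12457: no gid 0 in the supplementary
# list; #12458: egid changed, not only euid; #12459: groups actually rebuilt).
def credential_problems(uid, gid, creds = current_credentials)
  problems = []
  problems << "uid/euid are not #{uid}" unless creds[:uid] == uid && creds[:euid] == uid
  problems << "gid/egid are not #{gid}" unless creds[:gid] == gid && creds[:egid] == gid
  problems << "gid 0 still in supplementary groups" if uid != 0 && creds[:groups].include?(0)
  problems
end

# Permanently drop to `username`. Must run as root (in a forked child before exec).
def drop_privileges!(username)
  pw = Etc.getpwnam(username)
  Process.initgroups(username, pw.gid)   # supplementary groups seeded with the user's primary gid
  Process::Sys.setgid(pw.gid)            # real, effective and saved gid
  Process::Sys.setuid(pw.uid)            # real, effective and saved uid; must be last
  problems = credential_problems(pw.uid, pw.gid)
  raise "incomplete privilege drop: #{problems.join('; ')}" unless problems.empty?
  pw
end

# Run argv as another user the way a hardened exec resource would: fork, drop in
# the child, exec. The parent keeps its own credentials. Returns the exit status.
def run_as(username, *argv)
  pid = fork do
    drop_privileges!(username)
    exec(*argv)
  end
  Process.wait(pid)
  $?.exitstatus
end
```

As root, `run_as('nobody', 'id')` prints the child's credentials with no `0` in the groups list; run as a non-root user, drop_privileges! raises on the first Process::Sys call, which is the correct failure mode. The ordering matters in practice: calling setuid before initgroups or setgid leaves the process unable to change its groups, which is exactly the state in which the root gid and supplementary groups leak into the forked command.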
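For #12460 the fix in this release (per the changelog) is to stop writing to the existing path and go through a `replace_file` helper instead. The following is an added example of that pattern, not Puppet's own `replace_file`: the new content is written to a fresh file created with O_EXCL beside the target and then rename(2)d over it, so a symlink sitting at the target path is replaced as a directory entry rather than followed. The function names and the default mode are my own choices; the test constructs a symlink pointing at a "victim" file to show the victim is left untouched.

```ruby
# Added example (not Puppet's code): write-without-following-symlinks, the
# pattern that closes a write-through-symlink hole such as #12460.
def replace_file(path, content, default_mode = 0600)
  dir  = File.dirname(path)
  base = File.basename(path)
  tmp  = File.join(dir, ".#{base}.#{Process.pid}.#{rand(2**32).to_s(16)}")

  # lstat, not stat: we want to know what the existing entry *is*, not what a
  # symlink placed there might point at.
  existing = begin
    File.lstat(path)
  rescue Errno::ENOENT
    nil
  end
  # Only inherit mode/owner from a real regular file; a symlink or anything else
  # at `path` gets no say in the new file's permissions.
  existing = nil unless existing && existing.file?
  mode = existing ? (existing.mode & 07777) : default_mode

  # O_CREAT|O_EXCL fails if anything (including a pre-placed link) already has
  # this name, so the temp file is always one we created ourselves.
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    f.chmod(mode)   # fchmod: exact mode regardless of umask
    f.write(content)
    f.fsync
  end
  # Keep the original owner/group when we are allowed to (root), so a file
  # managed for one user does not silently become root-owned.
  File.chown(existing.uid, existing.gid, tmp) if existing && Process.euid == 0
  # rename replaces the directory entry atomically; a symlink at `path` is
  # discarded, never written through.
  File.rename(tmp, path)
  path
rescue => e
  File.unlink(tmp) if tmp && File.exist?(tmp)
  raise e
end

# Audit helper: the entry at `path` is a regular file (not a link) holding exactly `content`.
def regular_file_with?(path, content)
  File.lstat(path).file? && File.read(path) == content
rescue Errno::ENOENT
  false
end
```

The temp file lives in the same directory as the target so that rename stays on one filesystem and is atomic; that directory therefore has to be one the privileged writer trusts, which for a `.k5login` in a user's home is exactly why the write must never go through the path the user controls.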
2.6.14
======
d48ad59 Revert "(#5246) Puppetd does not remove it's pidfile when it exits"
ade5965 Remove unnecessary fallbacks in change_{user,group}
0a09a64 Document uid/gid-related methods in Puppet::Util
2599d56 Copy owner/group in replace_file
ead36ff (#12463) eliminate `secure_open` in favour of `replace_file`
1469538 (#12460) use `replace_file` for the .k5login file
8461203 (#12462) user_role_add: use `replace_file` for /etc/shadow
0ad532a (#12463) add secure `replace_file` to Puppet::Util
76d0749 (#12459) drop supplementary groups when permanently dropping UID
50909b9 (#12458) default to users primary group, not root, in `asuser`
d00c5cc (#12457) add users primary group, not Process.gid, in initgroups
d937ae3 (#6541) Use the same filebucket for backup and restore
a758066 (#11996) Fix test failures due to hash processing order changes.
e0e31d5 (#5246) Puppetd does not remove it's pidfile when it exits
0ab4597 (#11764) Fix failing cron test
073ca03 (#11764) Fix cron jobs for passing block to method

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.