Matthaus Litteken
2012-Feb-23 05:44 UTC
Announce: Puppet 2.7.11 Available [security/maintenance update]
Puppet 2.7.11 is a maintenance and security release in the 2.7.x branch.

The security changes in 2.7.11 address CVEs 2012-1053 and 2012-1054.
The maintenance changes are to address regressions in 2.7.10.

All users of Puppet 2.7.x are encouraged to upgrade when possible to Puppet 2.7.11.

Other information available at: http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-1053 and
http://puppetlabs.com/security/cve/cve-2012-1054

Detailed feature release notes are available:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.11

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.7.11.tar.gz

RPMs are available at http://yum.puppetlabs.com/el or /fedora

Debs are available on http://apt.puppetlabs.com (lenny requires backports enabled)

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.11
http://projects.puppetlabs.com/projects/puppet/

# Summary #

(#12457, #12459) Execs, when run with a user specified but with no group specified, will get root group, so the exec then gets unintended privileges. This is a permanent change for the forked process. Exploit requires access to either the command the exec will run or to the manifests calling execs.

(#12458) Similarly unexpected privileges are given to providers and types (egid remains as root).

(#12460) Klogin type will write to untrusted locations (write through symlinks)

# Details #

CVE-2012-1053 GID Issues (#12457, #12458, #12459) [ Medium ]

#12457 - Real gid always present in supplementary groups

Overview
========
In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary groups in the "initgroups" method. At lib/puppet/util/suidmanager.rb:148, it reads:

    Process.initgroups(Etc.getpwuid(user).name, Process.gid)

Since the real gid is probably root, this always adds the gid "0" to the list of supplementary groups for the process, as per this strace for a change to my user account (with 7 supplementary groups):

    setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

This method is called by SUIDManager's change_user method, which is called in critical places such as lib/puppet/util.rb:308 in execute_posix (as used by lots of things including Exec resources).

#12458 - Only euid changed, not egid

Overview
========
The second problem occurs when only a target user is given to the SUIDManager asuser method, as opposed to a target user and group, as is the case in the following places:

    lib/puppet/provider/ssh_authorized_key/parsed.rb:59
    lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at lib/puppet/util/suidmanager.rb:78 doesn't change the egid, only the euid, so the egid remains as root.

#12459 - Permanent uid change doesn't drop supplementary groups

Overview
========
When execute_posix or similar forks and calls SUIDManager's change_user method, it sets permanent=true to change the real uid instead of the euid (lib/puppet/util.rb:307).

In change_user, a different code path is taken when a permanent change is made, and so the supplementary groups aren't dropped (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.

CVE-2012-1054 Klogin write through symlink [ High ]

#12460 - Klogin File Handling Issue (Write through symlink)

High risk for users of this type. Users can symlink to arbitrary files, causing them to be overwritten, such as other klogin files.

2.7.11 Changelog
================
c814c6b (#12572) Fix failing last run summary test on windows
87bcf3f (#12188) Handle Win32 as well as Unix in pidfile tests.
01b57e9 (#12188) Better handling of PID file cleanup warnings.
a8b6088 (#12572) Add acceptance test to make sure no last_run_summary diff is printed
40480ed (#12572) Revert fix for #7106 and implement a more minimal fix
0486462 (#12412) Mark symbolic file modes test as pending on Windows
115ba71 Symbolic file mode test fixes when no mode change happens.
dde3945 Disable specs that use replace_file on Windows
4272d1f Disable replace_file on Windows
4bcbad4 Remove unnecessary fallbacks in change_{user,group}
ff372fb Document uid/gid-related methods in Puppet::Util
5f8f3ba Copy owner/group in replace_file
f0c9995 (#12463) eliminate `secure_open` in favour of `replace_file`
0c96703 (#12460) use `replace_file` for the .k5login file
7900a66 (#12462) user_role_add: use `replace_file` for /etc/shadow
f9f9961 (#12463) add secure `replace_file` to Puppet::Util
db0f872 (#12459) drop supplementary groups when permanently dropping UID
7f26d28 (#12458) default to users primary group, not root, in `asuser`
a96babf (#12457) add users primary group, not Process.gid, in initgroups
2f21546 Restore compatible `insync?` behaviour for matching arrays.
6ffe25b Fix bugs around the finer-grained insync? protocol.
133b739 Add unit tests for the `insysc?` method of a property.
908bfbd Property Spec cleanup: eliminate stubbing of resource and provider.
0d95eb7 Property Spec cleanup: last let method extraction.
5394413 Property Spec cleanup: extract more let methods.
f919e17 Property Spec cleanup: remove unused instance variable.
7bb261b Property Spec cleanup: remove some pointless extra stubs.
e81f02c Property Spec cleanup: extract property instance to a let method.
4fc4dd4 Property Spec cleanup: extract mock resource to let method.
9083fc6 Property Spec cleanup: extract mock provider to let method.
25d7c99 Property Spec cleanup: extract new subclass to let method.
3638651 (#2927) Acceptance test for symbolic file modes.
daa247e (#12296) Acceptance test for cycle detection in graphs.
1f0f40e Use natural ordering of Puppet::Provider.
3c1604a Make `Puppet::Provider` ordered.
50dc35d (#12296) Now that `Puppet::Type` is ordered, use that.
9962ac0 (#12296) Make `Puppet::Type` ordered.
b28d4ce (#12296) Test cycle detection on real Puppet::Type instances.
103a554 (#12310) Remove process_name instrumentation listener
f11ee44 (#12464) Avoid unnecessarily reloading facts when node_name_fact is not set

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
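Added illustration (not Puppet's own code) of the credential handling that the three GID fixes (#12457, #12458, #12459) restore: seed the supplementary list from the target user's primary gid rather than the caller's Process.gid, set the gid alongside the uid, drop supplementary groups even on a permanent change, and verify the result afterwards. The group database passed to `supplementary_groups` is a constructed array, and `drop_privileges!` needs root, so only the pure and verification parts are exercised here.

```ruby
require 'etc'

# Supplementary groups a process should carry after switching to `name`:
# the groups that list the user as a member plus the user's own primary
# gid. `group_db` is a constructed array of [group_name, gid, members] so
# the logic can be exercised without touching the system database.
def supplementary_groups(name, primary_gid, group_db)
  member_of = group_db.select { |_, _, members| members.include?(name) }
  ([primary_gid] + member_of.map { |_, gid, _| gid }).uniq.sort
end

# Effect of the pre-2.7.11 call, which seeded the list with the parent's
# Process.gid (0 for an agent running as root) instead of the target
# user's primary gid; kept only for comparison.
def supplementary_groups_seeded_with_parent(name, parent_gid, group_db)
  member_of = group_db.select { |_, _, members| members.include?(name) }
  ([parent_gid] + member_of.map { |_, gid, _| gid }).uniq.sort
end

# Permanently switch to `user` (and `group`, defaulting to the user's
# primary group, never to the caller's gid). Order matters: groups and
# gid must be set while still root, and setuid comes last because it is
# the irrevocable step. Requires root, so the checks below do not call it.
def drop_privileges!(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  Process.initgroups(pw.name, gid)  # user's groups seeded with gid, not Process.gid
  Process::Sys.setgid(gid)          # real and effective gid
  Process::Sys.setuid(pw.uid)       # real and effective uid, permanent
  verify_dropped!(pw.uid, gid)
end

# Post-condition check a caller can run after any drop: euid and egid must
# match the target, and gid 0 must not linger in the supplementary list
# unless 0 was the intended group.
def verify_dropped!(uid, gid)
  problems = []
  problems << "euid=#{Process.euid}, expected #{uid}" if Process.euid != uid
  problems << "egid=#{Process.egid}, expected #{gid}" if Process.egid != gid
  if gid != 0 && Process.groups.include?(0)
    problems << "gid 0 still in supplementary groups #{Process.groups.inspect}"
  end
  raise "privilege drop incomplete: #{problems.join('; ')}" unless problems.empty?
  true
end
```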
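Added illustration of the secure `replace_file` approach the changelog names for the .k5login issue (#12460); this is not Puppet's implementation. New content is written to a temporary file in the target directory and then renamed over the path, so a symlink sitting at the path is replaced rather than followed; the demonstration runs in a constructed temporary directory.

```ruby
require 'tempfile'
require 'tmpdir'

# Replace the contents of `path` without ever writing through a symlink.
# rename(2) swaps the directory entry itself, so a symlink at `path` is
# replaced, never followed; the explicit lstat-based check on top makes
# the situation fail loudly instead of silently discarding the link.
def replace_file(path, mode = 0600)
  if File.symlink?(path)
    raise ArgumentError, "refusing to write through symlink #{path} -> #{File.readlink(path)}"
  end
  dir = File.dirname(File.expand_path(path))
  tmp = Tempfile.new(File.basename(path), dir)  # created 0600 in the target dir
  tmp.chmod(mode)
  yield tmp
  tmp.flush
  tmp.fsync
  tmp.close
  File.rename(tmp.path, path)                   # atomic, does not follow symlinks
  true
ensure
  if tmp
    tmp.close unless tmp.closed?
    tmp.unlink                                  # no-op once renamed away
  end
end

# Constructed demonstration: a "k5login" entry that is a symlink to some
# other file. The write must be refused and the other file left untouched;
# a regular file at the same spot is replaced normally with the given mode.
def symlink_demo
  Dir.mktmpdir do |d|
    victim = File.join(d, "victim")
    File.write(victim, "original")
    link = File.join(d, "k5login")
    File.symlink(victim, link)
    refused = false
    begin
      replace_file(link) { |f| f.write("rewritten") }
    rescue ArgumentError
      refused = true
    end
    plain = File.join(d, "plain")
    File.write(plain, "old")
    replace_file(plain) { |f| f.write("new") }
    { refused: refused, victim: File.read(victim), plain: File.read(plain),
      plain_mode: File.stat(plain).mode & 0777 }
  end
end
```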
hai wu
2012-Feb-24 06:44 UTC
Re: [Puppet Users] Announce: Puppet 2.7.11 Available [security/maintenance update]
It says bug 12572 is fixed in 2.7.11, but this is not the case. It seems the released RPM packages for RHEL6 (both binary and source RPM) do not contain the real fix here at https://github.com/puppetlabs/puppet/commit/411828be395a68d70fec634fa8d8ff12572e8501. I still see the old code ..

On Wed, Feb 22, 2012 at 11:44 PM, Matthaus Litteken <matthaus@puppetlabs.com> wrote:
> Puppet 2.7.11 is a maintenance and security release in the 2.7.x branch.
Stefan Heijmans
2012-Feb-24 16:26 UTC
Re: [Puppet Users] Announce: Puppet 2.7.11 Available [security/maintenance update]
Same is for RHEL5 (binary rpm), I see that the rpm on yum.puppetlabs.com is from 22-Feb-2012 and the http://projects.puppetlabs.com/issues/12572 is closed 17 hours ago, that's later than the released rpm.

    # rpm -q puppet puppet-server
    puppet-2.7.11-1.el5
    puppet-server-2.7.11-1.el5
    #
    # vim /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb

    def save_last_run_summary(report)
      last_run = Puppet.settings.setting(:lastrunfile)
      last_run.create = true # force file creation

      resource = last_run.to_resource
      resource[:content] = YAML.dump(report.raw_summary)

      catalog = Puppet::Resource::Catalog.new("last_run_file")
      catalog.add_resource(resource)
      ral = catalog.to_ral
      ral.host_config = false
      ral.apply
    rescue => detail
      puts detail.backtrace if Puppet[:trace]
      Puppet.err "Could not save last run local report: #{detail}"
    end
Matthaus Litteken
2012-Feb-24 19:30 UTC
Re: [Puppet Users] Announce: Puppet 2.7.11 Available [security/maintenance update]
You're totally right. It looks like the rpms for puppet-2.7.11-1 were built from a stale tag on our end. I've built a new rpm for 2.7.11 called puppet-2.7.11-2. It includes the fixes for #12572. The debs, gems, dmg and tarball were all fine, only the rpms were affected. Thanks for letting us know.

-matthaus

On Fri, Feb 24, 2012 at 8:26 AM, Stefan Heijmans <heijmans@rechtspraak.nl> wrote:
> same is for RHEL5 (binary rpm), I see that the rpm on yum.puppetlabs.com is
> from 22-Feb-2012 and the http://projects.puppetlabs.com/issues/12572 is
> closed 17hours ago, thats later then the released rpm.
Stefan Heijmans
2012-Feb-26 13:47 UTC
Re: [Puppet Users] Announce: Puppet 2.7.11 Available [security/maintenance update]
Matthaus, thanks for the new rpms.

Small question: what is the difference between these versions?

    .noarch.rpm
    .el5.noarch.rpm

As the .noarch.rpm are not updated, they are still on 2.7.11-1.noarch.rpm.