Puppet 2.6.14 is a security release in the 2.6.x branch which
addresses CVEs 2012-1053 and 2012-1054.

All users of Puppet 2.6.x are encouraged to upgrade when possible to
Puppet 2.6.14.

Other information available at:  http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-1053 and
http://puppetlabs.com/security/cve/cve-2012-1053

Detailed feature release notes are available:

https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.14


This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.14.tar.gz

RPMs are available at http://yum.puppetlabs.com/el or /fedora

DEBs are available at http://apt.puppetlabs.com

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.6.14
http://projects.puppetlabs.com/projects/puppet/

# Summary #

(#12457, #12459) Execs that are run with a user specified but with no
group specified get the root group, so the exec gains unintended
privileges. This is a permanent change for the forked process. Exploiting
it requires access to either the command the exec will run or to the
manifests calling execs.

(#12458) Similarly unexpected privileges are given to providers and
types (egid remains as root).

(#12460) The Klogin type will write to untrusted locations (it writes
through symlinks).


# Details #

CVE-2012-1053 GID Issues (#12457, #12458, #12459) [ Medium ]

#12457 - Real gid always present in supplementary groups

 Overview
 ===================================================
 In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary
 groups in the "initgroups" method.  At
 lib/puppet/util/suidmanager.rb:148, it reads:

  Process.initgroups(Etc.getpwuid(user).name, Process.gid)

 Since the real gid is probably root, this always adds the gid "0" to
 the list of supplementary groups for the process as per this strace for
 a change to my user account (with 7 supplementary groups):

  setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

 This method is called by SUIDManager's change_user method, which is
 called in critical places such as lib/puppet/util.rb:308 in
 execute_posix (as used by lots of things including Exec resources).


#12458 - Only euid changed, not egid

 Overview
 ===============================
 The second problem occurs when only a target user is given to the
 SUIDManager asuser method as opposed to a target user and group, as is
 the case in the following places:
  lib/puppet/provider/ssh_authorized_key/parsed.rb:59
  lib/puppet/type/file/target.rb:46

 In this case, the SUIDManager asuser method at
 lib/puppet/util/suidmanager.rb:78 doesn't change the egid, only the
 euid, so the egid remains as root.


#12459 - Permanent uid change doesn't drop supplementary groups

 Overview
 ========
 When execute_posix or similar forks and calls SUIDManager's change_user
 method, it sets permanent=true to change the real uid instead of the
 euid (lib/puppet/util.rb:307).

 In change_user, a different code path is taken when a permanent change
 is made, and so the supplementary groups aren't dropped
 (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.
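
The three GID issues above all leave a child process holding more group privilege than the target user has. The following is an added example, not Puppet's code: a post-drop credential audit plus a drop routine that orders the calls safely. The method names and the uid/gid 1002 in the sample are assumptions; the group list is the one from the strace output above.

```ruby
require 'etc'

# Credentials a forked child should hold after becoming +name+: the user's
# uid, primary gid, and only the groups the account database gives the user.
def expected_credentials(name)
  pw = Etc.getpwnam(name)
  groups = [pw.gid]
  Etc.group { |g| groups << g.gid if g.mem.include?(name) }
  { uid: pw.uid, gid: pw.gid, groups: groups.uniq.sort }
end

# Snapshot of the calling process's real/effective ids and supplementary groups.
def current_credentials
  { uid: Process.uid, euid: Process.euid, gid: Process.gid,
    egid: Process.egid, groups: Process.groups.sort }
end

# Compare what a process holds (+have+) with what it should hold (+want+).
# Returns one finding per leftover privilege; an empty list means clean.
def leftover_privileges(want, have)
  findings = []
  findings << "real uid is #{have[:uid]}" unless have[:uid] == want[:uid]
  findings << "effective uid is #{have[:euid]}" unless have[:euid] == want[:uid]
  findings << "real gid is #{have[:gid]}" unless have[:gid] == want[:gid]
  findings << "effective gid is #{have[:egid]}" unless have[:egid] == want[:gid]
  extra = have[:groups] - want[:groups]
  findings << "extra supplementary groups #{extra.sort.inspect}" unless extra.empty?
  findings
end

# Permanently become +name+ in the current process (call in a forked child,
# as root). Groups first, then gid, then uid: once the uid is gone the
# process can no longer change its groups.
def drop_privileges!(name)
  want = expected_credentials(name)
  Process.initgroups(name, want[:gid])       # user's primary gid, not Process.gid
  Process::GID.change_privilege(want[:gid])  # real and effective gid
  Process::UID.change_privilege(want[:uid])  # real and effective uid
  left = leftover_privileges(want, current_credentials)
  raise SecurityError, "privilege drop incomplete: #{left.join('; ')}" unless left.empty?
end

# Constructed sample: uid/gid 1002 are assumed; the group list is the one in
# the strace output above, where gid 0 rode along with the user's 7 groups.
WANT = { uid: 1002, gid: 1002, groups: [10, 14, 18, 54, 474, 1002, 1004] }.freeze
HAVE = { uid: 1002, euid: 1002, gid: 1002, egid: 1002,
         groups: [0, 10, 14, 18, 54, 1002, 1004, 474] }.freeze
puts leftover_privileges(WANT, HAVE)
```

The same audit flags #12458 (effective gid still 0) and #12459 (root's supplementary groups still present) when given those credential snapshots.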


CVE-2012-1054 Klogin write through symlink [ High ]

#12460 - Klogin File Handling Issue (Write through symlink)

High risk for users of this type. Users can create symlinks to arbitrary
files, such as other klogin files, causing them to be overwritten.
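
The write-through-symlink behaviour next to a write-then-rename replacement, as an added example that is not Puppet's `replace_file` implementation. The method names, the scratch directory and the file contents are constructed for illustration, and the sketch only protects the final path component.

```ruby
require 'securerandom'
require 'tmpdir'

# Vulnerable pattern: opening +path+ for writing follows a symlink planted
# there, so the bytes land in whatever file the link points at.
def naive_write(path, content)
  File.open(path, 'w') { |f| f.write(content) }
end

# Hardened pattern: create a fresh file next to +path+ (O_EXCL refuses any
# existing name, symlinks included), then rename it over +path+. rename(2)
# replaces the directory entry itself, so a symlink there is never followed.
def replace_file_sketch(path, content, mode = 0o644)
  tmp = File.join(File.dirname(path),
                  ".#{File.basename(path)}.#{SecureRandom.hex(8)}")
  begin
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(content)
      f.fsync
      f.chmod(mode)
    end
    File.rename(tmp, path)
  rescue StandardError
    File.unlink(tmp) if File.exist?(tmp)
    raise
  end
end

# Constructed demo in a scratch directory: "victim" stands for any file the
# writer's privileges can reach, ".k5login" is a symlink a user planted.
def demo(writer)
  Dir.mktmpdir do |dir|
    victim = File.join(dir, 'victim')
    target = File.join(dir, '.k5login')
    File.write(victim, "original\n")
    File.symlink(victim, target)
    send(writer, target, "principal@EXAMPLE.COM\n")
    { victim: File.read(victim), symlink: File.symlink?(target),
      written: File.read(target) }
  end
end

p demo(:naive_write)          # victim content is overwritten
p demo(:replace_file_sketch)  # victim untouched, link replaced by a file
```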

2.6.14
===
d48ad59 Revert "(#5246) Puppetd does not remove it's pidfile when it exits"
ade5965 Remove unnecessary fallbacks in change_{user,group}
0a09a64 Document uid/gid-related methods in Puppet::Util
2599d56 Copy owner/group in replace_file
ead36ff (#12463) eliminate `secure_open` in favour of `replace_file`
1469538 (#12460) use `replace_file` for the .k5login file
8461203 (#12462) user_role_add: use `replace_file` for /etc/shadow
0ad532a (#12463) add secure `replace_file` to Puppet::Util
76d0749 (#12459) drop supplementary groups when permanently dropping UID
50909b9 (#12458) default to users primary group, not root, in `asuser`
d00c5cc (#12457) add users primary group, not Process.gid, in initgroups
d937ae3 (#6541) Use the same filebucket for backup and restore
a758066 (#11996) Fix test failures due to hash processing order changes.
e0e31d5 (#5246) Puppetd does not remove it's pidfile when it exits
0ab4597 (#11764) Fix failing cron test
073ca03 (#11764) Fix cron jobs for passing block to method
