Puppet 2.7.11 is a maintenance and security release in the 2.7.x branch. The security changes in 2.7.11 address CVE-2012-1053 and CVE-2012-1054. The maintenance changes address regressions in 2.7.10.
All users of Puppet 2.7.x are encouraged to upgrade when possible to Puppet 2.7.11.

Other information is available at: http://puppetlabs.com/security, or visit http://puppetlabs.com/security/cve/cve-2012-1053 and http://puppetlabs.com/security/cve/cve-2012-1054

Detailed feature release notes are available at: https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.11

This release is available for download at: http://puppetlabs.com/downloads/puppet/puppet-2.7.11.tar.gz

RPMs are available at http://yum.puppetlabs.com/el or /fedora

Debs are available on http://apt.puppetlabs.com (lenny requires backports enabled)

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.11: http://projects.puppetlabs.com/projects/puppet/

# Summary #

(#12457, #12459) Execs, when run with a user specified but with no group specified, will get the root group, so the exec then gets unintended privileges. This is a permanent change for the forked process. Exploit requires access to either the command the exec will run or to the manifests calling execs.

(#12458) Similarly, unexpected privileges are given to providers and types (the egid remains as root).

(#12460) The Klogin type will write to untrusted locations (write through symlinks).

# Details #

CVE-2012-1053 GID Issues (#12457, #12458, #12459) [ Medium ]

#12457 - Real gid always present in supplementary groups

Overview
===================================================

In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary groups in the "initgroups" method.
At lib/puppet/util/suidmanager.rb:148, it reads:

    Process.initgroups(Etc.getpwuid(user).name, Process.gid)

Since the real gid is probably root, this always adds the gid "0" to the list of supplementary groups for the process, as per this strace for a change to my user account (with 7 supplementary groups):

    setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

This method is called by SUIDManager's change_user method, which is called in critical places such as lib/puppet/util.rb:308 in execute_posix (as used by lots of things including Exec resources).

#12458 - Only euid changed, not egid

Overview
===============================

The second problem occurs when only a target user is given to the SUIDManager asuser method, as opposed to a target user and group, as is the case in the following places:

    lib/puppet/provider/ssh_authorized_key/parsed.rb:59
    lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at lib/puppet/util/suidmanager.rb:78 doesn't change the egid, only the euid, so the egid remains as root.

#12459 - Permanent uid change doesn't drop supplementary groups

Overview
========

When execute_posix or similar forks and calls SUIDManager's change_user method, it sets permanent=true to change the real uid instead of the euid (lib/puppet/util.rb:307). In change_user, a different code path is taken when a permanent change is made, and so the supplementary groups aren't dropped (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.

CVE-2012-1054 Klogin write through symlink [ High ]

#12460 - Klogin File Handling Issue (Write through symlink)

High risk for users of this type. Users can symlink to arbitrary files, causing them to be overwritten, such as other klogin files.

2.7.11 Changelog
===

c814c6b (#12572) Fix failing last run summary test on windows
87bcf3f (#12188) Handle Win32 as well as Unix in pidfile tests.
01b57e9 (#12188) Better handling of PID file cleanup warnings.
a8b6088 (#12572) Add acceptance test to make sure no last_run_summary diff is printed
40480ed (#12572) Revert fix for #7106 and implement a more minimal fix
0486462 (#12412) Mark symbolic file modes test as pending on Windows
115ba71 Symbolic file mode test fixes when no mode change happens.
dde3945 Disable specs that use replace_file on Windows
4272d1f Disable replace_file on Windows
4bcbad4 Remove unnecessary fallbacks in change_{user,group}
ff372fb Document uid/gid-related methods in Puppet::Util
5f8f3ba Copy owner/group in replace_file
f0c9995 (#12463) eliminate `secure_open` in favour of `replace_file`
0c96703 (#12460) use `replace_file` for the .k5login file
7900a66 (#12462) user_role_add: use `replace_file` for /etc/shadow
f9f9961 (#12463) add secure `replace_file` to Puppet::Util
db0f872 (#12459) drop supplementary groups when permanently dropping UID
7f26d28 (#12458) default to users primary group, not root, in `asuser`
a96babf (#12457) add users primary group, not Process.gid, in initgroups
2f21546 Restore compatible `insync?` behaviour for matching arrays.
6ffe25b Fix bugs around the finer-grained insync? protocol.
133b739 Add unit tests for the `insysc?` method of a property.
908bfbd Property Spec cleanup: eliminate stubbing of resource and provider.
0d95eb7 Property Spec cleanup: last let method extraction.
5394413 Property Spec cleanup: extract more let methods.
f919e17 Property Spec cleanup: remove unused instance variable.
7bb261b Property Spec cleanup: remove some pointless extra stubs.
e81f02c Property Spec cleanup: extract property instance to a let method.
4fc4dd4 Property Spec cleanup: extract mock resource to let method.
9083fc6 Property Spec cleanup: extract mock provider to let method.
25d7c99 Property Spec cleanup: extract new subclass to let method.
3638651 (#2927) Acceptance test for symbolic file modes.
daa247e (#12296) Acceptance test for cycle detection in graphs.
1f0f40e Use natural ordering of Puppet::Provider.
3c1604a Make `Puppet::Provider` ordered.
50dc35d (#12296) Now that `Puppet::Type` is ordered, use that.
9962ac0 (#12296) Make `Puppet::Type` ordered.
b28d4ce (#12296) Test cycle detection on real Puppet::Type instances.
103a554 (#12310) Remove process_name instrumentation listener
f11ee44 (#12464) Avoid unnecessarily reloading facts when node_name_fact is not set

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
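The three GID issues above (#12457, #12458, #12459) share one root cause: the identity Puppet dropped to was derived from the running root process (Process.gid, an euid-only switch, a skipped setgroups) rather than from the target user. The following is an added Ruby sketch of the drop done the way the fixes describe, written for this note and not Puppet's SUIDManager code (planned_identity and drop_privileges! are hypothetical names): primary gid from the passwd entry, supplementary set rebuilt for the target user only, gid and groups changed before the uid, and all three ids (real, effective, saved) changed together.

```ruby
require 'etc'

# Work out the identity a process should hold after dropping to +user+.
# Hypothetical helper for this note, not Puppet::Util::SUIDManager.
# The primary gid comes from the passwd entry (never from Process.gid,
# which is 0 in a root-run agent: the #12457 mistake), and the
# supplementary set is rebuilt from the group database for that user
# only, so gid 0 is not carried across.  Pure lookup; safe unprivileged.
def planned_identity(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  supplementary = [gid]
  Etc.group { |g| supplementary << g.gid if g.mem.include?(pw.name) }
  { uid: pw.uid, gid: gid, groups: supplementary.uniq.sort }
end

# Permanently drop privileges in the only order that works: the
# supplementary set and the gid while still root (setgroups/setgid need
# it), then the uid.  change_privilege sets real, effective and saved
# ids, so unlike an euid-only switch (#12458) no root egid is left
# behind and there is no saved root id to switch back to.  Requires
# root; raises Errno::EPERM otherwise.
def drop_privileges!(user, group = nil)
  ids = planned_identity(user, group)
  Process.groups = ids[:groups]               # replaces, not extends (#12459)
  Process::GID.change_privilege(ids[:gid])
  Process::UID.change_privilege(ids[:uid])
  unless Process.gid == ids[:gid] && Process.egid == ids[:gid]
    raise "gid change failed"
  end
  unless Process.uid == ids[:uid] && Process.euid == ids[:uid]
    raise "uid change failed"
  end
  ids
end
```

The post-change checks matter: a silent partial drop is exactly the failure mode these CVEs describe, so a child that cannot verify its new ids should exit rather than run the command.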
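For #12460 the changelog shows the fix direction: in-place writes to .k5login (and /etc/shadow) were replaced by a `replace_file` helper. The following is an added illustration of that write-to-sibling-then-rename pattern, written for this note and not Puppet's own Puppet::Util.replace_file (safe_replace_file is a hypothetical name); it shows why a symlink planted at the destination cannot redirect the write.

```ruby
# Replace +path+ atomically without following a symlink planted there.
# Hypothetical helper for this note, not Puppet's Puppet::Util.replace_file.
# The content goes to a fresh sibling file opened with O_CREAT|O_EXCL (a
# link pre-planted at the temp name makes the open fail instead of being
# followed), then rename(2)'d over +path+.  rename swaps the directory
# entry itself, so a symlink at +path+ is replaced and its target is never
# opened or written.
def safe_replace_file(path, content, mode = 0600)
  path = File.expand_path(path)
  tmp  = File.join(File.dirname(path),
                   ".#{File.basename(path)}.#{Process.pid}.#{rand(1 << 32).to_s(16)}")
  created = false
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    created = true
    f.write(content)
    f.fsync
  end
  File.chmod(mode, tmp)            # the umask may have narrowed the create mode
  # Keep the owner/group of a real existing file; a symlink's owner is
  # untrusted metadata and is deliberately ignored.
  old = File.lstat(path) rescue nil
  File.chown(old.uid, old.gid, tmp) if old && old.file?
  File.rename(tmp, path)
  path
rescue StandardError
  File.unlink(tmp) if created      # never leave a half-written file behind
  raise
end
```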