Overview

File puppet-3.8.5-CVE-2017-2295.patch of Package puppet.14603

Index: puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/indirector/catalog/compiler.rb
+++ puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
@@ -22,9 +22,14 @@ class Puppet::Resource::Catalog::Compile
       # in Network::HTTP::Handler will automagically deserialize the value.
       if text_facts.is_a?(Puppet::Node::Facts)
         facts = text_facts
-      else
+      elsif format == 'pson'
+        # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
+        facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
+      elsif Puppet[:dangerous_fact_formats]
         # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
         facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
+      else
+        raise ArgumentError, "Unsupported facts format"
       end
 
       unless facts.name == request.key
Index: puppet-3.8.5/lib/puppet/defaults.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/defaults.rb
+++ puppet-3.8.5/lib/puppet/defaults.rb
@@ -2112,4 +2112,14 @@ EOT
           generate manifest documentation.",
     }
   )
+  define_settings(:master,
+    # SUSE specific option that enables using various dangerous fact formats (e.g. YAML).
+    # When it's set to false, only PSON fact format is accepted.
+    # See bug #1040151, CVE-2017-2295
+    :dangerous_fact_formats => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether to allow to use dangerous fact formats (e.g. YAML)",
+      }
+    )
 end
openSUSE Build Service is sponsored by
Places