Overview

File puppet-0.25.4-CVE-2011-3848.patch of Package puppet

From 6e5a821cbf94b220dfc021ff7ebad0831c60e207 Mon Sep 17 00:00:00 2001
From: Daniel Pittman <daniel@puppetlabs.com>
Date: Sat, 24 Sep 2011 12:44:20 -0700
Subject: [PATCH] Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory traversal
attack through the SSLFile indirection base class.  This was variously
triggered through the user-supplied key, or the Subject of the certificate, in
the code.

Now, we detect bad patterns down in the base class for our indirections, and
fail hard on them.  This reduces the attack surface with as little disruption
to the overall codebase as possible, making it suitable to deploy as part of
older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent
these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com> for the
responsible disclosure, and useful analysis, around this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
---
 lib/puppet/indirector.rb          |    8 +++++++-
 lib/puppet/indirector/ssl_file.rb |    5 +++++
 lib/puppet/indirector/yaml.rb     |    5 +++++
 spec/unit/indirector/ssl_file.rb  |   19 +++++++++++++++++++
 spec/unit/indirector/yaml.rb      |   15 +++++++++++++++
 5 files changed, 51 insertions(+), 1 deletions(-)

diff --git a/lib/puppet/indirector.rb b/lib/puppet/indirector.rb
index 61ef2db..20a460d 100644
--- a/lib/puppet/indirector.rb
+++ b/lib/puppet/indirector.rb
@@ -31,7 +31,13 @@ module Puppet::Indirector
         @indirection
     end
 
-    module ClassMethods   
+    # Helper definition for indirections that handle filenames.
+    BadNameRegexp = Regexp.union(/^\.\./,
+                                 %r{[\\/]},
+                                 "\0",
+                                 /(?i)^[a-z]:/)
+
+    module ClassMethods
         attr_reader :indirection
 
         def cache_class=(klass)
diff --git a/lib/puppet/indirector/ssl_file.rb b/lib/puppet/indirector/ssl_file.rb
index fc1e65d..9defcb5 100644
--- a/lib/puppet/indirector/ssl_file.rb
+++ b/lib/puppet/indirector/ssl_file.rb
@@ -54,6 +54,11 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus
 
     # Use a setting to determine our path.
     def path(name)
+        if name =~ Puppet::Indirector::BadNameRegexp then
+            Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+            raise ArgumentError, "invalid key"
+        end
+
         if ca?(name) and ca_location
             ca_location
         elsif collection_directory
diff --git a/lib/puppet/indirector/yaml.rb b/lib/puppet/indirector/yaml.rb
index 782112e..a119b86 100644
--- a/lib/puppet/indirector/yaml.rb
+++ b/lib/puppet/indirector/yaml.rb
@@ -50,6 +50,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus
 
     # Return the path to a given node's file.
     def path(name)
+        if name =~ Puppet::Indirector::BadNameRegexp then
+            Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+            raise ArgumentError, "invalid key"
+        end
+
         File.join(base, self.class.indirection_name.to_s, name.to_s + ".yaml")
     end
 
diff --git a/spec/unit/indirector/ssl_file.rb b/spec/unit/indirector/ssl_file.rb
index 7a9d629..077ccc2 100755
--- a/spec/unit/indirector/ssl_file.rb
+++ b/spec/unit/indirector/ssl_file.rb
@@ -89,6 +89,25 @@ describe Puppet::Indirector::SslFile do
             end
         end
 
+        ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+            '/foo', '//foo', '\\foo', '\\\\goo',
+            "test\0/../bar", "test\0\\..\\bar",
+            "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+            " / bar", " /../ bar", " \\..\\ bar",
+            "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+            "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+            "//?/c:/foo",
+        ].each do |input|
+            it "should resist directory traversal attacks (#{input.inspect})" do
+                expect { @searcher.path(input) }.to raise_error
+            end
+        end
+
+      # REVISIT: Should probably test MS-DOS reserved names here, too, since
+      # they would represent a vulnerability on a Win32 system, should we ever
+      # support that path.  Don't forget that 'CON.foo' == 'CON'
+      # --daniel 2011-09-24
+
         describe "when finding certificates on disk" do
             describe "and no certificate is present" do
                 before do
diff --git a/spec/unit/indirector/yaml.rb b/spec/unit/indirector/yaml.rb
index 0e70708..c5d357f 100755
--- a/spec/unit/indirector/yaml.rb
+++ b/spec/unit/indirector/yaml.rb
@@ -50,6 +50,21 @@ describe Puppet::Indirector::Yaml, " when choosing file location" do
         it "should use the object's name to determine the file name" do
             @store.path(:me).should =~ %r{me.yaml$}
         end
+
+        ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+            '/foo', '//foo', '\\foo', '\\\\goo',
+            "test\0/../bar", "test\0\\..\\bar",
+            "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+            " / bar", " /../ bar", " \\..\\ bar",
+            "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+            "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+            "//?/c:/foo",
+        ].each do |input|
+            it "should resist directory traversal attacks (#{input.inspect})" do
+                expect { @store.path(input) }.to raise_error
+            end
+        end
+
     end
 
     describe Puppet::Indirector::Yaml, " when storing objects as YAML" do
-- 
1.7.4.4
openSUSE Build Service is sponsored by
Places