Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:Test
puppet
puppet-0.25.4-CVE-2011-3848.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File puppet-0.25.4-CVE-2011-3848.patch of Package puppet
From 6e5a821cbf94b220dfc021ff7ebad0831c60e207 Mon Sep 17 00:00:00 2001 From: Daniel Pittman <daniel@puppetlabs.com> Date: Sat, 24 Sep 2011 12:44:20 -0700 Subject: [PATCH] Resist directory traversal attacks through indirections. In various versions of Puppet it was possible to cause a directory traversal attack through the SSLFile indirection base class. This was variously triggered through the user-supplied key, or the Subject of the certificate, in the code. Now, we detect bad patterns down in the base class for our indirections, and fail hard on them. This reduces the attack surface with as little disruption to the overall codebase as possible, making it suitable to deploy as part of older, stable versions of Puppet. In the long term we will also address this higher up the stack, to prevent these problems from reoccurring, but for now this will suffice. Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com> for the responsible disclosure, and useful analysis, around this defect. Signed-off-by: Daniel Pittman <daniel@puppetlabs.com> --- lib/puppet/indirector.rb | 8 +++++++- lib/puppet/indirector/ssl_file.rb | 5 +++++ lib/puppet/indirector/yaml.rb | 5 +++++ spec/unit/indirector/ssl_file.rb | 19 +++++++++++++++++++ spec/unit/indirector/yaml.rb | 15 +++++++++++++++ 5 files changed, 51 insertions(+), 1 deletions(-) diff --git a/lib/puppet/indirector.rb b/lib/puppet/indirector.rb index 61ef2db..20a460d 100644 --- a/lib/puppet/indirector.rb +++ b/lib/puppet/indirector.rb @@ -31,7 +31,13 @@ module Puppet::Indirector @indirection end - module ClassMethods + # Helper definition for indirections that handle filenames. + BadNameRegexp = Regexp.union(/^\.\./, + %r{[\\/]}, + "\0", + /(?i)^[a-z]:/) + + module ClassMethods attr_reader :indirection def cache_class=(klass) diff --git a/lib/puppet/indirector/ssl_file.rb b/lib/puppet/indirector/ssl_file.rb index fc1e65d..9defcb5 100644 --- a/lib/puppet/indirector/ssl_file.rb +++ b/lib/puppet/indirector/ssl_file.rb @@ -54,6 +54,11 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus # Use a setting to determine our path. def path(name) + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + if ca?(name) and ca_location ca_location elsif collection_directory diff --git a/lib/puppet/indirector/yaml.rb b/lib/puppet/indirector/yaml.rb index 782112e..a119b86 100644 --- a/lib/puppet/indirector/yaml.rb +++ b/lib/puppet/indirector/yaml.rb @@ -50,6 +50,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus # Return the path to a given node's file. def path(name) + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + File.join(base, self.class.indirection_name.to_s, name.to_s + ".yaml") end diff --git a/spec/unit/indirector/ssl_file.rb b/spec/unit/indirector/ssl_file.rb index 7a9d629..077ccc2 100755 --- a/spec/unit/indirector/ssl_file.rb +++ b/spec/unit/indirector/ssl_file.rb @@ -89,6 +89,25 @@ describe Puppet::Indirector::SslFile do end end + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @searcher.path(input) }.to raise_error + end + end + + # REVISIT: Should probably test MS-DOS reserved names here, too, since + # they would represent a vulnerability on a Win32 system, should we ever + # support that path. Don't forget that 'CON.foo' == 'CON' + # --daniel 2011-09-24 + describe "when finding certificates on disk" do describe "and no certificate is present" do before do diff --git a/spec/unit/indirector/yaml.rb b/spec/unit/indirector/yaml.rb index 0e70708..c5d357f 100755 --- a/spec/unit/indirector/yaml.rb +++ b/spec/unit/indirector/yaml.rb @@ -50,6 +50,21 @@ describe Puppet::Indirector::Yaml, " when choosing file location" do it "should use the object's name to determine the file name" do @store.path(:me).should =~ %r{me.yaml$} end + + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @store.path(input) }.to raise_error + end + end + end describe Puppet::Indirector::Yaml, " when storing objects as YAML" do -- 1.7.4.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor