Overview

File puppet-CVE-2017-2295.patch of Package rubygem-puppet.6846

From 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea Mon Sep 17 00:00:00 2001
From: Josh Cooper <josh@puppet.com>
Date: Fri, 28 Apr 2017 12:09:11 -0700
Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON

Previously, an authenticated user could cause the master to execute
YAML.load on user-specified input, as well as MessagePack.unpack if the
msgpack gem was installed.

Since 3.2.2, agents have always sent facts as PSON. There is no reason
to support other formats, so reject all fact formats except PSON.
---

Index: puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/indirector/catalog/compiler.rb
+++ puppet-3.8.5/lib/puppet/indirector/catalog/compiler.rb
@@ -22,9 +22,11 @@ class Puppet::Resource::Catalog::Compile
       # in Network::HTTP::Handler will automagically deserialize the value.
       if text_facts.is_a?(Puppet::Node::Facts)
         facts = text_facts
-      else
+      elsif format == 'pson'
         # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
-        facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
+        facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
+      else
+        raise ArgumentError, "Unsupported facts format"
       end
 
       unless facts.name == request.key
openSUSE Build Service is sponsored by
Places