puppet 2.6.17 → 2.6.18

data/CHANGELOG

@@ -1,3 +1,28 @@
+2.6.18
+===
+b166c4f (#19391) Find the catalog for the specified node name
+f256c6d Don't assume master supports SSLv2
+bb288aa Don't require openssl client to return 0 on failure
+a11a690 Display SSL messages so we can match our regex
+f07b761 Don't assume puppetbindir is defined
+e617728 Remove unnecessary rubygems require
+75a5f7e Run openssl from windows when trying to downgrade master
+e6b6124 Separate tests for same CVEs into separate files
+bdcf029 Fix order-dependent test failure in rest_authconfig_spec
+66249d4 Always read request body when using Rack
+d5c9a2c (#19392) (CVE-2013-1653) Fix acceptance test to catch unvalidated model on 2.6
+ac44d87 (#19392) (CVE-2013-1653) Validate indirection model in save handler
+b01c728 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275)
+16fce8e (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname
+7648de2 (#19391) Backport Request#remote? method
+906ab92 (#8858) Explicitly set SSL peer verification mode.
+31dad7d (#8858) Refactor tests to use real HTTP objects
+6a7bd25 (#19392) (CVE-2013-1653) Validate instances passed to indirector
+ccf2e4c (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests
+add9998 (#19151) Reject SSLv2 SSL handshakes and ciphers
+d9ad70a (#14093) Restore access to the filename in the template
+f45cd4b (#14093) Remove unsafe attributes from TemplateWrapper
+
 2.6.17
 ===
 554eefc Reject directory traversal in store report processor

data/conf/auth.conf

@@ -58,10 +58,10 @@ path /certificate_revocation_list/ca
 method find
 allow *
 
-# allow all nodes to store their reports
-path /report
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
 method save
-allow *
+allow $1
 
 # inconditionnally allow access to all files services
 # which means in practice that fileserver.conf will

data/conf/redhat/puppet.spec

@@ -5,7 +5,7 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.6.17
+Version:        2.6.18
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        GPLv2
@@ -253,8 +253,11 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Sun Mar 10 2013 Matthaus Owens <matthaus@puppetlabs.com> - 2.6.18-1
+- Update for 2.6.18 (CVE-2013-1640, CVE-2013-1652, CVE-2013-1654, CVE-2013-2274, CVE-2013-2275)
+
 * Mon Jul 19 2012 Moses Mendoza <moses@puppetlabs.com> - 2.6.17-1
-- Update for 2.7.17
+- Update for 2.6.17
 
 * Mon Dec 12 2011 Matthaus Litteken <matthaus@puppetlabs.com> - 2.6.13-1
 - Release of 2.6.13

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.6.17'
+  PUPPETVERSION = '2.6.18'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/indirector/catalog/compiler.rb

@@ -13,7 +13,9 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
 
   def extract_facts_from_request(request)
     return unless text_facts = request.options[:facts]
-    raise ArgumentError, "Facts but no fact format provided for #{request.name}" unless format = request.options[:facts_format]
+    unless format = request.options[:facts_format]
+      raise ArgumentError, "Facts but no fact format provided for #{request.key}"
+    end
 
     # If the facts were encoded as yaml, then the param reconstitution system
     # in Network::HTTP::Handler will automagically deserialize the value.
@@ -22,6 +24,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     else
       facts = Puppet::Node::Facts.convert_from(format, text_facts)
     end
+
+    unless facts.name == request.key
+      raise Puppet::Error, "Catalog for #{request.key.inspect} was requested with fact definition for the wrong node (#{facts.name.inspect})."
+    end
+
     facts.save
   end
 
@@ -104,7 +111,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   # to find the node.
   def node_from_request(request)
     if node = request.options[:use_node]
-      return node
+      if request.remote?
+        raise Puppet::Error, "Invalid option use_node for a remote request"
+      else
+        return node
+      end
     end
 
     # We rely on our authorization system to determine whether the connected

data/lib/puppet/indirector/errors.rb

@@ -0,0 +1,5 @@
+require 'puppet/error'
+
+module Puppet::Indirector
+  class ValidationError < Puppet::Error; end
+end

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -48,6 +48,10 @@ module Puppet::FileBucketFile
       instance.to_s
     end
 
+    def validate_key(request)
+      # There are no ACLs on filebucket files so validating key is not important
+    end
+
     private
 
     def path_match(dir_path, files_original_path)

data/lib/puppet/indirector/file_bucket_file/selector.rb

@@ -44,6 +44,10 @@ module Puppet::FileBucketFile
         true
       end
     end
+
+    def validate_key(request)
+      get_terminus(request).validate(request)
+    end
   end
 end
 

data/lib/puppet/indirector/indirection.rb

@@ -301,6 +301,7 @@ class Puppet::Indirector::Indirection
 
     dest_terminus = terminus(terminus_name)
     check_authorization(request, dest_terminus)
+    dest_terminus.validate(request)
 
     dest_terminus
   end

data/lib/puppet/indirector/request.rb

@@ -149,6 +149,10 @@ class Puppet::Indirector::Request
     return(uri ? uri : "/#{indirection_name}/#{key}")
   end
 
+  def remote?
+    self.node or self.ip
+  end
+
   private
 
   def set_attributes(options)

data/lib/puppet/indirector/resource/ral.rb

@@ -1,4 +1,8 @@
+require 'puppet/indirector/resource/validator'
+
 class Puppet::Resource::Ral < Puppet::Indirector::Code
+  include Puppet::Resource::Validator
+
   def find( request )
     # find by name
     res   = type(request).instances.find { |o| o.name == resource_name(request) }

data/lib/puppet/indirector/resource/validator.rb

@@ -0,0 +1,8 @@
+module Puppet::Resource::Validator
+  def validate_key(request)
+    type, title = request.key.split('/', 2)
+    unless type.downcase == request.instance.type.downcase and title == request.instance.title
+      raise Puppet::Indirector::ValidationError, "Resource instance does not match request key"
+    end
+  end
+end

data/lib/puppet/indirector/rest.rb

@@ -107,6 +107,10 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
     deserialize network(request).put(indirection2uri(request), request.instance.render, headers.merge({ "Content-Type" => request.instance.mime }))
   end
 
+  def validate_key(request)
+    # Validation happens on the remote end
+  end
+
   private
 
   def environment

data/lib/puppet/indirector/run/local.rb

@@ -5,4 +5,8 @@ class Puppet::Run::Local < Puppet::Indirector::Code
   def save( request )
     request.instance.run
   end
+
+  def validate_key(request)
+    # No key is necessary for kick
+  end
 end

data/lib/puppet/indirector/terminus.rb

@@ -1,4 +1,5 @@
 require 'puppet/indirector'
+require 'puppet/indirector/errors'
 require 'puppet/indirector/indirection'
 require 'puppet/util/instance_loader'
 
@@ -145,4 +146,23 @@ class Puppet::Indirector::Terminus
   def terminus_type
     self.class.terminus_type
   end
+
+  def validate(request)
+    if request.instance
+      validate_model(request)
+      validate_key(request)
+    end
+  end
+
+  def validate_key(request)
+    unless request.key == request.instance.name
+      raise Puppet::Indirector::ValidationError, "Instance name #{request.instance.name.inspect} does not match requested key #{request.key.inspect}"
+    end
+  end
+
+  def validate_model(request)
+    unless model === request.instance
+      raise Puppet::Indirector::ValidationError, "Invalid instance type #{request.instance.class.inspect}, expected #{model.inspect}"
+    end
+  end
 end

data/lib/puppet/network/http/handler.rb

@@ -70,6 +70,8 @@ module Puppet::Network::HTTP::Handler
     raise
   rescue Exception => e
     return do_exception(response, e)
+  ensure
+    cleanup(request)
   end
 
   # Set the response up, with the body and status.
@@ -155,6 +157,9 @@ module Puppet::Network::HTTP::Handler
 
     format = request_format(request)
     obj = indirection_request.model.convert_from(format, data)
+    unless indirection_request.model === obj
+      raise ArgumentError, "Request data must be of type #{indirection_request.model.inspect}"
+    end
     result = save_object(indirection_request, obj)
     return_yaml_response(response, result)
   end
@@ -217,6 +222,10 @@ module Puppet::Network::HTTP::Handler
     raise NotImplementedError
   end
 
+  def cleanup(request)
+    # By default, there is nothing to cleanup.
+  end
+
   def decode_params(params)
     params.inject({}) do |result, ary|
       param, value = ary

data/lib/puppet/network/http/rack/rest.rb

@@ -73,12 +73,17 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
   end
 
   # return the request body
-  # request.body has some limitiations, so we need to concat it back
-  # into a regular string, which is something puppet can use.
   def body(request)
     request.body.read
   end
 
+  # Passenger freaks out if we finish handling the request without reading any
+  # part of the body, so make sure we have.
+  def cleanup(request)
+    request.body.read(1)
+    nil
+  end
+
   def extract_client_info(request)
     result = {}
     result[:ip] = request.ip

data/lib/puppet/network/http/webrick.rb

@@ -104,6 +104,7 @@ class Puppet::Network::HTTP::WEBrick
     results[:SSLCertificate] = host.certificate.content
     results[:SSLStartImmediately] = true
     results[:SSLEnable] = true
+    results[:SSLOptions] = OpenSSL::SSL::OP_NO_SSLv2
 
     raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.find(Puppet::SSL::CA_NAME)
 

data/lib/puppet/network/http_pool.rb

@@ -50,14 +50,23 @@ module Puppet::Network::HttpPool
 
   # Use cert information from a Puppet client to set up the http object.
   def self.cert_setup(http)
-    # Just no-op if we don't have certs.
-    return false unless FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
-
-    http.cert_store = ssl_host.ssl_store
-    http.ca_file = Puppet[:localcacert]
-    http.cert = ssl_host.certificate.content
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    http.key = ssl_host.key.content
+    if FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
+      http.cert_store  = ssl_host.ssl_store
+      http.ca_file     = Puppet[:localcacert]
+      http.cert        = ssl_host.certificate.content
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http.key         = ssl_host.key.content
+    else
+      # We don't have the local certificates, so we don't do any verification
+      # or setup at this early stage.  REVISIT: Shouldn't we supply the local
+      # certificate details if we have them?  The original code didn't.
+      # --daniel 2012-06-03
+
+      # Ruby 1.8 defaulted to this, but 1.9 defaults to peer verify, and we
+      # almost always talk to a dedicated, not-standard CA that isn't trusted
+      # out of the box.  This forces the expected state.
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
   end
 
   # Retrieve a cached http instance if caching is enabled, else return

data/lib/puppet/network/rest_authconfig.rb

@@ -12,7 +12,7 @@ module Puppet
       # to fileserver.conf
       { :acl => "/file" },
       { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
-      { :acl => "/report", :method => :save, :authenticated => true },
+      { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
       { :acl => "/certificate/ca", :method => :find, :authenticated => false },
       { :acl => "/certificate/", :method => :find, :authenticated => false },
       { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },

data/lib/puppet/parser/templatewrapper.rb

@@ -5,8 +5,6 @@ require 'erb'
 
 class Puppet::Parser::TemplateWrapper
   attr_writer :scope
-  attr_reader :file
-  attr_accessor :string
   include Puppet::Util
   Puppet::Util.logmethods(self)
 
@@ -14,6 +12,10 @@ class Puppet::Parser::TemplateWrapper
     @__scope__ = scope
   end
 
+  def file
+    @__file__
+  end
+
   def scope
     @__scope__
   end
@@ -68,41 +70,40 @@ class Puppet::Parser::TemplateWrapper
   end
 
   def file=(filename)
-    unless @file = Puppet::Parser::Files.find_template(filename, scope.compiler.environment.to_s)
+    unless @__file__ = Puppet::Parser::Files.find_template(filename, scope.compiler.environment.to_s)
       raise Puppet::ParseError, "Could not find template '#{filename}'"
     end
 
     # We'll only ever not have a parser in testing, but, eh.
-    scope.known_resource_types.watch_file(file)
-
-    @string = File.read(file)
+    scope.known_resource_types.watch_file(@__file__)
   end
 
   def result(string = nil)
     if string
-      self.string = string
       template_source = "inline template"
     else
-      template_source = file
+      string = File.read(@__file__)
+      template_source = @__file__
     end
 
     # Expose all the variables in our scope as instance variables of the
     # current object, making it possible to access them without conflict
     # to the regular methods.
     benchmark(:debug, "Bound template variables for #{template_source}") do
-      scope.to_hash.each { |name, value|
+      scope.to_hash.each do |name, value|
         if name.kind_of?(String)
           realname = name.gsub(/[^\w]/, "_")
         else
           realname = name
         end
         instance_variable_set("@#{realname}", value)
-      }
+      end
     end
 
     result = nil
     benchmark(:debug, "Interpolated template #{template_source}") do
-      template = ERB.new(self.string, 0, "-")
+      template = ERB.new(string, 0, "-")
+      template.filename = @__file__
       result = template.result(binding)
     end
 
@@ -110,6 +111,6 @@ class Puppet::Parser::TemplateWrapper
   end
 
   def to_s
-    "template[#{(file ? file : "inline")}]"
+    "template[#{(@__file__ ? @__file__ : "inline")}]"
   end
 end

data/lib/puppet/util/monkey_patches.rb

@@ -138,3 +138,46 @@ class IO
     lines
   end
 end
+
+# (#19151) Reject all SSLv2 ciphers and handshakes
+require 'openssl'
+class OpenSSL::SSL::SSLContext
+  if match = /^1\.8\.(\d+)/.match(RUBY_VERSION)
+    older_than_187 = match[1].to_i < 7
+  else
+    older_than_187 = false
+  end
+
+  alias __original_initialize initialize
+  private :__original_initialize
+
+  if older_than_187
+    def initialize(*args)
+      __original_initialize(*args)
+      if bitmask = self.options
+        self.options = bitmask | OpenSSL::SSL::OP_NO_SSLv2
+      else
+        self.options = OpenSSL::SSL::OP_NO_SSLv2
+      end
+      # These are the default ciphers in recent MRI versions.  See
+      # https://github.com/ruby/ruby/blob/v1_9_3_392/ext/openssl/lib/openssl/ssl-internal.rb#L26
+      self.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"
+    end
+  else
+    if DEFAULT_PARAMS[:options]
+      DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2
+    else
+      DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2
+    end
+    DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
+
+    def initialize(*args)
+      __original_initialize(*args)
+      params = {
+        :options => DEFAULT_PARAMS[:options],
+        :ciphers => DEFAULT_PARAMS[:ciphers],
+      }
+      set_params(params)
+    end
+  end
+end