From 178337ee6f953919c68950fd402ae843fd858409 Mon Sep 17 00:00:00 2001
From: Paula McMaw
Date: Thu, 16 Nov 2017 16:01:23 +0000
Subject: [PATCH 1/3] (FM-6583) - Update test

---
 spec/acceptance/custom_config_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb
index c8e254e858..e3668c0165 100644
--- a/spec/acceptance/custom_config_spec.rb
+++ b/spec/acceptance/custom_config_spec.rb
@@ -15,7 +15,7 @@ class { 'apache': }
 end
 describe file("#{$confd_dir}/25-acceptance_test.conf") do
- it { is_expected.not_to be_file }
+ it { expect(file).not_to exist }
 end
 end

From 5f6664a338180844d2acaacbe9cefe7f26ad7919 Mon Sep 17 00:00:00 2001
From: tphoney
Date: Mon, 20 Nov 2017 17:46:59 +0000
Subject: [PATCH 2/3] MODULES-6070 Improvements for tasks and testing

---
 Gemfile | 1 +
 spec/acceptance/init_task_spec.rb | 4 +--
 spec/spec_helper_acceptance.rb | 45 +------------------------------
 tasks/init.json | 4 +++
 tasks/init.rb | 19 ++++++++++---
 5 files changed, 24 insertions(+), 49 deletions(-)

diff --git a/Gemfile b/Gemfile
index a9f0161c79..8bd07c79b0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -51,6 +51,7 @@ group :system_tests do
 gem "beaker-hostgenerator", *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION'])
 gem "beaker-abs", *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')
 gem "puppet-blacksmith", '~> 3.4', :require => false
+ gem "beaker-task_helper"
 end
 
 gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION'])
diff --git a/spec/acceptance/init_task_spec.rb b/spec/acceptance/init_task_spec.rb
index 78bdaa05e6..ef87c948bf 100644
--- a/spec/acceptance/init_task_spec.rb
+++ b/spec/acceptance/init_task_spec.rb
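Review bot: The new example asserts on `expect(file)` with no path argument, so unless Serverspec's `file` helper falls back to the described resource (it appears to take a name argument), the expectation no longer refers to `#{$confd_dir}/25-acceptance_test.conf` and can pass whether or not that file exists. Keeping the described subject preserves the test's intent: `it { is_expected.not_to exist }`. The enclosing `describe`/`context` blocks of this example start outside the hunk.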
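Review bot: `gem "beaker-task_helper"` is added with no version constraint, whereas the neighbouring entries pin through `location_for(ENV[...])` or a `~>` range, so every acceptance run resolves whatever the newest release happens to be. That matters because spec/spec_helper_acceptance.rb in this same commit deletes its local `install_bolt_on`, `pe_install?`, `run_task` and `expect_multiple_regexes` definitions and requires `beaker/task_helper` instead, so an incompatible gem release silently changes how the tasks are exercised. Following the sibling pattern would be `gem "beaker-task_helper", *location_for(ENV['BEAKER_TASK_HELPER_VERSION'] || '~> <pinned-version>')`, where the env name and range are constructed placeholders for the maintainer to fill in.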
@@ -1,7 +1,7 @@
 # run a test task
 require 'spec_helper_acceptance'
 
-describe 'apache tasks', if: pe_install? && puppet_version =~ %r{(5\.\d\.\d)} do
+describe 'apache tasks', if: puppet_version =~ %r{(5\.\d\.\d)} && fact('operatingsystem') != 'SLES' do
 describe 'reload' do
 it 'execute reload' do
 pp = <<-EOS
@@ -14,7 +14,7 @@ class { 'apache':
 apply_manifest(pp, :catch_failures => true)
 result = run_task(task_name: 'apache', params: 'action=reload')
- expect_multiple_regexes(result: result, regexes: [%r{reload successful}, %r{Job completed. 1/1 nodes succeeded}])
+ expect_multiple_regexes(result: result, regexes: [%r{reload successful}, %r{Job completed. 1/1 nodes succeeded|Ran on 1 node}])
 end
 end
 end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 39e47a849f..eca266ce03 100644
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -2,56 +2,13 @@
 require 'beaker-rspec/helpers/serverspec'
 require 'beaker/puppet_install_helper'
 require 'beaker/module_install_helper'
-
-def install_bolt_on(hosts)
- on(hosts, "/opt/puppetlabs/puppet/bin/gem install --source http://rubygems.delivery.puppetlabs.net bolt -v '> 0.0.1'", acceptable_exit_codes: [0, 1]).stdout
-end
-
-def pe_install?
- ENV['PUPPET_INSTALL_TYPE'] =~ %r{pe}i
-end
-
-def puppet_version
- (on default, puppet('--version')).output.chomp
-end
+require 'beaker/task_helper'
 
 run_puppet_install_helper
 install_bolt_on(hosts) unless pe_install?
 install_module_on(hosts)
 install_module_dependencies_on(hosts)
 
-DEFAULT_PASSWORD = if default[:hypervisor] == 'vagrant'
- 'vagrant'
- elsif default[:hypervisor] == 'vcloud'
- 'Qu@lity!'
- end
-
-def run_puppet_access_login(user:, password: '~!@#$%^*-/ aZ', lifetime: '5y')
- on(master, puppet('access', 'login', '--username', user, '--lifetime', lifetime), stdin: password)
-end
-
-def run_task(task_name:, params: nil, password: DEFAULT_PASSWORD)
- if pe_install?
- run_puppet_task(task_name: task_name, params: params)
- else
- run_bolt_task(task_name: task_name, params: params, password: password)
- end
-end
-
-def run_bolt_task(task_name:, params: nil, password: DEFAULT_PASSWORD)
- on(master, "/opt/puppetlabs/puppet/bin/bolt task run #{task_name} --modules /etc/puppetlabs/code/modules/service --nodes localhost --password #{password} #{params}", acceptable_exit_codes: [0, 1]).stdout # rubocop:disable Metrics/LineLength
-end
-
-def run_puppet_task(task_name:, params: nil)
- on(master, puppet('task', 'run', task_name, '--nodes', fact_on(master, 'fqdn'), params.to_s), acceptable_exit_codes: [0, 1]).stdout
-end
-
-def expect_multiple_regexes(result:, regexes:)
- regexes.each do |regex|
- expect(result).to match(regex)
- end
-end
-
 RSpec.configure do |c|
 c.filter_run :focus => true
 c.run_all_when_everything_filtered = true
diff --git a/tasks/init.json b/tasks/init.json
index 0d0ceaeb40..3822ed643c 100644
--- a/tasks/init.json
+++ b/tasks/init.json
@@ -5,6 +5,10 @@
 "action": {
 "description": "Action to perform ",
 "type": "Enum[reload]"
+ },
+ "service_name": {
+ "description": "The name of the apache service ",
+ "type": "Optional[String[1]]"
 }
 }
 }
diff --git a/tasks/init.rb b/tasks/init.rb
index a6a474d080..38ecd463be 100755
--- a/tasks/init.rb
+++ b/tasks/init.rb
@@ -3,8 +3,20 @@
 require 'open3'
 require 'puppet'
 
-def service(action)
- cmd_string = "service apache2 #{action}"
+def service(action, service_name)
+ if service_name.nil?
+ cmd_string = "facter -p osfamily"
+ stdout, stderr, status = Open3.capture3(cmd_string)
+ osfamily = stdout.strip
+ if osfamily == 'RedHat'
+ service_name = 'httpd'
+ elsif osfamily == 'FreeBSD'
+ service_name = 'apache24'
+ else
+ service_name = 'apache2'
+ end
+ end
+ cmd_string = "service #{service_name} #{action}"
 stdout, stderr, status = Open3.capture3(cmd_string)
 raise Puppet::Error, stderr if status != 0
 { status: "#{action} successful" }
@@ -12,9 +24,10 @@ def service(action)
 
 params = JSON.parse(STDIN.read)
 action = params['action']
+service_name = params['service_name']
 
 begin
- result = service(action)
+ result = service(action, service_name)
 puts result.to_json
 exit 0
 rescue Puppet::Error => e

From 926edf82c143c23be628cf825a8175e0036f25b1 Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Wed, 31 Jan 2018 16:50:40 -0800
Subject: [PATCH 3/3] (RE-10220) Fix CVE-2018-6508

---
 CHANGELOG.md | 7 +++++++
 metadata.json | 2 +-
 tasks/init.rb | 6 ++----
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46ee4e92fd..c7e21dfed1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
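Review bot: The new `service_name` parameter is typed `Optional[String[1]]`, which accepts any non-empty string including whitespace and shell metacharacters, and tasks/init.rb in this same commit interpolates that value straight into a `service` command string. A narrower Puppet type such as `"type": "Optional[Pattern[/\\A[A-Za-z0-9_.][A-Za-z0-9_.-]*\\z/]]"` limits the value to plausible service names at the metadata layer, independently of how the script later builds its command. The added `description` also carries a trailing space (`"The name of the apache service "`), copying the existing `"Action to perform "`, which is worth trimming while here.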
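Review bot: In the new `service`, the caller-supplied `service_name` is interpolated into `cmd_string = "service #{service_name} #{action}"` and handed to `Open3.capture3(cmd_string)` as a single string, which is run through the shell, so a task parameter containing shell metacharacters executes arbitrary commands as the agent user; the `facter -p osfamily` call is built the same way (no untrusted input there, but the same pattern). `[PATCH 3/3]` later in this series, the CVE-2018-6508 fix, replaces both calls with the argument-list form `Open3.capture3('service', service_name, action)`, which is the right correction, and this commit should not stand without it. Separately, the `stdout, stderr, status` from the facter call are never checked, so a missing or failing facter yields an empty `osfamily` and a silent fallback to `apache2`; `raise Puppet::Error, stderr unless status.success?` directly after that call would surface the failure. The second hunk passes `params['service_name']` through unchanged, and the `Optional[String[1]]` type added to tasks/init.json does not restrict its content.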
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org).
 
+## Supported Release [2.3.1]
+### Summary
+This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks.
+
+### Fixed
+- Fix init task for arbitrary remote code
+
 ## Supported Release [2.3.0]
 ### Summary
 This is a feature release. It includes a task that will reload the apache service.
diff --git a/metadata.json b/metadata.json
index 0f9f5e8275..5734f55110 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "puppetlabs-apache",
- "version": "2.3.0",
+ "version": "2.3.1",
 "author": "puppet",
 "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.",
 "license": "Apache-2.0",
diff --git a/tasks/init.rb b/tasks/init.rb
index 38ecd463be..e902ed5b3d 100755
--- a/tasks/init.rb
+++ b/tasks/init.rb
@@ -5,8 +5,7 @@
 
 def service(action, service_name)
 if service_name.nil?
- cmd_string = "facter -p osfamily"
- stdout, stderr, status = Open3.capture3(cmd_string)
+ stdout, stderr, status = Open3.capture3('facter', '-p', 'osfamily')
 osfamily = stdout.strip
 if osfamily == 'RedHat'
 service_name = 'httpd'
@@ -16,8 +15,7 @@ def service(action, service_name)
 service_name = 'apache2'
 end
 end
- cmd_string = "service #{service_name} #{action}"
- stdout, stderr, status = Open3.capture3(cmd_string)
+ _stdout, stderr, status = Open3.capture3('service', service_name, action)
 raise Puppet::Error, stderr if status != 0
 { status: "#{action} successful" }
 end
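Review bot: The argument-list form removes shell interpretation, but `service_name` still reaches `service` unvalidated, and the `stderr, status` returned by the new `Open3.capture3('facter', '-p', 'osfamily')` line are discarded, so a failing or absent facter leaves `osfamily` empty and the task silently operates on `apache2`. A guard at the top of `service`, `raise Puppet::Error, "invalid service_name" unless service_name.nil? || service_name =~ /\A[A-Za-z0-9_.][A-Za-z0-9_.-]*\z/`, rejects values that `service` would parse as options (a leading `-`) or that are not service names at all, and `raise Puppet::Error, stderr unless status.success?` after the facter call reports the lookup failure instead of guessing. In the second hunk the retained `status != 0` comparison would read more naturally as `unless status.success?`, matching the `_stdout` cleanup already done on that line. The `def` line of `service` is context in this hunk and its closing `end` is in the second one.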