puppet can no longer find puppet:// resources after ruby2.7 CVE Update

Bug #2018547 reported by Chris Lundquist
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| puppet (Ubuntu) | Invalid | Undecided | Unassigned | |
| ruby2.7 (Ubuntu) | Fix Released | Undecided | Leonidas S. Barbosa | |

Bug Description

Ubuntu 20.04 Focal
Package change: `ruby2.7`

`Changes from 2.7.0-5ubuntu1.8 to 2.7.0-5ubuntu1.9`

https://ubuntu.com/security/notices/USN-6055-1
Breaks Puppet apply / masterless puppet, by causing the agent to attempt to connect to 0.0.0.0

`URI.parse('puppet:///modules/hadoop/su.pam').host`

Puppet expects the above to return `nil`, and your patch explicitly says it should return an empty string. Empty strings are "truthy" values, compared to nil, a "falsy" value.

Puppet's behavior changes when `host` is present, and tries to connect to the puppet master, using that host. In the above case, it ends up trying to connect to 0.0.0.0.

This naturally doesn't work: the puppet agent is unable to "find" the required resource and then the puppet run fails.

```
# broken
irb(main):001:0> URI.parse(URI.escape('puppet:///modules/hadoop/su.pam')).host
(irb):1: warning: URI.escape is obsolete
=> ""
```

```
# Working 2.7, before the CVE
irb(main):001:0> RUBY_VERSION
=> "2.7.0"
irb(main):002:0> URI.parse(URI.escape('puppet:///modules/hadoop/su.pam')).host
(irb):2: warning: URI.escape is obsolete
=> nil
```

```
# Ruby 3.0 working
irb(main):001:0> require 'uri'
=> true
irb(main):002:0> URI.parse('puppet:///modules/hadoop/su.pam').host
=> nil
```

note:
`sin_addr=inet_addr("0.0.0.0")}, 16) = -1 ECONNREFUSED (Connection refused)`

from the `strace` of a similar file:
```
[pid 2205534] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5<TCP:[6296640]>
[pid 2205534] connect(5<TCP:[6296640]>, {sa_family=AF_INET, sin_port=htons(8140), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid 2205534] close(5<TCP:[6296640]>) = 0
...
[pid 2205534] writev(2<pipe:[6286934]>, [{iov_base="\33[1;31mError: /Stage[bootstrap2]/Apt_transport_s3/File[/usr/lib/apt/methods/s3]: Could not evaluate: Could not retrieve file metadata for puppet:///modules/apt_transport_s3/s3: Failed to open TCP connection to :8140 (Connection refused - connect(2) for \"\" port 8140)\33[0m", iov_len=270}, {iov_base="\n", iov_len=1}], 2 <unfinished ...>
[pid 2208271] futex(0x7fde7404ee88, FUTEX_WAIT_BITSET_PRIVATE, 0, {tv_sec=46467, tv_nsec=747121019}, FUTEX_BITSET_MATCH_ANY <unfinished ...>
[pid 2204312] <... read resumed>"\33[1;31mError: /Stage[bootstrap2]/Apt_transport_s3/File[/usr/lib/apt/methods/s3]: Could not evaluate: Could not retrieve file metadata for puppet:///modules/apt_transport_s3/s3: Failed to open TCP connection to :8140 (Connection refused - connect(2) for \"\" port 8140)\33[0m\n", 8192) = 271
```
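The routing decision the report describes, modelled as an added example (this is not Puppet's or Ruby's own code): the function names, the `:local`/`:remote` result shape and the server name are assumptions; the port 8140 is the one seen in the strace above.

```ruby
require 'uri'

# Added example (not Puppet's code): models the routing decision the report
# describes. A puppet:// URI with an empty authority means "serve from the
# local modulepath"; a host selects a remote server on port 8140 (the port
# seen in the report's strace). Whether URI#host is nil or "" for that empty
# authority depends on the installed uri implementation.
PUPPET_URI = 'puppet:///modules/hadoop/su.pam'
DEFAULT_PORT = 8140

# Fragile: relies on Ruby truthiness, so "" (truthy) is treated as a host.
# With the regressed ruby2.7 this yields a connect() to "" -> 0.0.0.0:8140.
def route_naive(host, path)
  if host
    { mode: :remote, server: host, port: DEFAULT_PORT, path: path }
  else
    { mode: :local, path: path }
  end
end

# Hardened: nil and "" are both "no host", independent of the URI parser.
def route_hardened(host, path)
  if host.nil? || host.empty?
    { mode: :local, path: path }
  else
    { mode: :remote, server: host, port: DEFAULT_PORT, path: path }
  end
end

# Parse a puppet:// URI and route it with the chosen policy (:route_naive
# or :route_hardened) using this interpreter's actual URI#host result.
def classify(uri_string, policy = :route_hardened)
  uri = URI.parse(uri_string)
  send(policy, uri.host, uri.path)
end

# Compare both policies for the two host values the report contrasts.
def compare_host_handling
  [nil, ''].map do |host|
    { host: host,
      naive: route_naive(host, '/modules/hadoop/su.pam')[:mode],
      hardened: route_hardened(host, '/modules/hadoop/su.pam')[:mode] }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_host_handling.each { |r| puts r.inspect }
  puts classify(PUPPET_URI).inspect
end
```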

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in puppet (Ubuntu):
status: New → Confirmed
Changed in ruby2.7 (Ubuntu):
status: New → Confirmed
tags: added: regression-update
Robie Basak (racb)
information type: Public → Public Security
Leonidas S. Barbosa (leosilvab) wrote :

Thanks for reporting this issue. I'm working on a regression/revert update ASAP.

Changed in ruby2.7 (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby2.7 - 2.7.0-5ubuntu1.10

---------------
ruby2.7 (2.7.0-5ubuntu1.10) focal-security; urgency=medium

  * SECURITY REGRESSION: URI.parse returning empty when it should return nil
    - reverting/removing patches for CVE-2023-28755-*.patch that changed the
      regex behaviour causing URI.parse to return '' instead previous
      behaviour nil as some applications expected to use the last one as
      return (LP: #2018547)

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 05 May 2023 04:37:32 -0300

Changed in ruby2.7 (Ubuntu):
status: Confirmed → Fix Released
Sergio Durigan Junior (sergiodj) wrote :

I talked to Lucas Kanashiro and he instructed me to mark this bug as Invalid for puppet.

Changed in puppet (Ubuntu):
status: Confirmed → Invalid
Chris Lundquist (clundquist) wrote :

Makes sense!
I opened it against both because of the interaction between the packages.

Thank you all for releasing a fix for this so quickly!
