~ubuntu-branches/ubuntu/precise/puppet/precise-security

Viewing changes to .pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving.rb

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-07-10 07:58:03 UTC
Revision ID: package-import@ubuntu.com-20120710075803-og8iubg2a90dtk7f

Tags: 2.7.11-1ubuntu2.1

* SECURITY UPDATE: Multiple July 2012 security issues
  - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch: upstream
    patch to fix multiple security issues.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3866: last_run_report.yaml report file is world readable and
    leads to arbitrary file read on master by an agent
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

files added:
.pc/.quilt_patches

.pc/.quilt_series

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/application

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/application/master.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/defaults.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face/file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face/file/download.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file/indirection_hooks.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/configuration.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/content.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/indirection_hooks.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/metadata.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/mount

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/mount/modules.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/terminus_selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_bucket_file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_bucket_file/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_content

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_content/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_metadata

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_metadata/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/network/authstore.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/reports

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/reports/store.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/base.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority/interface.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/host.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_bucket

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_bucket/file_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving/content_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving/metadata_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/network/rest_authconfig_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving_model.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/configuration_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/content_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/indirection_hooks_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/metadata_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/mount

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/mount/modules_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/terminus_selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_bucket_file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_bucket_file/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_content

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_content/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_metadata

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_metadata/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network/handler

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network/handler/ca_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/reports

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/reports/store_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority/interface_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority_spec.rb

debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch

lib/puppet/file_serving/terminus_selector.rb

lib/puppet/indirector/file_bucket_file/selector.rb

lib/puppet/indirector/file_content/selector.rb

lib/puppet/indirector/file_metadata/selector.rb

spec/integration/file_bucket

spec/integration/file_bucket/file_spec.rb

spec/shared_behaviours/file_serving_model.rb

spec/unit/file_serving/terminus_selector_spec.rb

spec/unit/indirector/file_bucket_file/selector_spec.rb

spec/unit/indirector/file_content/selector_spec.rb

spec/unit/indirector/file_metadata/selector_spec.rb

files removed:
lib/puppet/file_bucket/file

lib/puppet/file_bucket/file/indirection_hooks.rb

lib/puppet/file_serving/indirection_hooks.rb

spec/unit/file_serving/indirection_hooks_spec.rb

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

lib/puppet/application/master.rb

lib/puppet/defaults.rb

lib/puppet/face/file/download.rb

lib/puppet/file_bucket/file.rb

lib/puppet/file_serving/configuration.rb

lib/puppet/file_serving/content.rb

lib/puppet/file_serving/metadata.rb

lib/puppet/file_serving/mount/modules.rb

lib/puppet/network/authstore.rb

lib/puppet/reports/store.rb

lib/puppet/ssl/base.rb

lib/puppet/ssl/certificate_authority.rb

lib/puppet/ssl/certificate_authority/interface.rb

lib/puppet/ssl/host.rb

spec/integration/file_serving/content_spec.rb

spec/integration/file_serving/metadata_spec.rb

spec/integration/network/rest_authconfig_spec.rb

spec/shared_behaviours/file_serving.rb

spec/unit/file_serving/configuration_spec.rb

spec/unit/file_serving/content_spec.rb

spec/unit/file_serving/metadata_spec.rb

spec/unit/file_serving/mount/modules_spec.rb

spec/unit/network/handler/ca_spec.rb

spec/unit/reports/store_spec.rb

spec/unit/ssl/certificate_authority/interface_spec.rb

spec/unit/ssl/certificate_authority_spec.rb

Show diffs side-by-side

added added

removed removed

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving.rb

#!/usr/bin/env rspec

shared_examples_for "Puppet::FileServing::Files" do

it "should use the rest terminus when the 'puppet' URI scheme is used and a host name is present" do

uri = "puppet://myhost/fakemod/my/file"

# It appears that the mocking somehow interferes with the caching subsystem.

# This mock somehow causes another terminus to get generated.

term = @indirection.terminus(:rest)

@indirection.stubs(:terminus).with(:rest).returns term

term.expects(:find)

@indirection.find(uri)

end

it "should use the rest terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is not 'puppet' or 'apply'" do

uri = "puppet:///fakemod/my/file"

Puppet.settings.stubs(:value).returns "foo"

Puppet.settings.stubs(:value).with(:name).returns("puppetd")

Puppet.settings.stubs(:value).with(:modulepath).returns("")

@indirection.terminus(:rest).expects(:find)

@indirection.find(uri)

end

it "should use the file_server terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is 'puppet'" do

uri = "puppet:///fakemod/my/file"

Puppet::Node::Environment.stubs(:new).returns(stub("env", :name => "testing", :module => nil, :modulepath => []))

Puppet.settings.stubs(:value).returns ""

Puppet.settings.stubs(:value).with(:name).returns("puppet")

Puppet.settings.stubs(:value).with(:fileserverconfig).returns("/whatever")

@indirection.terminus(:file_server).expects(:find)

@indirection.terminus(:file_server).stubs(:authorized?).returns(true)

@indirection.find(uri)

end

it "should use the file_server terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is 'apply'" do

uri = "puppet:///fakemod/my/file"

Puppet::Node::Environment.stubs(:new).returns(stub("env", :name => "testing", :module => nil, :modulepath => []))

Puppet.settings.stubs(:value).returns ""

Puppet.settings.stubs(:value).with(:name).returns("apply")

Puppet.settings.stubs(:value).with(:fileserverconfig).returns("/whatever")

@indirection.terminus(:file_server).expects(:find)

@indirection.terminus(:file_server).stubs(:authorized?).returns(true)

@indirection.find(uri)

end

it "should use the file terminus when the 'file' URI scheme is used" do

uri = Puppet::Util.path_to_uri(File.expand_path('/fakemod/my/other file'))

uri.scheme.should == 'file'

@indirection.terminus(:file).expects(:find)

@indirection.find(uri.to_s)

end

it "should use the file terminus when a fully qualified path is provided" do

uri = File.expand_path("/fakemod/my/file")

@indirection.terminus(:file).expects(:find)

@indirection.find(uri)

end

it "should use the configuration to test whether the request is allowed" do

uri = "fakemod/my/file"

mount = mock 'mount'

config = stub 'configuration', :split_path => [mount, "eh"]

@indirection.terminus(:file_server).stubs(:configuration).returns config

@indirection.terminus(:file_server).expects(:find)

mount.expects(:allowed?).returns(true)

@indirection.find(uri, :node => "foo", :ip => "bar")

end

Older »