From da3684c79d5fe6ece826e087e8693c75ac40414c Mon Sep 17 00:00:00 2001
From: Eric Putnam
Date: Thu, 1 Feb 2018 10:23:09 -0800
Subject: [PATCH 1/3] (PE-23473) fix for cve-2018-6508
---
 CHANGELOG.md | 7 +++++++
 metadata.json | 2 +-
 tasks/sql.rb | 10 +++++-----
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 95e73d905..3e5b7b13c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
+## Supported Release [5.2.1]
+### Summary
+This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks.
+
+### Fixed
+- Fix export and mysql tasks for arbitrary remote code
+
 ## Supported Release [5.2.0]
 ### Added
diff --git a/metadata.json b/metadata.json
index ea5d3c74d..e5c717976 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "puppetlabs-mysql",
- "version": "5.2.0",
+ "version": "5.2.1",
 "author": "Puppet Labs",
 "summary": "Installs, configures, and manages the MySQL service.",
 "license": "Apache-2.0",
diff --git a/tasks/sql.rb b/tasks/sql.rb
index 0d0ee8612..7e68c62a4 100755
--- a/tasks/sql.rb
+++ b/tasks/sql.rb
@@ -4,11 +4,11 @@
 require 'puppet'
 def get(sql, database, user, password)
- cmd_string = "mysql -e \"#{sql}\""
- cmd_string << " --database=#{database}" unless database.nil?
- cmd_string << " --user=#{user}" unless user.nil?
- cmd_string << " --password=#{password}" unless password.nil?
- stdout, _stderr, status = Open3.capture3(cmd_string)
+ cmd = ['mysql', '-e', sql]
+ cmd << " --database=#{database}" unless database.nil?
+ cmd << " --user=#{user}" unless user.nil?
+ cmd << " --password=#{password}" unless password.nil?
+ stdout, _stderr, status = Open3.capture3(*cmd)
 raise Puppet::Error, _("stderr: ' %{stderr}') % { stderr: stderr }") if status != 0
 { status: stdout.strip }
 end
From 05e302c3c497cdb63ccb947c86975b0007938e20 Mon Sep 17 00:00:00 2001
From: tphoney
Date: Fri, 2 Feb 2018 15:17:28 +0000
Subject: [PATCH 2/3] (maint) fix cli command string for task
---
 tasks/sql.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tasks/sql.rb b/tasks/sql.rb
index 7e68c62a4..8376b5699 100755
--- a/tasks/sql.rb
+++ b/tasks/sql.rb
@@ -4,11 +4,11 @@
 require 'puppet'
 def get(sql, database, user, password)
- cmd = ['mysql', '-e', sql]
- cmd << " --database=#{database}" unless database.nil?
- cmd << " --user=#{user}" unless user.nil?
- cmd << " --password=#{password}" unless password.nil?
- stdout, _stderr, status = Open3.capture3(*cmd)
+ cmd = ['mysql', '-e', "#{sql} "]
+ cmd << "--database=#{database}" unless database.nil?
+ cmd << "--user=#{user}" unless user.nil?
+ cmd << "--password=#{password}" unless password.nil?
+ stdout, stderr, status = Open3.capture3(*cmd)
 raise Puppet::Error, _("stderr: ' %{stderr}') % { stderr: stderr }") if status != 0
 { status: stdout.strip }
 end
From 4dbd3d40c7f546d4f0b0fd799639e43233eeb5f1 Mon Sep 17 00:00:00 2001
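Review bot: The password is still placed on the mysql command line by `cmd << " --password=#{password}" unless password.nil?` in the first tasks/sql.rb hunk, so although the argument-vector call takes the shell out of the path, the credential can remain visible in the process listing to other local users while the client runs. Consider handing it over outside argv, for example through a defaults file readable only by the task user and passed with `--defaults-extra-file=`, and record that choice in a comment above `get`. The changelog entry in this commit also names the export task, but the diffstat lists only tasks/sql.rb, so it is worth confirming that task received the same argument-vector treatment.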
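Review bot: The trailing space appended to the statement in `cmd = ['mysql', '-e', "#{sql} "]` (second tasks/sql.rb hunk) is unexplained, and the interpolation also turns a nil `sql` into `" "`, which mysql would presumably accept as an empty statement where the previous `sql` element would have made `Open3.capture3` reject the call. If the space works around a client quirk, say so in a comment on that line; otherwise pass `sql` unchanged and reject missing input before building `cmd`, e.g. `raise Puppet::Error, 'sql parameter is required' if sql.nil? || sql.strip.empty?`.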
From: Eric Putnam
Date: Tue, 6 Feb 2018 11:38:27 -0800
Subject: [PATCH 3/3] skip rubocop warning in task
For whatever reason, rubocop cannot see that stderr is indeed a used variable.
---
 tasks/sql.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/sql.rb b/tasks/sql.rb
index 8376b5699..29b2c6bda 100755
--- a/tasks/sql.rb
+++ b/tasks/sql.rb
@@ -8,7 +8,7 @@ def get(sql, database, user, password)
 cmd << "--database=#{database}" unless database.nil?
 cmd << "--user=#{user}" unless user.nil?
 cmd << "--password=#{password}" unless password.nil?
- stdout, stderr, status = Open3.capture3(*cmd)
+ stdout, stderr, status = Open3.capture3(*cmd) # rubocop:disable Lint/UselessAssignment
 raise Puppet::Error, _("stderr: ' %{stderr}') % { stderr: stderr }") if status != 0
 { status: stdout.strip }
 end
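Review bot: RuboCop's warning is accurate rather than spurious: on the unchanged `raise` line the `% { stderr: stderr }` sits inside the string literal handed to `_()`, so the local `stderr` is never read and the raised message is the literal template text instead of mysql's error output. Rather than disabling `Lint/UselessAssignment`, close the string before the format call, `raise Puppet::Error, _("stderr: '%{stderr}'") % { stderr: stderr } if status != 0`, and drop the inline disable. The same `raise` line appears as context in the two earlier tasks/sql.rb hunks of this series, and `get` begins above this hunk.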