Bug #19629 (closed): Fix for CVE-2023-28755 breaks "puppet apply" run
Description
(Not necessarily a bug in Ruby - chances are I should have formatted my Puppet file URIs differently from the get-go.)
However, since yesterday I'm getting these errors when running `puppet apply`:
Could not evaluate: Could not retrieve file metadata for puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades: Failed to open TCP connection to :8140 (Connection refused - connect(2) for "" port 8140)
I think the reason this happens now in an otherwise completely unchanged environment is that on my Ubuntu system, a new ruby2.7 package has been installed, due to CVE-2023-28755. See http://changelogs.ubuntu.com/changelogs/pool/main/r/ruby2.7/ruby2.7_2.7.0-5ubuntu1.9/changelog for the backport info.
The patch info (URI.parse should set empty string in host instead of nil in lib/uri/rfc3986_parser.rb, raise ArgumentError with empty host url again in lib/net/http/generic_request.rb.) sounds exactly like the reason I'm suddenly running into this error: `puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades` is a URI with an empty hostname - or is it? It's actually meant to refer to a local file, not a file on remote host ""; however, this is how it now seems to be interpreted: protocol `puppet`, hostname `""`, path `/modules/unattended_upgrades...`.
Because the patched code now returns `""` for the hostname instead of `nil`, it tries to do a hostname lookup for `""`, which of course fails.
Not sure if this is an intended consequence of the patch in this specific context, which is why I'm reporting it.
Updated by ManuelKiessling (Manuel Kießling) over 1 year ago
Updated by jeremyevans0 (Jeremy Evans) over 1 year ago
- Status changed from Open to Third Party's Issue
In Ruby 2.7.8 and 3.0.6, `URI#host` returns `nil`. Ruby 3.1.4 and 3.2.2 return `""`:
$ ruby32 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby31 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby30 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
$ ruby27 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
Not sure why the Ubuntu Ruby 2.7 behavior is different, but I would guess it is due to how they backported it. You should probably report the issue to the Ubuntu developers. Looking at the PuppetLabs ticket, they say basically the same thing.
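The version differences above mean that code consuming `puppet://` source URIs sees either `nil` or `""` for a hostless URI depending on which Ruby (or which distribution backport) it runs on. The following is an added example, not code from the ticket, from Puppet or from Ruby's own `uri` library: it normalises both representations to "no host" before deciding whether a source is local or remote, so the empty-string host never reaches a TCP connect. The remote hostname `puppetmaster.example.internal` and the default port 8140 are constructed values (the port is taken from the error message in the report); the local URI is the one quoted in the report.

```ruby
require "uri"

# Sample inputs: the first is the URI from the bug report, the second is constructed.
PUPPET_LOCAL  = "puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades"
PUPPET_REMOTE = "puppet://puppetmaster.example.internal:8140/modules/foo/bar"

# Assumed default port for a remote puppet:// source when none is given.
DEFAULT_PUPPET_PORT = 8140

# Returns the URI's host, or nil when there is none. Ruby <= 3.0.x reports a
# missing authority as nil, Ruby 3.1.4 / 3.2.2 (and the Ubuntu 2.7 backport)
# report it as "", so both are folded into nil here.
def normalized_host(uri)
  host = uri.host
  host.nil? || host.empty? ? nil : host
end

# Classifies a puppet:// source URI as :local (served from the module path on
# this node) or :remote (fetched from a puppet server). Only a :remote result
# carries a host and port that a caller may open a connection to.
def classify_puppet_source(str)
  uri = URI.parse(str)
  raise ArgumentError, "not a puppet URI: #{str}" unless uri.scheme == "puppet"

  host = normalized_host(uri)
  if host
    { kind: :remote, host: host, port: uri.port || DEFAULT_PUPPET_PORT, path: uri.path }
  else
    { kind: :local, host: nil, port: nil, path: uri.path }
  end
end

# Guard to place in front of any network call: refuses to build a connection
# target for a source that has no usable host instead of connecting to "".
def connection_target(str)
  source = classify_puppet_source(str)
  raise ArgumentError, "refusing to connect for local source #{str}" if source[:kind] == :local
  "#{source[:host]}:#{source[:port]}"
end

if __FILE__ == $PROGRAM_NAME
  p classify_puppet_source(PUPPET_LOCAL)
  p classify_puppet_source(PUPPET_REMOTE)
  p connection_target(PUPPET_REMOTE)
end
```

The point of `normalized_host` is that it is version-agnostic: the same check is correct on an unpatched 2.7, on 3.2.2, and on a distribution backport that changed `URI#host` without changing `Net::HTTP`, which is exactly the combination that produced the `connect(2) for "" port 8140` failure in the report.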
Updated by ManuelKiessling (Manuel Kießling) over 1 year ago
You are right, and they have already fixed it through https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/2018547.