So I had another look at this and something doesn't add up. I believe that the CVE is for CNs with / in them while the code checks the textual representation of the whole subject.
For example, when you have C=UK CN=test.v13.gr you end up having a textual representation of "/C=UK/CN=test.v13.gr" which fails the check because of the "/" in it but does not seem to fall within CVE's description.

I believe the problem lies in lib/puppet/ssl/certificate.rb which uses as name the full name instead of just CN. Puppet's internal CA doesn't have this problem because it only adds CN to the subject.

The patch is supposed to strip everything before and after the CN=xxx part. Please consider the attached patch which I believe changes the representation of the certificate name to be just the CN field. There's a bug in it in case another field contains the string CN= in it, which will result in a failure to match the certificate name but I believe this is minor, hard to work around and not a security risk.

If you have a close look you'll see that puppet was already stripping the CN= part but was failing miserably when there were other parts in the subject or the issuer.

p.s. I don't claim to have any knowledge of puppet's code. This is just a quick hack so standard disclaimers apply.

Thanks,
Stefanos
diff -Nur puppet-2.7.18.orig/lib/puppet/ssl/certificate.rb puppet-2.7.18/lib/puppet/ssl/certificate.rb --- puppet-2.7.18.orig/lib/puppet/ssl/certificate.rb 2012-07-09 23:08:16.000000000 +0100 +++ puppet-2.7.18/lib/puppet/ssl/certificate.rb 2013-04-16 01:48:08.763992157 +0100 @@ -15,7 +15,7 @@ # Convert a string into an instance. def self.from_s(string) instance = wrapped_class.new(string) - name = instance.subject.to_s.sub(/\/CN=/i, '').downcase + name = instance.subject.to_s.sub(/.*\/CN=([^\/]*)($|\/.*)/i, '\n').downcase result = new(name) result.content = instance result
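Review bot: The replacement string on the added line is '\n', which Ruby's sub does not treat as a backreference, so the text captured by ([^\/]*) is never substituted into the name; '\1' would refer to that group. Separately, when the subject has no /CN= component the pattern does not match and sub returns the whole subject string unchanged, so a guard for a missing CN would be worth adding. The greedy leading .* also picks the last /CN= when the subject contains more than one, which deserves a comment stating whether that is intended.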
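The difference between deriving the name from the subject's one-line string and reading the CN field itself, as an added example that is not part of the original message or of Puppet's code. The sample subjects are constructed, and `name_from_subject_string` and `common_name` are hypothetical helper names; the first reproduces the expression on the removed line of the diff.

```ruby
require 'openssl'

# Constructed sample subjects; none comes from a real certificate.
CN_ONLY    = OpenSSL::X509::Name.new([['CN', 'test.v13.gr']])
WITH_C     = OpenSSL::X509::Name.new([['C', 'UK'], ['CN', 'Test.v13.gr']])
CN_IN_O    = OpenSSL::X509::Name.new([['O', 'Dept CN=x'], ['CN', 'host.example']])
WITHOUT_CN = OpenSSL::X509::Name.new([['C', 'UK'], ['O', 'Example']])

# The expression from the removed line of the diff: it deletes the first
# "/CN=" from the one-line form and keeps every other component.
def name_from_subject_string(subject)
  subject.to_s.sub(/\/CN=/i, '').downcase
end

# Hypothetical helper: read the CN from the parsed subject fields, so the
# result does not depend on what other fields exist or what they contain.
# Returns nil when the subject has no CN; takes the first CN if several exist.
def common_name(subject)
  entry = subject.to_a.find { |field, _value, _type| field == 'CN' }
  entry ? entry[1].downcase : nil
end

if __FILE__ == $PROGRAM_NAME
  [CN_ONLY, WITH_C, CN_IN_O, WITHOUT_CN].each do |subject|
    puts "#{subject}: string-based=#{name_from_subject_string(subject).inspect} " \
         "field-based=#{common_name(subject).inspect}"
  end
end
```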