Bug 1045212 (CVE-2013-4969)

Summary:

CVE-2013-4969 Puppet: Unsafe use of Temp files in File type

Product:

[Other] Security Response

Reporter:

Kurt Seifried <kseifried>

Component:

vulnerability

Assignee:

Ohad Levy <ohadlevy>

Status:

CLOSED CURRENTRELEASE

QA Contact:

Severity:

low

Docs Contact:

Priority:

low

Version:

unspecified

CC:

aortega, apevec, ayoung, bdunne, bkearney, ccoleman, chrisw, cpelland, dajohnso, dcleal, dmcphers, esammons, gkotton, gmollett, iboverma, iheim, jfrey, jialiu, jomara, jrafanie, jross, jrusnack, kseifried, lhh, lmeyer, markmc, matt, mcressma, mmccune, mmcgrath, obarenbo, ohadlevy, rbryant, sclewis, security-response-team, xlecauch, yeylon

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

puppet 3.4.1

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2014-10-03 07:06:12 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

1046902, 1047792, 1138953

Bug Blocks:

1045213

Attachments:

Description	Flags
CVE-2013-4969-2.7.x-temp-file.patch	none
CVE-2013-4969-3.3.x-temp-file.patch	none

Description Kurt Seifried 2013-12-19 21:29:39 UTC

Moses Mendoza of Puppet Labs reports:

Unsafe use of Temp files in File type (Local Privilege Escalation)
Assessed Risk Level: Medium

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to. The degree of difficulty to exploit this
vulnerability is high. We have not actually exploited this
vulnerability successfully.

Comment 1 Kurt Seifried 2013-12-19 21:48:55 UTC

Created attachment 839245 [details]
CVE-2013-4969-2.7.x-temp-file.patch

Comment 2 Kurt Seifried 2013-12-19 21:49:22 UTC

Created attachment 839246 [details]
CVE-2013-4969-3.3.x-temp-file.patch

Comment 4 Ratul Gupta 2013-12-30 11:20:33 UTC

External References:
http://puppetlabs.com/security/cve/cve-2013-4969

Comment 5 Ratul Gupta 2014-01-02 09:11:34 UTC

Created puppet tracking bugs for this issue:

Affects: fedora-all [bug 1047792]

Comment 6 Dominic Cleal 2014-01-09 13:25:34 UTC

Please note that there was a minor regression introduced in the fix for CVE-2013-4969, which affects the default mode of files created by Puppet file resources if no mode is specified.

This has been fixed in Puppet 3.4.2 and 2.7.25 via PUP-1255:
  https://tickets.puppetlabs.com/browse/PUP-1255

For the stable/3.4.x branch, these patches fix it:
  https://github.com/puppetlabs/puppet/commit/6cabaa048
  https://github.com/puppetlabs/puppet/commit/a4af858e8

For the 2.7.x branch, this fixes it:
  https://github.com/puppetlabs/puppet/commit/6a11abb8a

Comment 7 Sam Kottler 2014-01-14 10:49:58 UTC

Puppet 3.4.2 and 2.7.25 have the fix that changes the default file mode back to 0644. I'm currently working on updating all Fedora branches to 3.4.2 and EPEL already has an update in testing (pending one more +1 karma bit).

Comment 9 Kurt Seifried 2014-07-10 04:43:12 UTC

Statement:

Red Hat Product Security has rated this issue as having Low security impact in Subscription Asset Manager 1. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform 4.0. This issue is not currently planned to be addressed in future updates.