Bug 1045212 (CVE-2013-4969)
Field | Value
---|---
Summary | CVE-2013-4969 Puppet: Unsafe use of Temp files in File type
Product | [Other] Security Response
Reporter | Kurt Seifried <kseifried>
Component | vulnerability
Assignee | Ohad Levy <ohadlevy>
Status | CLOSED CURRENTRELEASE
QA Contact |
Severity | low
Docs Contact |
Priority | low
Version | unspecified
CC | aortega, apevec, ayoung, bdunne, bkearney, ccoleman, chrisw, cpelland, dajohnso, dcleal, dmcphers, esammons, gkotton, gmollett, iboverma, iheim, jfrey, jialiu, jomara, jrafanie, jross, jrusnack, kseifried, lhh, lmeyer, markmc, matt, mcressma, mmccune, mmcgrath, obarenbo, ohadlevy, rbryant, sclewis, security-response-team, xlecauch, yeylon
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | puppet 3.4.1
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2014-10-03 07:06:12 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On | 1046902, 1047792, 1138953
Bug Blocks | 1045213
Attachments |
Description

Kurt Seifried, 2013-12-19 21:29:39 UTC

Created attachment 839245 [details]: CVE-2013-4969-2.7.x-temp-file.patch

Created attachment 839246 [details]: CVE-2013-4969-3.3.x-temp-file.patch

External References: http://puppetlabs.com/security/cve/cve-2013-4969

Created puppet tracking bugs for this issue:

Affects: fedora-all [bug 1047792]

Please note that there was a minor regression introduced in the fix for CVE-2013-4969, which affects the default mode of files created by Puppet file resources if no mode is specified. This has been fixed in Puppet 3.4.2 and 2.7.25 via PUP-1255: https://tickets.puppetlabs.com/browse/PUP-1255

For the stable/3.4.x branch, these patches fix it:

- https://github.com/puppetlabs/puppet/commit/6cabaa048
- https://github.com/puppetlabs/puppet/commit/a4af858e8

For the 2.7.x branch, this fixes it:

- https://github.com/puppetlabs/puppet/commit/6a11abb8a

Puppet 3.4.2 and 2.7.25 have the fix that changes the default file mode back to 0644. I'm currently working on updating all Fedora branches to 3.4.2, and EPEL already has an update in testing (pending one more +1 karma bit).

Statement: Red Hat Product Security has rated this issue as having Low security impact in Subscription Asset Manager 1. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform 4.0. This issue is not currently planned to be addressed in future updates.