Bug 742649 (CVE-2011-3871)

Summary: CVE-2011-3871 puppet: predictable temporary file using RAL
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, k.georgiou, ktdreyer, security-response-team, tmz, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puppet 2.6.11, puppet 2.7.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-04 06:50:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 742654, 742655    
Bug Blocks: 742180, 748458    
Attachments:
Description Flags
patch from upstream for 2.6.x and 2.7.x
none
patch from upstream for 0.25.x none

Description Vincent Danen 2011-09-30 22:07:55 UTC
A flaw was found in the way puppet resource in --edit mode handled temporary files.  It would use an extremely predictable file name which persisted and could be known well prior to creation.  This could result in both editing an arbitrary target file, and tricking puppet into running that arbitrary file as the invoking user.  This is feature is typically used as the root user, as you cannot do much as a less privileged user.

This is corrected in upstream 2.6.11 and 2.7.5 releases.

Comment 1 Vincent Danen 2011-09-30 23:21:02 UTC
Created attachment 525849 [details]
patch from upstream for 2.6.x and 2.7.x

Comment 2 Vincent Danen 2011-09-30 23:21:21 UTC
Created attachment 525850 [details]
patch from upstream for 0.25.x

Comment 3 Vincent Danen 2011-09-30 23:36:50 UTC
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 742654]
Affects: epel-all [bug 742655]

Comment 4 Fedora Update System 2011-10-24 15:39:43 UTC
puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Kurt Seifried 2012-04-11 16:18:06 UTC
Resolved in Puppet 2.7.5 and 2.6.11, CloudForms ships Puppet 2.6.14.

Comment 6 Tomas Hoger 2012-07-04 06:50:11 UTC
Fixed upstream in 2.7.5 and 2.6.11.

External Reference:

http://puppetlabs.com/security/cve/cve-2011-3871/