Bug 837339 (CVE-2012-1989)

Summary: CVE-2012-1989 puppet: Insecure temporary file use for NET::Telnet connection log (/tmp/out.log)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ccoleman, hbrock, jrusnack, k.georgiou, kseifried, ktdreyer, mmccune, morazi, mrg-program-list, tkramer, tmz, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puppet 2.7.13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-04 07:20:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 767033    

Description Jan Lieskovsky 2012-07-03 14:02:53 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1989 to the following vulnerability:

telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log). 

References:
[1]  http://projects.puppetlabs.com/issues/13606
[2]  http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.13
[3]  http://puppetlabs.com/security/cve/cve-2012-1989/
[4]  http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html
[5]  http://ubuntu.com/usn/usn-1419-1
[6]  http://www.securityfocus.com/bid/52975
[7]  http://secunia.com/advisories/48743
[8]  http://secunia.com/advisories/48748
[9]  http://secunia.com/advisories/49136
[10] http://xforce.iss.net/xforce/xfdb/74797

Relevant upstream patch seems to be the following:
[11] https://github.com/puppetlabs/puppet/commit/91e7ce478649490d87684661f79d70b5ca46ddd0
Comment 1 Jan Lieskovsky 2012-07-03 14:05:10 UTC 
This issue did NOT affect the versions of the puppet package, as shipped with Fedora release of 16 and 17.

--

This issue did NOT affect the versions of the puppet package, as shipped with Fedora EPEL 5 and 6.
Comment 3 Tomas Hoger 2012-07-04 07:20:17 UTC 
As listed in the upstream advisory, this issue only affected 2.7.x versions.  Only Fedora 17 and Rawhide have this version and are already using fixed 2.7.13.  Fedora 17 did not include previous 2.7.x version and hence was never affected by this issue.

External Reference:

http://puppetlabs.com/security/cve/cve-2012-1989/