Bug 839135 (CVE-2012-3866)

Summary: CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: k.georgiou, tmz, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puppet 2.7.18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-05 09:45:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 839168    
Bug Blocks: 839173    

Description Kurt Seifried 2012-07-11 05:24:14 UTC 
From puppet labs: CVE-2012-3866 (last_run_report.yaml is world readable)

A bug in Puppet 2.7.17 leaves last_run_report.yaml world readable.

The most recent Puppet run report is stored on the Puppet master with 
world-readable permissions. The report file contains the context diffs of any 
changes to configuration on an agent, which may contain sensitive information 
that an attacker can then access. The last run report is overwritten with 
every Puppet run.

Note: This only affects the 2.7 series of Puppet.

Resolved in Puppet 2.7.18
Comment 1 Kurt Seifried 2012-07-11 06:42:52 UTC 
Created puppet tracking bugs for this issue

Affects: fedora-17 [bug 839168]
Comment 2 Kurt Seifried 2012-07-12 02:37:09 UTC 
External Reference:

http://puppetlabs.com/security/cve/cve-2012-3866/
Comment 3 Tomas Hoger 2012-07-12 10:13:49 UTC 
Upstream commit:

2.7:
https://github.com/puppetlabs/puppet/commit/fd44bf5
Comment 4 Fedora Update System 2012-07-28 01:20:09 UTC 
puppet-2.7.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.