Bug 908629 (CVE-2012-6120)

Summary: CVE-2012-6120 Puppet: Directory /var/log/puppet is world readable
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: apevec, bkearney, cpelland, dajohnso, djorm, dmcphers, iboverma, jeckersb, jialiu, jneedle, jomara, jose.p.oliveira.oss, katello-bugs, katello-internal, k.georgiou, ktdreyer, lmeyer, markmc, mastahnke, mcressma, mmccune, morazi, moses, mrg-program-list, msuchy, rbryant, rhos-maint, sclewis, tkramer, tmz, vanmeeuwen+fedora
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120917,reported=20130201,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,fedora-all/puppet=new,epel-all/puppet=affected,cloudformscommon-1/puppet=wontfix,openshift-1/puppet=affected,mrg-1.3/puppet=affected,sam-1/puppet=affected,openstack-2.0/puppet=affected,openstack-2.1/puppet=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-28 22:39:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 908915, 908917, 908948, 908949, 908950, 908951, 995672
Bug Blocks: 908633, 921763

Description Kurt Seifried 2013-02-07 03:19:20 EST
/var/log/puppet is world readable and may contain sensitive information.

Also the files contained within are world readable.

Version-Release number of selected component (if applicable):

puppet-2.6.14-1.el6.noarch
puppet-2.6.17-2.el6.noarch

How reproducible:

drwxr-xr-x.  2 puppet        puppet          4096 Mar  8 16:35 /var/log/puppet
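The listing above shows the reported condition: mode 0755 on the directory, so any local user can list it and read the 0644 log files inside. The script below is an added example, not part of the bug report or of the Puppet packaging. It audits a directory tree for entries that grant read access to "other", prints them, and then tightens the modes. The target modes 0750 (directory) and 0640 (files) are an assumption made here; the report only says the existing permissions are too permissive. The fixture directory it builds is constructed for the demonstration; point the same functions at /var/log/puppet to check a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or the Puppet packaging): audit a
# log directory for world-readable entries, the condition reported above,
# then tighten it. Target modes 0750/0640 are an assumption made here.

# Print every entry under DIR (including DIR itself) whose mode grants
# read to "other". "-perm -004" matches when at least the o+r bit is set.
world_readable_entries() {
    find "$1" -perm -004
}

# Number of such entries, as a bare integer (tr strips BSD wc padding).
count_world_readable() {
    world_readable_entries "$1" | wc -l | tr -d ' '
}

# Human-readable report: one ls -ld line per offending entry.
report_world_readable() {
    world_readable_entries "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Tighten: directory listable/traversable only by owner and group, files
# readable only by owner and group. Ownership is left unchanged.
harden_logdir() {
    chmod 0750 "$1"
    find "$1" -type f -exec chmod 0640 {} +
}

# Constructed fixture: a throwaway directory shaped like the reported
# /var/log/puppet (0755 directory holding 0644 log files). Prints its path.
# Modes are set explicitly so the result does not depend on the umask.
make_constructed_logdir() {
    d=$(mktemp -d) || return 1
    : > "$d/puppet.log"
    : > "$d/masterhttp.log"
    chmod 0755 "$d"
    chmod 0644 "$d/puppet.log" "$d/masterhttp.log"
    printf '%s\n' "$d"
}

# Demonstration on the constructed directory: three world-readable entries
# (the directory and both files) before hardening, none after.
demo_dir=$(make_constructed_logdir)
echo "before: $(count_world_readable "$demo_dir") world-readable entries"
report_world_readable "$demo_dir"
harden_logdir "$demo_dir"
echo "after:  $(count_world_readable "$demo_dir") world-readable entries"
rm -rf "$demo_dir"
```

The audit relies on mode bits only, so it gives the same answer whether run as root or as the puppet user; an ACL granting read to additional users would not be caught by this check and needs getfacl.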
Comment 2 Kurt Seifried 2013-02-07 15:47:54 EST
Created puppet tracking bugs for this issue

Affects: epel-all [bug 908915]
Comment 7 Alan Pevec 2013-02-18 18:22:34 EST
(In reply to comment #0)
> Lukas Zapletal reports:
> 
> /var/log/puppet is world readable and may contain sensitive information

FYI that was EPEL bug https://bugzilla.redhat.com/show_bug.cgi?id=857930
Comment 8 Todd Zullinger 2013-03-18 10:19:11 EDT
And this was a bug in the build system, not in the packaging.  A recent update and build without change to the spec file shows that /var/log/puppet now retains the proper permissions.

I don't seem to have any access to the blocker bugs, so I don't know what the security team wants to do about closing this out.  Please advise or close as appropriate.
Comment 9 Kurt Seifried 2013-03-21 02:25:06 EDT
The blocker bugs and depends on bugs are for Red Hat internal purposes, a tracking bug for EPEL was created (908915) and you were assigned to it, and it was closed properly so that's all you need to worry about on your side. Basically SRT handles closing of all CVE bugs (like this one).
Comment 11 errata-xmlrpc 2013-04-04 16:20:05 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0710 https://rhn.redhat.com/errata/RHSA-2013-0710.html
Comment 12 Kurt Seifried 2013-07-26 02:21:52 EDT
The Red Hat Security Response Team has rated this issue as having low security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.