Moses Mendoza of Puppet Labs reports:
Unsafe use of Temp files in File type (Local Privilege Escalation)
Assessed Risk Level: Medium
Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to. The degree of difficulty to exploit this
vulnerability is high. We have not actually exploited this
Created attachment 839245
Created attachment 839246
Created puppet tracking bugs for this issue:
Affects: fedora-all [bug 1047792]
Please note that there was a minor regression introduced in the fix for CVE-2013-4969, which affects the default mode of files created by Puppet file resources if no mode is specified.
This has been fixed in Puppet 3.4.2 and 2.7.25 via PUP-1255:
For the stable/3.4.x branch, these patches fix it:
For the 2.7.x branch, this fixes it:
Puppet 3.4.2 and 2.7.25 have the fix that changes the default file mode back to 0644. I'm currently working on updating all Fedora branches to 3.4.2 and EPEL already has an update in testing (pending one more +1 karma bit).
Red Hat Product Security has rated this issue as having Low security impact in Subscription Asset Manager 1. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform 4.0. This issue is not currently planned to be addressed in future updates.
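The check-then-write pattern from the advisory at the top of this report, next to an atomic alternative, as an added Ruby example (not Puppet's code and not the patches referenced here). The helper names, the `tmp` base name, the `suffix` hook and the sample files are constructed for illustration; the 0644 default mirrors the mode mentioned in the regression note above.

```ruby
require "tmpdir"
require "securerandom"

# Unsafe: find an unused name now, write to it later. A symlink planted at
# that name in between is followed by the plain open.
def unsafe_pick_name(dir, base)
  n = 0
  n += 1 while File.exist?(File.join(dir, "#{base}.#{n}"))
  File.join(dir, "#{base}.#{n}")
end

def unsafe_write(path, data)
  File.open(path, "w") { |f| f.write(data) }
end

# Hardened: unpredictable name, created with O_CREAT|O_EXCL so the open fails
# with EEXIST if anything, symlink included, already sits at the path.
# `suffix` is a hypothetical hook so the collision case can be exercised.
def safe_write_temp(dir, base, data, mode: 0o644, suffix: -> { SecureRandom.hex(8) })
  path = File.join(dir, "#{base}.#{suffix.call}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
    f.chmod(mode) # set the final mode explicitly instead of inheriting 0600
  end
  path
rescue Errno::EEXIST
  retry # pick another name; never reuse or unlink the existing entry
end

# Constructed scenario in a throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "victim.conf")
    File.write(victim, "original")
    name = unsafe_pick_name(dir, "tmp")   # check
    File.symlink(victim, name)            # link appears in the gap
    unsafe_write(name, "new")             # use: writes through the link
    unsafe_result = File.read(victim)

    File.write(victim, "original")
    tries = ["0", SecureRandom.hex(8)]    # first candidate collides with the link
    path = safe_write_temp(dir, "tmp", "new", suffix: -> { tries.shift })
    { unsafe: unsafe_result, safe: File.read(victim), content: File.read(path),
      link: File.symlink?(path), mode: File.stat(path).mode & 0o777 }
  end
end
```

`demo` returns the victim file's content after each variant, so the difference between the two open calls is visible without touching anything outside the temporary directory.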