Bug 1045212 (CVE-2013-4969) - CVE-2013-4969 Puppet: Unsafe use of Temp files in File type
Summary: CVE-2013-4969 Puppet: Unsafe use of Temp files in File type
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-4969
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Ohad Levy
QA Contact:
URL:
Whiteboard:
Depends On: 1046902 1047792 1138953
Blocks: 1045213
TreeView+ depends on / blocked
 
Reported: 2013-12-19 21:29 UTC by Kurt Seifried
Modified: 2021-02-17 07:03 UTC (History)
37 users (show)

Fixed In Version: puppet 3.4.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-03 07:06:12 UTC


Attachments (Terms of Use)
CVE-2013-4969-2.7.x-temp-file.patch (9.89 KB, patch)
2013-12-19 21:48 UTC, Kurt Seifried
no flags Details | Diff
CVE-2013-4969-3.3.x-temp-file.patch (10.56 KB, patch)
2013-12-19 21:49 UTC, Kurt Seifried
no flags Details | Diff

Description Kurt Seifried 2013-12-19 21:29:39 UTC
Moses Mendoza of Puppet Labs reports:

Unsafe use of Temp files in File type (Local Privilege Escalation)
Assessed Risk Level: Medium

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to. The degree of difficulty to exploit this
vulnerability is high. We have not actually exploited this
vulnerability successfully.

Comment 1 Kurt Seifried 2013-12-19 21:48:55 UTC
Created attachment 839245 [details]
CVE-2013-4969-2.7.x-temp-file.patch

Comment 2 Kurt Seifried 2013-12-19 21:49:22 UTC
Created attachment 839246 [details]
CVE-2013-4969-3.3.x-temp-file.patch

Comment 4 Ratul Gupta 2013-12-30 11:20:33 UTC
External References:
http://puppetlabs.com/security/cve/cve-2013-4969

Comment 5 Ratul Gupta 2014-01-02 09:11:34 UTC
Created puppet tracking bugs for this issue:

Affects: fedora-all [bug 1047792]

Comment 6 Dominic Cleal 2014-01-09 13:25:34 UTC
Please note that there was a minor regression introduced in the fix for CVE-2013-4969, which affects the default mode of files created by Puppet file resources if no mode is specified.

This has been fixed in Puppet 3.4.2 and 2.7.25 via PUP-1255:
  https://tickets.puppetlabs.com/browse/PUP-1255

For the stable/3.4.x branch, these patches fix it:
  https://github.com/puppetlabs/puppet/commit/6cabaa048
  https://github.com/puppetlabs/puppet/commit/a4af858e8

For the 2.7.x branch, this fixes it:
  https://github.com/puppetlabs/puppet/commit/6a11abb8a

Comment 7 Sam Kottler 2014-01-14 10:49:58 UTC
Puppet 3.4.2 and 2.7.25 have the fix that changes the default file mode back to 0644. I'm currently working on updating all Fedora branches to 3.4.2 and EPEL already has an update in testing (pending one more +1 karma bit).

Comment 9 Kurt Seifried 2014-07-10 04:43:12 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact in Subscription Asset Manager 1. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform 4.0. This issue is not currently planned to be addressed in future updates.


Note You need to log in before you can comment on or make changes to this bug.