This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 502881 - (CVE-2010-0156) CVE-2010-0156 puppet: several insecure tempfile creation issues
CVE-2010-0156 puppet: several insecure tempfile creation issues
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: puppet (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Jeroen van Meeuwen
Fedora Extras Quality Assurance
: Reopened, Security, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-27 11:39 EDT by Till Maas
Modified: 2010-03-02 19:20 EST (History)
4 users (show)

See Also:
Fixed In Version: 0.25.4-1.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-01 19:53:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Till Maas 2009-05-27 11:39:47 EDT
Description of problem:
I noticed that puppet may create several predictable files in /tmp, e.g.

/tmp/daemonout
/tmp/puppetdoc.txt
/tmp/puppetdoc.tex

There are also a lot more in the tests, but they may not be run in Fedora's F10 spec, and even more in the puppet source, e.g. for the dmg installation provider.

Version-Release number of selected component (if applicable):
puppet-0.24.8-1.fc10

How reproducible:
always

Steps to Reproduce:
1. grep -nR /tmp/ /usr/lib/ruby/site_ruby/1.8/puppet

Actual results:
Contains ruby code like:
/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:33:            File.open("/tmp/daemonout", "w") { |f|

Expected results:
Should only report findings that are not executed, e.g. in comments or help information

Additional info:
Current git seems to contain even more issues, e.g. 
lib/puppet/network/server.rb:25:            File.open("/tmp/daemonout", "w") { |f|
Comment 1 Jeroen van Meeuwen 2009-06-24 10:27:38 EDT
This is an issue the file already exists, with arbitrary content and only with permissive permissions, am I right?

Would it help to put these files in, say, 0750, puppet:puppet, /var/cache/puppet/, so that only the puppet user (and root) can write to these files?
Comment 2 Till Maas 2009-06-27 11:50:36 EDT
(In reply to comment #1)
> This is an issue the file already exists, with arbitrary content and only with
> permissive permissions, am I right?

I do not understand this question. But a typical attack in this case would be to create a symlink in e.g. /tmp/daemonout that points to a file that only root can write to, to manipulate the contents of this file.

> Would it help to put these files in, say, 0750, puppet:puppet,
> /var/cache/puppet/, so that only the puppet user (and root) can write to these
> files?  

/tmp/daemonout should probably be in /var/log or some puppet log file should be used instead imho. For the puppetdoc and test files the Tempfile class in ruby should be used to generate securely temporary files or maybe a temporary directory within /tmp. The class Tempfile is already used in other locations in puppet.
Comment 3 Jeroen van Meeuwen 2009-08-12 19:00:04 EDT
(In reply to comment #2)
> (In reply to comment #1)
> > This is an issue the file already exists, with arbitrary content and only with
> > permissive permissions, am I right?
> 
> I do not understand this question. But a typical attack in this case would be
> to create a symlink in e.g. /tmp/daemonout that points to a file that only root
> can write to, to manipulate the contents of this file.
> 

A file in /tmp/ is not just readable, writeable or executable to just anyone just because it is in /tmp/. The same file system permissions apply to files and directories created in /tmp/ as do they anywhere else. The only difference with /tmp/ is that anyone can create files there, and anyone can list the directories content;

With umask, files created in /tmp/ would not even be group-readable or writeable:

==
Every 1.0s: find /tmp/ -name *puppet* -exec ls -lh {} \;                                                                                                                                                            Thu Aug 13 00:12:39 2009

-rw-------. 1 root root 0 2009-08-13 00:12 ./puppet.15122.0
==

I fail to see how this is a security problem, unless the file is created with extraneous permissions before the puppet daemon creates the file itself.

If you can explain or give me some reference I'll be happy to read up ;-)
Comment 4 Till Maas 2009-08-13 04:29:17 EDT
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > This is an issue the file already exists, with arbitrary content and only with
> > > permissive permissions, am I right?
> > 
> > I do not understand this question. But a typical attack in this case would be
> > to create a symlink in e.g. /tmp/daemonout that points to a file that only root
> > can write to, to manipulate the contents of this file.
> > 
> 
> A file in /tmp/ is not just readable, writeable or executable to just anyone
> just because it is in /tmp/. The same file system permissions apply to files
> and directories created in /tmp/ as do they anywhere else. The only difference
> with /tmp/ is that anyone can create files there, and anyone can list the
> directories content;

> I fail to see how this is a security problem, unless the file is created with
> extraneous permissions before the puppet daemon creates the file itself.

Here are some step by step instructions, that hopefull help to understand the problem:

1) backup your /etc/shadow file, e.g. with cp /etc/shadow /root/shadow.puppet-backup
2) As a non root user run: ln -s /etc/shadow /tmp/puppet.tex
3) As root run: puppetdoc -m pdf
4) notice that /etc/shadow has been overwritten with latex code: less /etc/shadow
5) restore /etc/shadow: cp /root/shadow.puppet-backup /etc/shadow

> If you can explain or give me some reference I'll be happy to read up ;-)  

http://capec.mitre.org/data/definitions/27.html
Comment 5 Jeroen van Meeuwen 2009-08-13 17:58:14 EDT
So, a form of understanding is in my brain now...

Would the solution be to not use /tmp/, but some directory non-root users cannot just write to (cannot create symbolic links to other files in)?

I'd suggest:

 puppet:puppet drwxr-x--- /var/run/puppet

or something similar?
Comment 6 Till Maas 2009-08-14 09:36:30 EDT
(In reply to comment #5)
> So, a form of understanding is in my brain now...
> 
> Would the solution be to not use /tmp/, but some directory non-root users
> cannot just write to (cannot create symbolic links to other files in)?
> 
> I'd suggest:
> 
>  puppet:puppet drwxr-x--- /var/run/puppet
> 
> or something similar?  

Basically I already answerded this in comment:2, but I can also provide more details if needed:
 /tmp/daemonout is a logfile and should got to /var/log, the other files should be created using the ruby tempfile class[0] or using a temporary directory, e.g. for the pdf creation there are iirc also some other helper files created with the same basename, e.g. instead of /tmp/puppetdoc.tex /tmp/puppetdoc.aux can probably also be used.

[0] http://www.ruby-doc.org/stdlib/libdoc/tempfile/rdoc/index.html
Comment 7 Bug Zapper 2009-11-18 07:01:57 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Bug Zapper 2009-12-18 04:29:48 EST
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 9 Till Maas 2010-01-03 17:14:00 EST
reproduced exploit from comment:4 with /tmp/puppetdoc.tex in step 2 with puppet-0.24.8-4.fc12
Comment 10 Till Maas 2010-01-03 18:24:59 EST
add co-maintainer Todd M. Zullinger to CC list
Comment 11 James Turnbull 2010-01-03 22:03:53 EST
We're happy to have these propagated upstream - we're currently looking at a broader fix than just these files.  For the moment happy to have you add me as a CC to any tickets such as these.
Comment 12 James Turnbull 2010-01-04 02:13:50 EST
This is the fix we're proposing:

http://github.com/MarkusQ/puppet/commit/0e9db34ba0afe0ea0bee3afd005a011e3099d055

Can you please test and provide feedback?

Thanks
Comment 13 Jeroen van Meeuwen 2010-01-04 07:04:41 EST
This looks fine to me, although I wonder what mysterious side-effects one could trigger now that the file (symlink) is being deleted, and Puppet awaits re-creation and then fails. I guess it needs to, since the file may also be a Puppet file created during a previous (aborted?) run...
Comment 14 Todd Zullinger 2010-01-04 12:23:18 EST
James, thanks to you and Markus for the quick work.  I tested a little on CentOS 5 and Fedora 10 (I'm travelling and don't have handy access to an F-12 box with 0.25.x right now).  I only tested puppetdoc, and noted that while the patch from Markus prevents the tmp file problem, it does result in a traceback rather than a simple warning as I think is intended:

[root@localhost ~]# echo 'Secret root stuff' > /etc/test
[root@localhost ~]# chmod 400 /etc/test

[user@localhost ~]$ ln -sv /etc/test /tmp/puppetdoc.tex

[root@localhost ~]# puppetdoc -m pdf
creating pdf
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:411:in `secure_open': private method `warn' called for Puppet:Module (NoMethodError)
	from /usr/lib/ruby/site_ruby/1.8/puppet/util/reference.rb:51:in `pdf'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetdoc.rb:160:in `other'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
	from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
	from /usr/bin/puppetdoc:65

I'm not sure how to quickly test the other code paths and I don't have as much time as I'd like to look into it.  But I will try and test anything if you or Markus have suggestions.
Comment 15 James Turnbull 2010-01-04 12:32:46 EST
Todd - we'll do some more testing and get back to you.
Comment 16 James Turnbull 2010-01-04 12:58:17 EST
Try the updated fix in that same branch.
Comment 17 Todd Zullinger 2010-01-04 14:56:02 EST
James, no traceback with the typo fixed.  I didn't get any warning when running puppetdoc, though it did do what it is intended -- deleted the symlink and created it as a regular file.  If it's supposed to log or print a warning, let me know and I'll test or look further.
Comment 18 Till Maas 2010-01-04 18:42:48 EST
I just got an CVE number for this issue:
CVE-2010-0156
Comment 19 James Turnbull 2010-01-05 01:48:49 EST
Okay we've merged the branch and released 0.25.2 with the fix in it.
Comment 20 James Turnbull 2010-01-05 05:03:34 EST
We also back-ported the patch to 0.24.x and created a new 0.24.x release numbered 0.24.9.  I'll announce that shortly.
Comment 21 Todd Zullinger 2010-01-05 18:21:07 EST
I've built and submitted puppet-0.25.2 for Fedora and EPEL branches.  It's marked as a security update and submitted for updates-testing, as we'd like to get at least a little bit of testing to ensure there aren't any big problems hiding in the update.

Thanks to James and Markus for quickly working to implement a fix and get it into 0.25.2 in the 11th hour.  Someday I hope to repay you with inebriating beverages of your choice. :)
Comment 22 Fedora Update System 2010-01-06 20:00:31 EST
puppet-0.25.2-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0251
Comment 23 Fedora Update System 2010-01-06 20:00:41 EST
puppet-0.25.2-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0254
Comment 24 Fedora Update System 2010-01-07 16:42:24 EST
puppet-0.25.2-1.el5.1 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0031
Comment 25 Fedora Update System 2010-01-12 18:55:14 EST
puppet-0.25.3-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0054
Comment 26 Fedora Update System 2010-01-12 18:55:29 EST
puppet-0.25.3-1.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0046
Comment 27 Fedora Update System 2010-01-13 20:19:35 EST
puppet-0.25.3-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0492
Comment 28 Fedora Update System 2010-01-13 20:23:38 EST
puppet-0.25.3-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0523
Comment 29 Fedora Update System 2010-01-19 20:55:30 EST
puppet-0.25.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/puppet-0.25.3-2.fc11
Comment 30 Fedora Update System 2010-01-19 20:55:37 EST
puppet-0.25.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/puppet-0.25.3-2.fc12
Comment 31 Fedora Update System 2010-01-19 20:55:42 EST
puppet-0.25.3-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/puppet-0.25.3-2.el5
Comment 32 Fedora Update System 2010-01-19 20:55:46 EST
puppet-0.25.3-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/puppet-0.25.3-2.el4
Comment 33 Fedora Update System 2010-01-20 17:39:27 EST
puppet-0.25.3-2.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0095
Comment 34 Fedora Update System 2010-01-20 17:39:38 EST
puppet-0.25.3-2.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0097
Comment 35 Fedora Update System 2010-01-20 19:08:09 EST
puppet-0.25.3-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0834
Comment 36 Fedora Update System 2010-01-20 19:13:48 EST
puppet-0.25.3-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0865
Comment 37 Fedora Update System 2010-01-31 10:45:19 EST
puppet-0.25.4-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/puppet-0.25.4-1.el5
Comment 38 Fedora Update System 2010-01-31 10:45:28 EST
puppet-0.25.4-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/puppet-0.25.4-1.fc11
Comment 39 Fedora Update System 2010-01-31 10:45:33 EST
puppet-0.25.4-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/puppet-0.25.4-1.el4
Comment 40 Fedora Update System 2010-01-31 10:45:38 EST
puppet-0.25.4-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/puppet-0.25.4-1.fc12
Comment 41 Fedora Update System 2010-02-01 20:15:11 EST
puppet-0.25.4-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1336
Comment 42 Fedora Update System 2010-02-01 20:17:31 EST
puppet-0.25.4-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1347
Comment 43 Fedora Update System 2010-02-03 15:02:55 EST
puppet-0.25.4-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0154
Comment 44 Fedora Update System 2010-02-03 15:05:01 EST
puppet-0.25.4-1.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0163
Comment 45 Fedora Update System 2010-03-01 19:53:12 EST
puppet-0.25.4-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 46 Fedora Update System 2010-03-01 20:09:38 EST
puppet-0.25.4-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 47 Fedora Update System 2010-03-02 19:17:50 EST
puppet-0.25.4-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 48 Fedora Update System 2010-03-02 19:20:06 EST
puppet-0.25.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.