Bug 742644 - (CVE-2011-3870) CVE-2011-3870 puppet: SSH authorized_keys symlink attack
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20110930,repo...
Keywords: Security
Depends On: 742654 742655
Blocks: 742180 748458
Reported: 2011-09-30 17:27 EDT by Vincent Danen
Modified: 2012-12-05 04:18 EST (History)
Fixed In Version: puppet 2.6.11, puppet 2.7.5
Doc Type: Bug Fix
Last Closed: 2012-07-04 02:46:22 EDT


Attachments:
patch from upstream for 2.6.x and 2.7.x (4.21 KB, patch) - 2011-09-30 19:11 EDT, Vincent Danen
patch from upstream for 0.25.x (2.01 KB, patch) - 2011-09-30 19:12 EDT, Vincent Danen
patch from Jamie Strandboge needed prior to applying upstream's 0.25.x patch (5.09 KB, patch) - 2011-09-30 19:14 EDT, Vincent Danen

Description Vincent Danen 2011-09-30 17:27:57 EDT
A race condition was found in the way puppet handled ssh_authorized_keys.  If a user's authorized_keys file was managed, they could use this flaw to overwrite arbitrary files as root when the target directory and file did not exist.  Puppet would create the directory, ensure that it was user-writable, then write the file as the user before changing the file ownership.  In the time between the write and the chown/chmod operation, a user could replace the file with a symbolic link and have the operation apply to any file on the disk, as root.

This is corrected in upstream 2.6.11 and 2.7.5 releases.


Acknowledgements:

Red Hat would like to thank the Puppet team for reporting this issue.  Upstream acknowledges Ricky Zhou as the original reporter.
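Added example (not Puppet's code; function names are hypothetical) in Ruby, Puppet's own language: the path-based write-then-chown ordering the description calls out, beside a variant that creates the file with EXCL|NOFOLLOW, applies owner and mode to the open descriptor, and renames it into place. The self-check runs unprivileged in a scratch directory and chowns to the caller's own uid, so it shows only the ordering difference, not a root write.

```ruby
require "tmpdir"
require "securerandom"

# Vulnerable ordering from the bug: write by path, then chown/chmod by path.
# Each step follows a symlink planted at `path`, so a privileged caller
# applies the write and the ownership change to whatever the link targets.
def write_keys_unsafe(path, content, uid, gid)
  File.write(path, content)
  File.chown(uid, gid, path)
  File.chmod(0600, path)
end

# Hardened replacement: create a fresh temp file beside the target with
# EXCL|NOFOLLOW (a planted link or file makes the open fail instead of being
# followed), set owner and mode on the descriptor (fchown/fchmod, not the
# path), then rename over the target; rename(2) replaces a symlink sitting
# at the destination name rather than following it.
def write_keys_safe(path, content, uid, gid)
  tmp = File.join(File.dirname(path), ".#{File.basename(path)}.#{SecureRandom.hex(8)}")
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(tmp, flags, 0600) do |f|
    f.write(content)
    f.chown(uid, gid)
    f.chmod(0600)
  end
  File.rename(tmp, path)
  true
end

# Self-check with constructed data: a "victim" file and a symlink at the
# managed path pointing at it. Returns what each variant did to the victim.
def symlink_demo
  Dir.mktmpdir do |dir|
    victim  = File.join(dir, "victim")
    keys    = File.join(dir, "authorized_keys")
    payload = "ssh-ed25519 CONSTRUCTED-SAMPLE-KEY\n"
    result  = {}
    File.write(victim, "original\n")
    File.symlink(victim, keys)
    write_keys_unsafe(keys, payload, Process.uid, Process.gid)
    result[:unsafe_victim] = File.read(victim)   # overwritten through the link
    File.write(victim, "original\n")
    File.delete(keys)
    File.symlink(victim, keys)
    write_keys_safe(keys, payload, Process.uid, Process.gid)
    result[:safe_victim]  = File.read(victim)    # untouched
    result[:safe_is_link] = File.symlink?(keys)  # link replaced by a regular file
    result[:safe_content] = File.read(keys)
    result
  end
end
```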
Comment 1 Vincent Danen 2011-09-30 19:11:48 EDT
Created attachment 525844 [details]
patch from upstream for 2.6.x and 2.7.x
Comment 2 Vincent Danen 2011-09-30 19:12:27 EDT
Created attachment 525845 [details]
patch from upstream for 0.25.x
Comment 3 Vincent Danen 2011-09-30 19:14:20 EDT
Created attachment 525846 [details]
patch from Jamie Strandboge needed prior to applying upstream's 0.25.x patch

Jamie noted that this patch needs to be applied prior to what upstream supplied, which are from commits:

ce233aa2a511bf6818f28c226144ec5b05a468ee
8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20
0aae5a71a8e3b38cd8d7041f5c40091887c924a8
Comment 4 Vincent Danen 2011-09-30 19:35:55 EDT
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 742654]
Affects: epel-all [bug 742655]
Comment 5 Fedora Update System 2011-10-24 11:39:31 EDT
puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Kurt Seifried 2012-04-11 12:17:07 EDT
Resolved in Puppet 2.7.5 and 2.6.11, CloudForms ships Puppet 2.6.14.
Comment 7 Tomas Hoger 2012-07-04 02:46:22 EDT
Fixed upstream in 2.7.5 and 2.6.11.

External Reference:

http://puppetlabs.com/security/cve/cve-2011-3870/
