Bug 839135 - (CVE-2012-3866) CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20120710,reported=2...
: Security
Depends On: 839168
Blocks: 839173
Reported: 2012-07-11 01:24 EDT by Kurt Seifried
Modified: 2015-07-27 09:25 EDT
Fixed In Version: puppet 2.7.18
Doc Type: Bug Fix
Last Closed: 2012-12-05 04:45:07 EST
Description Kurt Seifried 2012-07-11 01:24:14 EDT
From puppet labs: CVE-2012-3866 (last_run_report.yaml is world readable)

A bug in Puppet 2.7.17 leaves last_run_report.yaml world readable.

The most recent Puppet run report is stored on the Puppet master with 
world-readable permissions. The report file contains the context diffs of any 
changes to configuration on an agent, which may contain sensitive information 
that an attacker can then access. The last run report is overwritten with 
every Puppet run.

Note: This only affects the 2.7 series of Puppet.

Resolved in Puppet 2.7.18
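
An added example (not part of the advisory, the upstream commit, or Puppet's own code) of auditing for the exposure described above and of overwriting the report on each run without the world-readable bit. The helper names, the 0640 target mode and the sample report text are assumptions; the directory to scan is passed in by the caller.

```ruby
require 'fileutils'
require 'tmpdir'

REPORT_MODE = 0o640 # assumed target: owner rw, group r, nothing for others
# Constructed sample standing in for a report that embeds a config diff.
CONSTRUCTED_REPORT = "--- constructed sample\nlogs:\n- message: |\n    -db_pass=old\n    +db_pass=PLACEHOLDER\n"

# True when the "other" read bit is set on the file.
def world_readable?(path)
  (File.stat(path).mode & 0o004) != 0
end

# Audit (hypothetical helper): [path, octal mode] for each exposed report under dir.
def exposed_reports(dir, name = 'last_run_report.yaml')
  Dir.glob(File.join(dir, '**', name))
     .select { |p| File.file?(p) && world_readable?(p) }
     .map { |p| [p, format('%04o', File.stat(p).mode & 0o7777)] }
end

# Overwrite the report so it never exists with a looser mode than REPORT_MODE:
# create a sibling temp file with an explicit mode, pin the mode independently
# of the process umask, then rename it over the previous report.
def write_report(path, yaml)
  tmp = "#{path}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, REPORT_MODE) do |f|
    f.chmod(REPORT_MODE) # umask only removes bits; chmod makes the mode exact
    f.write(yaml)
  end
  File.rename(tmp, path)
ensure
  FileUtils.rm_f(tmp) if tmp && File.exist?(tmp)
end

# Reproduce the exposed state in a scratch directory, then simulate the next run.
def demo
  Dir.mktmpdir do |dir|
    report = File.join(dir, 'last_run_report.yaml')
    File.write(report, CONSTRUCTED_REPORT)
    File.chmod(0o644, report)                 # the world-readable state
    before = exposed_reports(dir).map(&:last) # modes flagged by the audit
    write_report(report, CONSTRUCTED_REPORT)  # next run replaces the file
    [before, exposed_reports(dir), format('%04o', File.stat(report).mode & 0o7777)]
  end
end
```

Because the report is rewritten on every run, a one-off `chmod` on an affected version does not persist; the mode has to be set by the writer, as in `write_report`.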
Comment 1 Kurt Seifried 2012-07-11 02:42:52 EDT
Created puppet tracking bugs for this issue

Affects: fedora-17 [bug 839168]
Comment 2 Kurt Seifried 2012-07-11 22:37:09 EDT
External Reference:

http://puppetlabs.com/security/cve/cve-2012-3866/
Comment 3 Tomas Hoger 2012-07-12 06:13:49 EDT
Upstream commit:

2.7:
https://github.com/puppetlabs/puppet/commit/fd44bf5
Comment 4 Fedora Update System 2012-07-27 21:20:09 EDT
puppet-2.7.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
