Bug 908629 - (CVE-2012-6120) CVE-2012-6120 Puppet: Directory /var/log/puppet is world readable
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
low Severity low
Assigned To: Red Hat Product Security
: Security
Depends On: 908915 908917 908948 908949 908950 908951 995672
Blocks: 908633 921763
Reported: 2013-02-07 03:19 EST by Kurt Seifried
Modified: 2016-04-26 15:52 EDT
Doc Type: Bug Fix
Last Closed: 2014-01-28 22:39:06 EST
Description Kurt Seifried 2013-02-07 03:19:20 EST
/var/log/puppet is world readable and may contain sensitive information

Also the files contained within are world readable.

Version-Release number of selected component (if applicable):


How reproducible:

drwxr-xr-x.  2 puppet        puppet          4096 Mar  8 16:35 /var/log/puppet
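
A check for the condition reported above, as an added example that is not part of the original bug report or of Puppet's packaging: it lists everything at or below a log directory that has the world-read bit set and returns a non-zero status if anything is found. The function names `world_readable` and `audit_log_dir` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a log directory for
# entries that users outside the owner and group can read.
# Usage after sourcing this file: audit_log_dir /var/log/puppet

# Print "ls -ld" output for every file or directory at or below $1
# whose mode has the world-read bit (octal 004) set.
world_readable() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -004 matches when the "other" read bit is set, whatever
    # the remaining bits are; the directory itself is included.
    find "$dir" \( -type f -o -type d \) -perm -004 -exec ls -ld {} +
}

# Exit status: 0 = nothing world readable, 1 = findings printed,
# 2 = the directory could not be examined.
audit_log_dir() {
    dir=$1
    findings=$(world_readable "$dir") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as root or as the directory's owner; once "other" can no longer traverse the directory, an unprivileged run cannot inspect the files inside and reports status 2 instead.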
Comment 2 Kurt Seifried 2013-02-07 15:47:54 EST
Created puppet tracking bugs for this issue

Affects: epel-all [bug 908915]
Comment 7 Alan Pevec 2013-02-18 18:22:34 EST
(In reply to comment #0)
> Lukas Zapletal reports:
> /var/log/puppet is world readable and may contain sensitive information

FYI that was EPEL bug https://bugzilla.redhat.com/show_bug.cgi?id=857930
Comment 8 Todd Zullinger 2013-03-18 10:19:11 EDT
And this was a bug in the build system, not in the packaging.  A recent update and build without change to the spec file shows that /var/log/puppet now retains the proper permissions.

I don't seem to have any access to the blocker bugs, so I don't know what the security team wants to do about closing this out.  Please advise or close as appropriate.
Comment 9 Kurt Seifried 2013-03-21 02:25:06 EDT
The blocker bugs and depends on bugs are for Red Hat internal purposes, a tracking bug for EPEL was created (908915) and you were assigned to it, and it was closed properly so that's all you need to worry about on your side. Basically SRT handles closing of all CVE bugs (like this one).
Comment 11 errata-xmlrpc 2013-04-04 16:20:05 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0710 https://rhn.redhat.com/errata/RHSA-2013-0710.html
Comment 12 Kurt Seifried 2013-07-26 02:21:52 EDT
The Red Hat Security Response Team has rated this issue as having low security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.
