Moses Mendoza (moses) reports: Puppet Module Tool does not control permissions of modules it installs, instead transferring permissions that existed when the module was built. This could allow a malicious user to modify the puppet module if their local username is the same as the username originally used to create the module and the user has write permission to the puppet module directory.
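An audit for the condition described in the report, added here as an example (it is not code from Puppet or from this bug): it walks an installed module tree and flags entries whose owner is not the expected account or that are writable by group or others. The names `audit_module_tree`, `build_sample_module` and the module `examplemod` are hypothetical, and the sample tree is constructed.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Walk an installed module directory and return [path, reason] pairs for
# every entry that kept an unexpected owner or a group/world write bit,
# i.e. metadata carried over from the build host instead of being set
# at install time.
def audit_module_tree(module_dir, expected_uid)
  findings = []
  Find.find(module_dir) do |path|
    st = File.lstat(path)          # lstat: do not follow symlinks
    next if st.symlink?            # link modes are not meaningful here
    findings << [path, :unexpected_owner] if st.uid != expected_uid
    findings << [path, :group_or_world_writable] if (st.mode & 0o022) != 0
  end
  findings
end

# Constructed sample: a tiny module whose manifest kept a 0664 mode,
# as if the build-time permissions had been preserved on install.
def build_sample_module(root)
  mod = File.join(root, 'examplemod')
  manifests = File.join(mod, 'manifests')
  FileUtils.mkdir_p(manifests)
  init = File.join(manifests, 'init.pp')
  File.write(init, "class examplemod {}\n")
  File.chmod(0o755, mod, manifests)
  File.chmod(0o664, init)
  mod
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    mod = build_sample_module(root)
    # Assumption: the account that should own installed modules is the
    # one running the audit; on a real master this is usually root (uid 0).
    audit_module_tree(mod, Process.euid).each do |path, reason|
      puts "#{reason}: #{path}"
    end
  end
end
```

Run against a real module path, pass the uid that is supposed to own installed modules; any finding marks a file whose installed ownership or mode should be reset.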
Created attachment 786416: 2.7.22-puppet-Aug-2013-CVE-fixes.patc
Comment on attachment 786416 (2.7.22-puppet-Aug-2013-CVE-fixes.patc): This fixes CVE-2013-4956 and CVE-2013-4761
Created attachment 786419: 3.2.3-puppet-Aug-2013-CVE-fixes.patch. This fixes CVE-2013-4956 and CVE-2013-4761
External References: http://puppetlabs.com/security/cve/cve-2013-4956/
Created puppet tracking bugs for this issue: Affects: fedora-all [bug 997615]
I've pushed Puppet 3.2.4 to the F20 and rawhide repos which contains a fix for this issue.
Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue.
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2013:1283 https://rhn.redhat.com/errata/RHSA-2013-1283.html
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2013:1284 https://rhn.redhat.com/errata/RHSA-2013-1284.html
This issue has been addressed in the following products: Fedora-all puppet 3.2.4-1 - Update to 3.2.4 to fix CVE-2013-4761 and CVE-2013-4956