A flaw was found in the way puppet handled the k5login type. The k5login type is typically used to manage a file in the home directory of a user. It would write to the target file, as root, without doing anything to secure the file. This would allow the owner of the home directory to symlink to anything on the system, and have the contents replaced, as root.
This is corrected in upstream 2.6.11 and 2.7.5 releases.
Created attachment 525847 [details]
patch from upstream for 2.6.x and 2.7.x
Created attachment 525848 [details]
patch from upstream for 0.25.x
Created puppet tracking bugs for this issue
Affects: fedora-all [bug 742654]
Affects: epel-all [bug 742655]
puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Resolved in Puppet 2.7.5 and 2.6.11, CloudForms ships Puppet 2.6.14.
Fixed upstream in 2.7.5 and 2.6.11.