A race condition was found in the way puppet handled ssh_authorized_keys. If a user's authorized_keys file was managed, they could use this flaw to overwrite arbitrary files as root when the target directory and file did not exist. Puppet would create the directory, ensure that it was user-writable, then write the file as the user before changing the file ownership. In the window between the write and the chown/chmod operation, a user could replace the file with a symbolic link and have the chown/chmod apply to any file on the disk, as root.
This is corrected in upstream 2.6.11 and 2.7.5 releases.
Red Hat would like to thank the Puppet team for reporting this issue. Upstream acknowledges Ricky Zhou as the original reporter.
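The write-then-chmod sequence described above, beside the descriptor-based alternative, as an added Ruby example that is not Puppet's code or the upstream patch; the file names, the "victim" file and the block that stands in for the race window are constructed for the demonstration, and ownership changes are only noted in comments because they need root:

```ruby
require 'tmpdir'

# Vulnerable sequence, as described in the bug: write by path, then chmod/chown
# by path. The block stands in for the window between the two operations in
# which a user who owns the directory can swap the file for a symlink.
def racy_write(path, content, mode)
  File.write(path, content)
  yield if block_given?        # race window
  File.chmod(mode, path)       # path-based chmod follows a symlink to its target
end

# Hardened sequence: create with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted
# symlink (or any existing entry) fails the open instead of being followed,
# then apply the mode (and, when root, ownership) to the descriptor with
# fchmod/fchown. A later swap of the directory entry cannot redirect them.
def safe_write(path, content, mode)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW, 0600) do |f|
    f.write(content)
    yield if block_given?      # same race window
    f.chmod(mode)              # fchmod on the inode we created, not on the path
    # f.chown(uid, gid) would go here when running as root (also descriptor-based)
    f.stat.mode & 0777
  end
rescue Errno::EEXIST, Errno::ELOOP
  nil                          # refuse rather than follow an existing entry
end

# Simulates the race in a temp dir: a constructed "victim" file with mode 0600
# plays the role of the root-owned file a symlink would be pointed at.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, 'victim')
    target = File.join(dir, 'authorized_keys')
    File.write(victim, 'keep me'); File.chmod(0600, victim)
    swap = -> { File.unlink(target); File.symlink(victim, target) }

    racy_write(target, 'ssh-rsa AAAA... user', 0644, &swap)
    racy_victim_mode = File.stat(victim).mode & 0777   # victim's mode was changed

    File.chmod(0600, victim); File.unlink(target)
    safe_mode = safe_write(target, 'ssh-rsa AAAA... user', 0644, &swap)
    safe_victim_mode = File.stat(victim).mode & 0777   # victim untouched

    preplanted = safe_write(target, 'x', 0644)          # target is now a symlink
    { racy_victim_mode: racy_victim_mode, safe_mode: safe_mode,
      safe_victim_mode: safe_victim_mode, preplanted: preplanted }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```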
Created attachment 525844: patch from upstream for 2.6.x and 2.7.x
Created attachment 525845: patch from upstream for 0.25.x
Created attachment 525846: patch from Jamie Strandboge needed prior to applying upstream's 0.25.x patch
Jamie noted that this patch needs to be applied prior to what upstream supplied, which are from commits:
Created puppet tracking bugs for this issue
Affects: fedora-all [bug 742654]
Affects: epel-all [bug 742655]
puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Resolved in Puppet 2.7.5 and 2.6.11; CloudForms ships Puppet 2.6.14.
Fixed upstream in 2.7.5 and 2.6.11.