Bug 839135 (CVE-2012-3866) - CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
Summary: CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 839168
Blocks: 839173
 
Reported: 2012-07-11 05:24 UTC by Kurt Seifried
Modified: 2021-02-23 14:22 UTC

Fixed In Version: puppet 2.7.18
Clone Of:
Environment:
Last Closed: 2012-12-05 09:45:07 UTC
Embargoed:



Description Kurt Seifried 2012-07-11 05:24:14 UTC
From puppet labs: CVE-2012-3866 (last_run_report.yaml is world readable)

A bug in Puppet 2.7.17 leaves last_run_report.yaml world readable.

The most recent Puppet run report is stored on the Puppet master with 
world-readable permissions. The report file contains the context diffs of any 
changes to configuration on an agent, which may contain sensitive information 
that an attacker can then access. The last run report is overwritten with 
every Puppet run.

Note: This only affects the 2.7 series of Puppet.

Resolved in Puppet 2.7.18
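
A permission audit for the report file described above, as an added example that is not part of the bug report or Puppet's own code: it checks the world-read bit and whether the parent directories let other users reach the file at all. The function names, the `stop_at` parameter and the temporary sample tree are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile

def exposure(path, stop_at=os.sep):
    """Return 'private', 'masked' or 'exposed' for users outside owner/group."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return "private"
    # A world-readable file is reachable only if every ancestor grants o+x.
    parent = os.path.dirname(os.path.abspath(path))
    stop = os.path.abspath(stop_at)  # hypothetical bound on the ancestor walk
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return "masked"
        if parent in (stop, os.path.dirname(parent)):
            return "exposed"
        parent = os.path.dirname(parent)

def restrict(path):
    """Strip every 'other' permission bit and return the resulting mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~0o007)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed sample tree standing in for the directory holding the report."""
    root = tempfile.mkdtemp()
    try:
        state = os.path.join(root, "state")
        os.mkdir(state)
        report = os.path.join(state, "last_run_report.yaml")
        with open(report, "w") as fh:
            fh.write("--- constructed sample, not a real report\n")
        results = []
        os.chmod(state, 0o755)
        os.chmod(report, 0o644)
        results.append(exposure(report, stop_at=state))  # file and dir both open
        os.chmod(state, 0o750)
        results.append(exposure(report, stop_at=state))  # dir blocks traversal
        os.chmod(state, 0o755)
        results.append(oct(restrict(report)))            # other bits removed
        results.append(exposure(report, stop_at=state))
        return results
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `exposure()` on the path given by Puppet's `lastrunreport` setting. Because the report is overwritten with every Puppet run, re-check after the next run; the fix named on this page is the upgrade to 2.7.18.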

Comment 1 Kurt Seifried 2012-07-11 06:42:52 UTC
Created puppet tracking bugs for this issue

Affects: fedora-17 [bug 839168]

Comment 2 Kurt Seifried 2012-07-12 02:37:09 UTC
External Reference:

http://puppetlabs.com/security/cve/cve-2012-3866/

Comment 3 Tomas Hoger 2012-07-12 10:13:49 UTC
Upstream commit:

2.7:
https://github.com/puppetlabs/puppet/commit/fd44bf5

Comment 4 Fedora Update System 2012-07-28 01:20:09 UTC
puppet-2.7.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

