Moses Mendoza (moses) reports: By using the resource_type service, a user can cause Puppet to load arbitrary Ruby files from the filesystem on the Puppet master. This is not enabled by default but may be enabled in auth.conf. Exploit requires local file system access to the Puppet Master.
Created attachment 786417 (2.7.22-puppet-Aug-2013-CVE-fixes.patc): This fixes CVE-2013-4956 and CVE-2013-4761
Created attachment 786418 (3.2.3-puppet-Aug-2013-CVE-fixes.patch): This fixes CVE-2013-4956 and CVE-2013-4761
External References: http://puppetlabs.com/security/cve/cve-2013-4761/
Created puppet tracking bugs for this issue: Affects: fedora-all [bug 997615]
I've pushed Puppet 3.2.4 to the F20 and rawhide repos, which contains a fix for this issue.
Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue.
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2013:1283 https://rhn.redhat.com/errata/RHSA-2013-1283.html
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2013:1284 https://rhn.redhat.com/errata/RHSA-2013-1284.html
This issue has been addressed in the following products: Fedora-all puppet 3.2.4-1 - Update to 3.2.4 to fix CVE-2013-4761 and CVE-2013-4956