Bug 494768 (CVE-2013-4969) - <app-admin/puppet-{2.7.24,3.4.1} Insecure temporary file handling (CVE-2013-4969)
Status: RESOLVED FIXED
Alias: CVE-2013-4969
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 486002
Blocks:
Reported: 2013-12-19 19:30 UTC by Matthew Marlowe (RETIRED)
Modified: 2014-02-02 18:34 UTC
Attachments
patch 3.3.x (CVE-2013-4969-3.3.x-temp-file.patch,10.56 KB, patch)
2013-12-19 19:30 UTC, Matthew Marlowe (RETIRED)
2.7 patch (CVE-2013-4969-2.7.x-temp-file.patch,9.89 KB, patch)
2013-12-19 19:31 UTC, Matthew Marlowe (RETIRED)

Description Matthew Marlowe (RETIRED) gentoo-dev 2013-12-19 19:30:17 UTC
Created attachment 365698 [details, diff]
patch 3.3.x

Puppet Labs has become aware of a security vulnerability in Puppet.

This vulnerability was discovered internally and has not been publicly
disclosed. We appreciate your consideration to the sensitivity of this
information, and respectfully ask that you refrain from publicly
disclosing the contents of this email until our planned disclosure
date, Thursday, December 26, 2013, UTC 18:00.

We have attached patches for the following versions of puppet in the
2.7.x and 3.3.x series:

* 2.7.x - CVE-2013-4969-2.7.x-temp-file.patch
* 3.3.x - CVE-2013-4969-3.3.x-temp-file.patch

While the Puppet 2.7.x series is officially end of life, a few brave
community members have offered to continue unofficial maintenance of
2.7.x for a short time. For this release, Sam Kottler has offered his
assistance applying the 2.7.x patch. If you require assistance with
the 2.7.x patch, please contact Sam Kottler at s@shk.io. Along with
Puppet 3.3.3, a "community" release of Puppet 2.7.24 will be issued on
our stated disclosure date.

If you have trouble with the 3.3.x patch, please let us know and we
will attempt to assist as much as possible.

# Vulnerability Summary #

CVE-2013-4969
Unsafe use of Temp files in File type (Local Privilege Escalation)
Assessed Risk Level: Medium

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to. The degree of difficulty to exploit this
vulnerability is high. We have not actually exploited this
vulnerability successfully.

# Commits in Fixes #
These commits will be in the 2.7.24 and 3.3.3 releases of Puppet, respectively.

2.7.24
======
691fbbe (#23343) Use `replace_file` to update a file's contents

3.3.3
======
2bcd29c (#23343) Use `replace_file` to update a file's contents


If you have any questions or need additional clarification, please
respond to distro-maintainers@puppetlabs.com

Thank you,
Moses Mendoza
Puppet Labs
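
Added example, not part of the original report and not Puppet's `replace_file` code: the check-then-write temp file pattern from the vulnerability summary beside a hardened write that creates the file exclusively and renames it into place. The function names, the `.puppettmp` suffix and the block used as a race-window test hook are hypothetical; all files are constructed inside a throwaway directory.

```ruby
require "securerandom"
require "tmpdir"

# Pattern from the advisory: look for a usable name, write to it later.
# The optional block is a test hook standing in for the race window.
def unsafe_update(target, content)
  tmp = "#{target}.puppettmp"                   # predictable name (hypothetical)
  raise "temp name in use" if File.exist?(tmp)  # check ...
  yield tmp if block_given?
  File.write(tmp, content)                      # ... then use: follows a symlink
  File.rename(tmp, target)
end

# Hardened form: unpredictable name, O_CREAT|O_EXCL so the open fails if
# anything (a symlink included) already has that name, then atomic rename.
def safe_update(target, content, mode = 0o644)
  tmp = File.join(File.dirname(target),
                  ".#{File.basename(target)}.#{SecureRandom.hex(8)}")
  yield tmp if block_given?                     # same hook: name was guessed
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
    f.fsync
    f.chmod(mode)
  end
  File.rename(tmp, target)
end

# Constructed scenario: a symlink to "victim" appears at the temp name.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "victim")
    target = File.join(dir, "managed.conf")
    plant  = ->(tmp) { File.symlink(victim, tmp) }
    File.write(victim, "original")
    unsafe_update(target, "new", &plant)
    after_unsafe = File.read(victim)            # overwritten through the link
    File.unlink(target)
    File.write(victim, "original")
    refused = begin
      safe_update(target, "new", &plant)
      false
    rescue Errno::EEXIST
      true
    end
    safe_update(target, "v2")
    { after_unsafe: after_unsafe, refused: refused,
      after_safe: File.read(victim), target: File.read(target) }
  end
end
```
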
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2013-12-19 19:31:12 UTC
Created attachment 365700 [details, diff]
2.7 patch
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-26 20:34:21 UTC
ok, we need fast stablereqs open for the following

=app-admin/puppet-2.7.24 amd64 hppa ppc sparc x86
=app-admin/puppet-3.4.1 amd64 hppa sparc x86

I'd like puppet 3.4.1 to get stable for ppc as well so I can close bug 486002 as well :D
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-26 22:05:24 UTC
puppet is used for admin tasks very heavily (shipping passwd/shadow files isn't uncommon).  Because of this I am escalating this bug to B1.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-27 16:09:30 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-04 13:07:21 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-04 13:08:12 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-06 09:28:38 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-06 09:29:20 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-01-11 18:00:49 UTC
CVE-2013-4969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4969):
  Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before
  2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files
  via a symlink attack on unspecified files.
Comment 10 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 08:32:56 UTC
removing myself from the cc list as I'm not needed here :D
Comment 11 Sergey Popov gentoo-dev 2014-02-02 18:26:57 UTC
Thanks for your work

GLSA vote: no
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-02 18:34:57 UTC
GLSA vote: no.

Closing as [noglsa]