Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 456002 (CVE-2012-6120) - <app-admin/puppet-2.7.19-r1: /var/log/puppet is world readable (CVE-2012-6120)
Summary: <app-admin/puppet-2.7.19-r1: /var/log/puppet is world readable (CVE-2012-6120)
Status: RESOLVED FIXED
Alias: CVE-2012-6120
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-07 12:34 UTC by Agostino Sarubbo
Modified: 2013-08-23 18:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-07 12:34:34 UTC
From $URL :

/var/log/puppet is world readable and may contain sensitive information

Also the files contained within are world readable.

Version-Release number of selected component (if applicable):

puppet-2.6.14-1.el6.noarch
puppet-2.6.17-2.el6.noarch
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-08 15:44:35 UTC
I don't think we are hit by this (my puppet is 2.7.18 and /var/log/puppet is not world readable).  The oldest puppet we have in tree is 2.7.18.
Comment 2 Agostino Sarubbo gentoo-dev 2013-02-08 15:53:13 UTC
(In reply to comment #1)
> I don't think we are hit by this (my puppet is 2.7.18 and /var/log/puppet is
> not world readable).  The oldest puppet we have in tree is 2.7.18.

the logdir become not world-readable only after you start puppetmaster. If you start only puppet it remains world readable.

amd64box ~ # /etc/init.d/puppet start
 * Caching service dependencies ...                                                                  [ ok ]
 * Starting puppet ...                                                                                     
amd64box ~ # ls -la /var/log/puppet/
totale 8                                                                                                   
drwxr-xr-x  2 puppet puppet 4096  8 feb 16.49 .                                                            
drwxr-xr-x 16 root   root   4096  8 feb 16.49 ..                                                           
-rw-r--r--  1 puppet puppet    0  8 feb 16.49 .keep_app-admin_puppet-0                                     
amd64box ~ # /etc/init.d/puppetmaster start                                                                
 * Starting puppetmaster ...                                                                               
amd64box ~ # ls -la /var/log/puppet/                                                                       
totale 16                                                                                                  
drwxr-x---  2 puppet puppet 4096  8 feb 16.50 .                                                            
drwxr-xr-x 16 root   root   4096  8 feb 16.49 ..                                                           
-rw-r--r--  1 puppet puppet    0  8 feb 16.49 .keep_app-admin_puppet-0                                     
-rw-rw----  1 puppet puppet 5377  8 feb 16.50 masterhttp.log
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-08 16:50:13 UTC
fix is in tree (all the r1 packages).  I think we should probably stablereq at least 2.7.18-r1.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-08 17:08:57 UTC
it may be easier to make 2.7.19-r1 as the one we mark stable, this would also get add ruby19 support, which ago wants.

only ebuild with the CVE is puppet-2.7.18 right now.
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-21 07:01:18 UTC
does the sec team cc people to mark stuff stable or what (so we can finally solve this bug)?
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-23 19:37:49 UTC
(In reply to comment #5)
> does the sec team cc people to mark stuff stable or what (so we can finally
> solve this bug)?

We can, you can, anyone can :)

(In reply to comment #4)
> it may be easier to make 2.7.19-r1 as the one we mark stable, this would
> also get add ruby19 support, which ago wants.
> 
> only ebuild with the CVE is puppet-2.7.18 right now.

Excellent. Arches, please test and mark stable =app-admin/puppet-2.7.19-r1
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-23 21:07:33 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-24 12:09:06 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-24 12:13:37 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-24 17:22:19 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-24 18:47:20 UTC
sparc stable
Comment 12 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-26 22:32:43 UTC
unsubscribing.  readd if needed
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-17 21:55:55 UTC
I'm just going to add this on to the GLSA draft with bug 461656.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:39:58 UTC
CVE-2012-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6120):
  Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directory
  with world-readable permissions, which allows local users to obtain
  sensitive information such as Puppet log files.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-23 18:44:05 UTC
This issue was resolved and addressed in
 GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).