Vulnerability 1 (CVE-2013-4956)
Local Privilege Escalation/Arbitrary Code Execution
Assessed Risk Level: Low
Description: Puppet Module Tool does not control permissions of modules it installs, instead transferring permissions that existed when the module is built. This could allow a malicious user to write to modify the puppet module if their local username is the same as the username originally used to create the module and the user has write permission to the puppet module directory.

Vulnerability 2 (CVE-2013-4761)
Remote Code Execution Vulnerability
Assessed Risk Level: Medium
Description: By using the resource_type service a user can cause puppet to load arbitrary ruby files from filesystem on the puppet master. This is not enabled by default but may be enabled in auth.conf. Exploit requires local file system access to the Puppet Master.

This will result in a fast stablereq

Reproducible: Always
Stabilisation targets?
sorry, yes
Please stabilize 2.7.23 for amd64, hppa, ppc, sparc and x86
Arch teams, please test and mark stable:
=app-admin/puppet-2.7.23
Targeted stable KEYWORDS : amd64 hppa ppc sparc x86
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
sparc stable, last arch, closing
Nope, bug doesn't get closed yet. Added to existing Puppet GLSA request. Reclassified as B1 after discussion with ago.
This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-4956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4956): Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.

CVE-2013-4761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4761): Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
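
An added example, not part of the bug report and not Puppet's own code: a Ruby audit of an installed module tree for the condition CVE-2013-4956 describes, flagging entries that are not owned by a trusted uid or that are writable by group or other. The function names, the default trusted uid of 0 and the sample tree are assumptions constructed for illustration.

```ruby
require 'find'
require 'tmpdir'

# One entry under the module tree that a non-trusted local account could modify.
Finding = Struct.new(:path, :uid, :mode, :reasons)

# Walk module_root and report entries not owned by trusted_uid (assumed: 0)
# or writable by group/other. Symlinks are examined with lstat, never followed.
def audit_module_tree(module_root, trusted_uid: 0)
  findings = []
  Find.find(module_root) do |path|
    st = File.lstat(path)
    next if st.symlink? # a link's own mode bits are not meaningful
    reasons = []
    reasons << "owner uid #{st.uid} != #{trusted_uid}" if st.uid != trusted_uid
    reasons << 'group-writable' if (st.mode & 0o020) != 0
    reasons << 'world-writable' if (st.mode & 0o002) != 0
    next if reasons.empty?
    findings << Finding.new(path, st.uid, st.mode & 0o7777, reasons)
  end
  findings
end

# Constructed sample: a small module tree whose modes mimic permissions
# carried over from the machine where the module was built.
def constructed_demo
  Dir.mktmpdir('modaudit') do |root|
    tree = { 'manifests' => 0o755, 'manifests/init.pp' => 0o644,
             'manifests/loose.pp' => 0o664, 'files' => 0o777 }
    tree.each do |rel, mode|
      path = File.join(root, rel)
      rel.end_with?('.pp') ? File.write(path, "# constructed\n") : Dir.mkdir(path)
      File.chmod(mode, path) # set explicitly so the umask does not matter
    end
    # The current uid stands in for the trusted owner so the demo runs unprivileged.
    audit_module_tree(root, trusted_uid: Process.uid)
      .map { |f| [f.path.sub("#{root}/", ''), f.reasons] }.sort
  end
end

if __FILE__ == $PROGRAM_NAME
  constructed_demo.each { |rel, reasons| puts "#{rel}: #{reasons.join(', ')}" }
end
```

To audit a real system, call `audit_module_tree` with the module directory in use and the uid expected to own it.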