Vulnerability 1 (CVE-2013-4956)
Local Privilege Escalation/Arbitrary Code Execution
Assessed Risk Level: Low
Puppet Module Tool does not control permissions of modules it
installs, instead transferring permissions that existed when the
module is built. This could allow a malicious user to write to modify
the puppet module if their local username is the same as the username
originally used to create the module and the user has write permission
to the puppet module directory.
Vulnerability 2 (CVE-2013-4761)
Remote Code Execution Vulnerability
Assessed Risk Level: Medium
By using the resource_type service a user can cause puppet to load
arbitrary ruby files from filesystem on the puppet master. This is not
enabled by default but may be enabled in auth.conf. Exploit requires
local file system access to the Puppet Master.
This will result in a fast stablereq
Please stabilize 2.7.23 for amd64, hppa, ppc, sparc and x86
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : amd64 hppa ppc sparc x86
Stable for HPPA.
sparc stable, last arch, closing
Nope, bug doesn't get closed yet. Added to existing Puppet GLSA request. Reclassified as B1 after discussion with ago.
This issue was resolved and addressed in
GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before
3.0.1, installs modules with weak permissions if those permissions were used
when the modules were originally built, which might allow local users to
read or modify those modules depending on the original permissions.
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before
3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1,
allows remote attackers to execute arbitrary Ruby programs from the master
via the resource_type service. NOTE: this vulnerability can only be
exploited utilizing unspecified "local file system access" to the Puppet