Bug 481186 (CVE-2013-4956) - <app-admin/puppet-[2.7.23,3.2.4]: Remote Code Execution (CVE-2013-{4761,4956})
Summary: <app-admin/puppet-[2.7.23,3.2.4]: Remote Code Execution (CVE-2013-{4761,4956})
Alias: CVE-2013-4956
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on: 481214
Reported: 2013-08-15 15:15 UTC by Matthew Thode ( prometheanfire )
Modified: 2013-08-27 17:14 UTC
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-15 15:15:13 UTC
Vulnerability 1 (CVE-2013-4956)
Local Privilege Escalation/Arbitrary Code Execution
Assessed Risk Level: Low
Puppet Module Tool does not control permissions of modules it
installs, instead transferring permissions that existed when the
module was built.  This could allow a malicious user to write to or modify
the puppet module if their local username is the same as the username
originally used to create the module and the user has write permission
to the puppet module directory.

Vulnerability 2 (CVE-2013-4761)
Remote Code Execution Vulnerability
Assessed Risk Level: Medium
By using the resource_type service a user can cause puppet to load
arbitrary Ruby files from the filesystem on the puppet master. This is not
enabled by default but may be enabled in auth.conf. Exploit requires
local file system access to the Puppet Master.

This will result in a fast stablereq

Reproducible: Always
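
An added example, not part of the original report and not Puppet's own code: a Ruby audit of an installed module tree for the condition described under Vulnerability 1 (ownership or write bits carried over from the build machine). The `trusted_uids` list, the module name `examplemod` and the sample tree are assumptions constructed for illustration.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Walk an installed module tree and report entries whose ownership or mode
# would let a non-trusted local account modify code that Puppet loads.
# trusted_uids is an assumption of this example (root only by default).
def audit_module_tree(root, trusted_uids: [0])
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)            # lstat: never follow symlinks out of the tree
    next if st.symlink?
    unless trusted_uids.include?(st.uid)
      findings << [path, "owned by uid #{st.uid}"]
    end
    if (st.mode & 0o022) != 0        # group- or world-writable bit set
      findings << [path, format('writable by group/other (mode %04o)', st.mode & 0o7777)]
    end
  end
  findings.sort
end

# Constructed sample: a fake module directory in which one file keeps the
# permissive mode of a (hypothetical) build machine.
def build_sample_tree(dir)
  mod = File.join(dir, 'examplemod', 'manifests')
  FileUtils.mkdir_p(mod)
  File.chmod(0o755, dir, File.join(dir, 'examplemod'), mod)
  good = File.join(mod, 'init.pp')
  bad  = File.join(mod, 'params.pp')
  File.write(good, "class examplemod {}\n")
  File.write(bad,  "class examplemod::params {}\n")
  File.chmod(0o644, good)
  File.chmod(0o666, bad)
  bad
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    # Treat the current user as the only trusted owner for this demo run.
    audit_module_tree(dir, trusted_uids: [Process.euid]).each do |path, why|
      puts "#{path}: #{why}"
    end
  end
end
```

On a real master, point it at the configured modulepath and pass the accounts that are expected to own modules.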
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-16 15:16:50 UTC
Stabilisation targets?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-16 15:34:45 UTC
sorry, yes

Please stabilize 2.7.23 for amd64, hppa, ppc, sparc and x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-16 15:40:30 UTC
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : amd64 hppa ppc sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-16 19:39:27 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-16 19:43:33 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-17 16:21:44 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-19 13:33:53 UTC
ppc stable
Comment 8 Jack Morgan (RETIRED) gentoo-dev 2013-08-21 03:48:19 UTC
sparc stable, last arch, closing
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-21 03:55:51 UTC
Nope, bug doesn't get closed yet. Added to existing Puppet GLSA request. Reclassified as B1 after discussion with ago.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-08-23 18:44:10 UTC
This issue was resolved and addressed in
 GLSA 201308-04 at
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 17:14:25 UTC
CVE-2013-4956:
  Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x
  before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before
  3.0.1, installs modules with weak permissions if those permissions were used
  when the modules were originally built, which might allow local users to
  read or modify those modules depending on the original permissions.

CVE-2013-4761:
  Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before
  3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1,
  allows remote attackers to execute arbitrary Ruby programs from the master
  via the resource_type service.  NOTE: this vulnerability can only be
  exploited utilizing unspecified "local file system access" to the Puppet