The security changes in 2.7.13 address CVEs 2012-1906, 2012-1986,
2012-1987, 2012-1988, and 2012-1989.
All users of Puppet 2.7.x are encouraged to upgrade when possible to
More information available at: http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-1906,
Detailed feature release notes are available:
This release is available for download at:
RPM's are available at http://yum.puppetlabs.com/el or /fedora
Debs are available on http://apt.puppetlabs.com (lenny requires
Windows packages are available at
Mac packages are available at
Puppet is also available via Rubygems at http://rubygems.org
See the Verifying Puppet Download section at:
Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.13
# Summary #
CVE-2012-1906 (High) [#13260] - appdmg and pkgdmg providers write
packages to insecure location
If a remote source is given for a package, the package is downloaded
to a predictable filename in /tmp.
It is possible to create a symlink at this name and use it to
clobber any file on the system, or by switching
the symlink install arbitrary packages (and package installers can
execute arbitrary code).
CVE-2012-1986 (High) [#13511] - Filebucket arbitrary file read
It is possible to construct a REST request to fetch a file from a
filebucket that overrides the puppet master’s
defined location for the files to be stored. If a user has access to
construct directories and symlinks on the
machine they can read any file that the user the puppet master is
running as has access to.
CVE-2012-1987 (Moderate) [#13552,#13553] - Filebucket denial of service
By constructing a marshaled form of a Puppet::FileBucket::File
object a user can cause it it to be written to
any place on the disk of the puppet master. This could be used for a
denial of service attach against the puppet
master if an attacker fills a filesystem that can cause systems to
stop working. In order to do this the attacker
needs no access to the puppet master system, but does need access to
agent SSL keys.
Using the symlink attack described in Bug #13511 the puppet master
can be caused to read from a stream
(e.g. /dev/random) when either trying to save a file or read a file.
Because of the way in which the puppet master
deals with sending files on the filesystem to a remote system via a
REST request the thread handling the request
will block forever reading from that stream and continually
consuming more memory. This can lead to the puppet
master system running out of memory and cause a denial of service.
CVE-2012-1988 (High) [#13518] - Filebucket arbitrary code execution
This requires access to the cert on the agent and an unprivileged
account on the master. By creating a path on
the master in a world-writable location that matches a command
string, one can then make a file bucket request
to execute that command.
CVE-2012-1989 (High) [#13606] - Telnet utility (used for network
devices) writes to insecure location
The telnet.rb file opens a NET::Telnet connection with an output log
of /tmp/out.log. That log could be replaced
by a symlink anywhere on the system and the puppet user would
happily write through the symlink, potentially
clobbering data or worse.
* 1f58ea6 Stub mktmpdir and remove_entry_secure in os x package providers
* b7553a5 (#13260) Spec test to verify that mktmpdir is used
* 46e8dc0 (#13260) Use mktmpdir when downloading packages
* b36bda9 Refactor pkgdmg specs
* 91e7ce4 Remove telnet Output_log parameter
* 0d6d299 Fix for bucket_path security vulnerability
* 19bd30a Removed text/marshal support