Default file mode now 0600 instead of 0644 (regression in CVE-2013-4969 fix)

Bug #1267385 reported by Dominic Cleal
Affects              Status        Importance  Assigned to       Milestone
puppet (Ubuntu)      Fix Released  Undecided   Marc Deslauriers
  Precise            Fix Released  Undecided   Marc Deslauriers
  Quantal            Fix Released  Undecided   Marc Deslauriers
  Raring             Fix Released  Undecided   Marc Deslauriers
  Saucy              Fix Released  Undecided   Marc Deslauriers
  Trusty             Fix Released  Undecided   Marc Deslauriers

Bug Description

The fix for CVE-2013-4969 (tempfile vulnerability) contained a regression affecting the default file mode if none is specified on a file resource. This has been fixed in upstream 3.4.2 and 2.7.25.

Upstream bug: https://tickets.puppetlabs.com/browse/PUP-1255

Please apply the following patch from 2.7.x to fix the issue:
  https://github.com/puppetlabs/puppet/commit/6a11abb8ac

This currently affects the Foreman installer as some resources in our modules rely on this behaviour.

Reproduced on Ubuntu 12.04 with puppet 2.7.11-1ubuntu2.6:

# puppet apply -e 'file { "/tmp/a": content => "foo" }'
notice: /Stage[main]//File[/tmp/a]/ensure: defined content as '{md5}acbd18db4cc2f85cedef654fccc4a4d8'
notice: Finished catalog run in 0.08 seconds
# ls -l /tmp/a
-rw------- 1 root root 3 Jan 9 09:13 /tmp/a

||/ Name Version Description
+++-====================-====================-========================================================
ii puppet 2.7.11-1ubuntu2.6 Centralized configuration management - agent startup and
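
The following is an added illustration of the mechanism behind this regression, not code from Puppet or from the reporter. The CVE-2013-4969 fix moved file writes to a tempfile-plus-rename pattern; Ruby's Tempfile creates its scratch file as 0600, and a rename preserves that mode, so a file resource with no explicit mode ends up 0600 unless the writer applies the intended default before renaming. The helper names (write_via_tempfile, regression_check) and the 0644-minus-umask default are assumptions for the example, not Puppet's API; the script writes only inside a directory you pass in.

```ruby
require 'tempfile'
require 'tmpdir'

# Atomic replace via tempfile + rename (assumed shape, not Puppet's own code).
# Tempfile creates the scratch file as 0600; if no mode is supplied and the
# default is skipped, rename carries 0600 into place, which is what the bug
# report's "ls -l" shows for /tmp/a.
def write_via_tempfile(path, content, mode: nil, apply_default: true)
  tmp = Tempfile.new(File.basename(path), File.dirname(path))
  begin
    tmp.write(content)
    tmp.flush
    target_mode = mode
    # Corrected behaviour: fall back to 0644 honouring the process umask
    target_mode ||= (0644 & ~File.umask) if apply_default
    tmp.chmod(target_mode) if target_mode
    File.rename(tmp.path, path)
  ensure
    tmp.close
    tmp.unlink # no-op once the rename has moved the file into place
  end
  File.stat(path).mode & 07777
end

# Writes three files into dir and returns their resulting modes:
#   :buggy    - no mode given, default skipped (the regression)
#   :fixed    - no mode given, default applied
#   :explicit - caller-specified mode, which must win in both cases
def regression_check(dir)
  {
    buggy:    write_via_tempfile(File.join(dir, 'buggy'), "foo\n", apply_default: false),
    fixed:    write_via_tempfile(File.join(dir, 'fixed'), "foo\n"),
    explicit: write_via_tempfile(File.join(dir, 'explicit'), "foo\n", mode: 0640),
  }
end

if __FILE__ == $0
  Dir.mktmpdir do |d|
    regression_check(d).each { |k, m| printf("%-8s %04o\n", k, m) }
  end
end
```

Running the script prints 0600 for the buggy variant and 0644 (under a 022 umask) for the corrected one; the same check, pointed at a puppet-managed path, is a quick way to confirm whether an installed package carries the fixed packages listed below.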

Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I have verified that the test case provided demonstrates a regression between 2.7.11-1ubuntu2 and 2.7.11-1ubuntu2.6 as described here and in the upstream ticket.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'll release the regression fix shortly.

Changed in puppet (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Raring):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.18-1ubuntu1.5

---------------
puppet (2.7.18-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:55:18 -0500

Changed in puppet (Ubuntu Quantal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.18-4ubuntu1.4

---------------
puppet (2.7.18-4ubuntu1.4) raring-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:54:31 -0500

Changed in puppet (Ubuntu Raring):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 3.2.4-2ubuntu2.3

---------------
puppet (3.2.4-2ubuntu2.3) saucy-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:48:28 -0500

Changed in puppet (Ubuntu Saucy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.11-1ubuntu2.7

---------------
puppet (2.7.11-1ubuntu2.7) precise-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:56:00 -0500

Changed in puppet (Ubuntu Precise):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 3.3.1-1ubuntu3

---------------
puppet (3.3.1-1ubuntu3) trusty; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 10:57:12 -0500

Changed in puppet (Ubuntu Trusty):
status: New → Fix Released