hiera: code execution from the current directory

Bug #1470417 reported by Alexei Sheplyakov on 2015-07-01
Affects             Importance  Assigned to
Fuel for OpenStack  Medium      Fuel for Openstack
  8.0.x             Medium      MOS Ceph
  Mitaka            Medium      Fuel for Openstack

Bug Description

Platforms running Ruby 1.9.1 or earlier would load Ruby source files from the current working directory during a Hiera lookup. This could lead to the execution of arbitrary code.

Affected versions: hiera < 1.3.4 (version in MOS 7.0, 6.1 is 1.3.1)

https://puppetlabs.com/security/cve/cve-2014-3248

Suggested solution: upgrade to hiera 1.3.4, which contains a fix. Besides, it provides a substantial speed increase for lookups compared to Hiera 1.3.[21]
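The mechanism behind the CVE, as an added example that is not code from hiera or from this bug report: Ruby releases before 1.9.2 shipped with "." on $LOAD_PATH, so a plain relative require of a backend file could be satisfied by a file planted in whatever directory the tool happened to run from. The `hiera/backend/<name>_backend` require name is the load pattern assumed here for a Hiera backend, and the load paths and planted file are constructed in a scratch directory so the script runs offline; `resolve_require` only mimics `Kernel#require`'s search, it does not execute the file.

```ruby
require "tmpdir"
require "fileutils"

# Added example (not hiera's code). Models CVE-2014-3248: with "." on the
# load path, `require "hiera/backend/<name>_backend"` (assumed pattern)
# resolves to a file under the current working directory if one exists.

# Relative require name for a named Hiera backend (assumed naming pattern).
def backend_require_name(name)
  "hiera/backend/#{name}_backend"
end

# True when the load path would search the current directory: either "."
# or the empty string (both appeared on Ruby installs older than 1.9.2).
def cwd_on_load_path?(load_path = $LOAD_PATH)
  load_path.any? { |dir| dir == "." || dir == "" }
end

# Mimic Kernel#require's lookup: return the first "<dir>/<rel>.rb" that
# exists, expanding relative entries against the current directory, or nil.
def resolve_require(rel, load_path)
  load_path.each do |dir|
    candidate = File.expand_path("#{rel}.rb", dir)
    return candidate if File.file?(candidate)
  end
  nil
end

# Plant a fake backend in a scratch CWD and resolve the require twice: with a
# legacy-style load path that ends in ".", and with the same path without it.
# Returns both resolutions so the difference can be checked.
def demo_planted_backend(backend = "yaml")
  Dir.mktmpdir do |scratch|
    site_ruby = File.join(scratch, "site_ruby")  # stand-in for the system path
    cwd = File.join(scratch, "work")
    FileUtils.mkdir_p(site_ruby)
    FileUtils.mkdir_p(File.join(cwd, "hiera", "backend"))
    # Attacker-controlled file in the directory the tool is run from
    # (constructed for this demo; it is never executed here).
    File.write(File.join(cwd, "hiera", "backend", "#{backend}_backend.rb"),
               "# planted file; would run at require time\n")

    Dir.chdir(cwd) do
      rel = backend_require_name(backend)
      {
        legacy:   resolve_require(rel, [site_ruby, "."]),
        hardened: resolve_require(rel, [site_ruby]),
      }
    end
  end
end

if __FILE__ == $0
  r = demo_planted_backend
  puts "with '.' on load path: #{r[:legacy].inspect}"
  puts "without it:            #{r[:hardened].inspect}"
  puts "this interpreter searches CWD: #{cwd_on_load_path?}"
end
```

`cwd_on_load_path?` with no argument is the quick check for a given interpreter: on a patched Ruby it returns false, and on an old one it shows why upgrading only hiera is not enough if other tools on the box still issue relative requires.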

CVE References: CVE-2014-3248

Changed in fuel:
assignee: nobody → MOS Linux (mos-linux)
status: New → Triaged
Changed in fuel:
assignee: MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov)
Alexei Sheplyakov (asheplyakov) wrote:

puppet 3.4.3, mcollective 2.3.3 are affected too. Upgrading only hiera makes little sense, and upgrading puppet and mcollective this late is way too risky. Moving to 8.0

Changed in fuel:
milestone: 7.0 → 8.0
Dmitry Pyzhov (dpyzhov) on 2015-10-21
tags: added: area-linux
tags: added: mos-linux
removed: area-linux
Dmitry Pyzhov (dpyzhov) on 2015-10-27
tags: added: area-mos
Roman Podoliaka (rpodolyaka) wrote:

We no longer fix Medium bugs in 8.0, closing as Won't Fix
