
Default file mode now 0600 instead of 0644 (regression in CVE-2013-4969 fix)

Reported by Dominic Cleal on 2014-01-09
Affects            Importance   Assigned to
puppet (Ubuntu)    Undecided    Marc Deslauriers
  Precise          Undecided    Marc Deslauriers
  Quantal          Undecided    Marc Deslauriers
  Raring           Undecided    Marc Deslauriers
  Saucy            Undecided    Marc Deslauriers
  Trusty           Undecided    Marc Deslauriers

Bug Description

The fix for CVE-2013-4969 (tempfile vulnerability) contained a regression affecting the default file mode if none is specified on a file resource. This has been fixed in upstream 3.4.2 and 2.7.25.

Upstream bug: https://tickets.puppetlabs.com/browse/PUP-1255

Please apply the following patch from 2.7.x to fix the issue:
  https://github.com/puppetlabs/puppet/commit/6a11abb8ac

This currently affects the Foreman installer as some resources in our modules rely on this behaviour.

Reproduced on Ubuntu 12.04 with puppet 2.7.11-1ubuntu2.6:

# puppet apply -e 'file { "/tmp/a": content => "foo" }'
notice: /Stage[main]//File[/tmp/a]/ensure: defined content as '{md5}acbd18db4cc2f85cedef654fccc4a4d8'
notice: Finished catalog run in 0.08 seconds
# ls -l /tmp/a
-rw------- 1 root root 3 Jan 9 09:13 /tmp/a

||/ Name Version Description
+++-====================-====================-========================================================
ii puppet 2.7.11-1ubuntu2.6 Centralized configuration management - agent startup and
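The two modes the report is about are easy to conflate: the temporary file written during an atomic replace must be unreadable by other users while it is being filled (the point of the CVE-2013-4969 fix), but the final file must still end up with the resource's own mode, or 0644 when the manifest gives none. The Ruby below is an added illustration of that separation, not code from Puppet, from the referenced upstream commit, or from this bug report; the function names, the DEFAULT_FILE_MODE constant and the temp-file naming are assumptions made for the example.

```ruby
# Added example (not Puppet's code): a temp file is created 0600 so that
# nobody else can read the content while it is being written, and the
# final mode is applied only once, before the rename. Leaving the 0600
# in place for files without an explicit mode is the regression the
# report describes.
require 'tmpdir'

# Assumed default for a file resource that specifies no mode.
DEFAULT_FILE_MODE = 0644

# Atomically replace +path+ with +content+ and return the resulting
# permission bits. The temp file can never be more open than 0600 (umask
# may only narrow it); the final mode is +mode+ or DEFAULT_FILE_MODE.
def replace_file(path, content, mode: nil)
  dir = File.dirname(path)
  tmp = File.join(dir, ".#{File.basename(path)}.tmp#{$$}")
  # O_EXCL refuses to reuse a pre-existing file or symlink at the temp path.
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(content)
    f.flush
    f.fsync
  end
  # Explicit chmod: the final mode is not subject to umask and is set
  # before the file becomes visible under its real name.
  File.chmod(mode || DEFAULT_FILE_MODE, tmp)
  File.rename(tmp, path)
  File.stat(path).mode & 0777
ensure
  File.unlink(tmp) if tmp && File.exist?(tmp)
end

# Permission bits of +path+ as a three-digit octal string (e.g. "644"),
# handy when auditing for files that a regressed agent left at 0600.
def mode_of(path)
  format('%03o', File.stat(path).mode & 0777)
end

# Mirrors the report's reproduction: a file with no mode given should be
# 0644, while an explicitly requested 0600 is honoured.
def demo
  Dir.mktmpdir do |d|
    a = File.join(d, 'a')
    replace_file(a, "foo\n")                 # no mode -> "644"
    b = File.join(d, 'b')
    replace_file(b, "secret\n", mode: 0600)  # explicit mode -> "600"
    [mode_of(a), mode_of(b)]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints ["644", "600"]; with the regressed packages listed in the report, the equivalent `puppet apply` would leave the first file at 0600 instead.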

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I have verified that the test case provided demonstrates a regression between 2.7.11-1ubuntu2 and 2.7.11-1ubuntu2.6 as described here and in the upstream ticket.

Marc Deslauriers (mdeslaur) wrote :

I'll release regression fixes shortly.

Changed in puppet (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Raring):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in puppet (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.18-1ubuntu1.5

---------------
puppet (2.7.18-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:55:18 -0500

Changed in puppet (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.18-4ubuntu1.4

---------------
puppet (2.7.18-4ubuntu1.4) raring-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:54:31 -0500

Changed in puppet (Ubuntu Raring):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 3.2.4-2ubuntu2.3

---------------
puppet (3.2.4-2ubuntu2.3) saucy-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:48:28 -0500

Changed in puppet (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.11-1ubuntu2.7

---------------
puppet (2.7.11-1ubuntu2.7) precise-security; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 07:56:00 -0500

Changed in puppet (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 3.3.1-1ubuntu3

---------------
puppet (3.3.1-1ubuntu3) trusty; urgency=low

  * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
    - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
      mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
      spec/unit/type/file_spec.rb.
    - CVE-2013-4969
 -- Marc Deslauriers <email address hidden> Thu, 09 Jan 2014 10:57:12 -0500

Changed in puppet (Ubuntu Trusty):
status: New → Fix Released