Bug 727024 – VUL-0: puppet file overwrite via .k5login file

Bug 727024 - VUL-0: puppet file overwrite via .k5login file


Summary:	VUL-0: puppet file overwrite via .k5login file

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assigned To:	Vítězslav Čížek
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:11.3:44045 maint:relea...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2011-10-28 08:47 UTC by Ludwig Nussel
Modified:	2012-07-16 09:00 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ludwig Nussel 2011-10-28 08:47:48 UTC

Your friendly security team received the following report via mitre.
Please respond ASAP.
The issue is public.

-------8<-------
======================================================
Name: CVE-2011-3869

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.


Reference: UBUNTU: http://www.ubuntu.com/usn/USN-1223-2
Reference: UBUNTU: http://www.ubuntu.com/usn/USN-1223-1
Reference: DEBIAN: http://www.debian.org/security/2011/dsa-2314
Reference: SECUNIA: http://secunia.com/advisories/46458
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
Reference: CONFIRM: http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb

Comment 1 Bernhard Wiedemann 2011-10-31 11:00:17 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89788 11.4 / puppet

Comment 2 Bernhard Wiedemann 2011-10-31 13:00:07 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89794 11.3 / puppet
https://build.opensuse.org/request/show/89795 11.4 / puppet

Comment 3 Bernhard Wiedemann 2011-11-01 11:00:24 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89861 11.4 / puppet
https://build.opensuse.org/request/show/89863 11.3 / puppet

Comment 4 Sebastian Krahmer 2011-11-01 13:07:56 UTC

handled in MaintenanceTracker-43902

Comment 6 Swamp Workflow Management 2011-11-28 10:48:22 UTC

Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)

Comment 7 Swamp Workflow Management 2011-11-29 02:58:46 UTC

Update released for: puppet, puppet-server
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Comment 8 Bernhard Wiedemann 2011-12-09 22:00:21 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/96214 Evergreen:11.1 / puppet
https://build.opensuse.org/request/show/96215 Evergreen:11.1 / puppet

Comment 9 Bernhard Wiedemann 2012-07-10 12:00:33 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/127500 Evergreen:11.2 / puppet

Comment 10 Bernhard Wiedemann 2012-07-16 09:00:47 UTC

This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/127980 Evergreen:11.2 / puppet