Package: puppet / 2.7.23-1~deb7u3

Metadata

Package: puppet
Version: 2.7.23-1~deb7u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
fix symlink 1 ee4c6f7c697737aa919b9f90436ab0cc69934b03

spec/integration/type/file_spec.rb | 42 21 + 21 - 0 !
1 file changed, 21 insertions(+), 21 deletions(-)

---
fix symlink 2 1b0e812ad9e33b3cc148fac30a28490f60f40c63

lib/puppet/type/file/source.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
fix symlink 3 3a00ed468617c17b5a527c68cfc37d7d1fddaa72

spec/unit/type/file/source_spec.rb | 15 8 + 7 - 0 !
1 file changed, 8 insertions(+), 7 deletions(-)

---
fix symlink 4 1d8a76e060f610a9db20cf1bdd4ff95dddba9309

acceptance/tests/resource/file/ticket_7680-follow-symlinks.rb | 33 33 + 0 - 0 !
1 file changed, 33 insertions(+)

---
apache2 passenger template

ext/rack/files/apache2.conf | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set passenger puppet master document root

fix_logcheck

ext/logcheck/puppet | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix puppet-master logcheck rule

CVE 2013 4969 2.7.x temp file.patch

lib/puppet/type/file.rb | 35 12 + 23 - 0 !
lib/puppet/util.rb | 63 22 + 41 - 0 !
spec/integration/type/file_spec.rb | 15 1 + 14 - 0 !
spec/unit/type/file_spec.rb | 29 0 + 29 - 0 !
4 files changed, 35 insertions(+), 107 deletions(-)

 [patch] (#23343) use `replace_file` to update a file's contents

The previous code had an unsafe use of temp files by looking for a name
it can use in a directory and then later opening the file and writing to
it. An attacker could, through some lucky timing and good access, make
the selected name a symlink to another file and thereby cause puppet to
overwrite something that it did not intend to.

The temporary file is used to make the file update atomic and also to
check that the contents have been written correctly. This updates the
file type to use the Puppet::Util#replace_file method to do a safe,
atomic, content swap. Since replace_file requires a mode to be provided,
the code was also updated to use the assumed default of 0644, which is
used when figuring out the absolute mode integer from symbolic modes.

In order to get this change to work on Windows, there were a few
modifications that needed to be made as well:

 - New file must have binmode set to generate checksums
   appropriately across operating systems that results from newline

CVE 2013 4969 2.7.x temp file regression fix.patch

lib/puppet/type/file.rb | 4 1 + 3 - 0 !
lib/puppet/util.rb | 12 12 + 0 - 0 !
spec/unit/type/file_spec.rb | 67 67 + 0 - 0 !
3 files changed, 80 insertions(+), 3 deletions(-)

 (pup-1255) fix assumed default file mode to 0644
 When a file is created with content, the assumed default mode should be 0644,
 but this wasn't being explicitly set.  The secure file replacement (in
 Puppet::Util.replace_file) was instead defaulting to a file mode of 0600.
 The assumed default mode is now explicitly set when calling replace_file.
 .
 The code path for file creation without content continues to set a umask of
 0022 if no mode is specified on the resource, so new files are implicitly
 created with a mode of 0644.