Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7866

PMT unpacks modules with tarball permissions when using minitar

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.10.10, PUP 5.3.4
    • Component/s: None
    • Labels:
    • Template:
    • Acceptance Criteria:
      • PMT, when using minitar, uses the same permissions filtering as system tar when unpacking a module.
    • Team:
      Platform OS
    • Story Points:
      3
    • CVE-ID:
      CVE-2017-10689
    • Sprint:
      Platform OS 2017-10-17, Platform OS 2017-10-31, Platform OS Kanban
    • Method Found:
      Needs Assessment
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      The Puppet Module Tool (PMT), when using minitar, did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.
    • QA Risk Assessment:
      Automate

      Description

      When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

      When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              scott.mcclellan Scott McClellan
              Reporter:
              branan Branan Riley
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support