Puppet / PUP-7866

PMT unpacks modules with tarball permissions when using minitar

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.10.10, PUP 5.3.4
    • Component/s: None
    • Labels:
    • Template:
    • Acceptance Criteria:
      • PMT, when using minitar, uses the same permissions filtering as system tar when unpacking a module.
    • Team:
      Platform OS
    • Story Points:
      3
    • CVE-ID:
      CVE-2017-10689
    • Sprint:
      Platform OS 2017-10-17, Platform OS 2017-10-31, Platform OS Kanban
    • Method Found:
      Needs Assessment
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      The Puppet Module Tool (PMT), when using minitar, did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.
    • QA Risk Assessment:
      Automate

      Description

      When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

      When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.
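
An added example (not code from this ticket or from Puppet): a Ruby check that lists archive entries whose recorded mode carries setuid, setgid, sticky, or group/other-write bits, next to the mode a umask of 022 would leave. It reads the archive with the TarReader class bundled with RubyGems rather than minitar, and the tarball, module name and helper names are constructed for illustration.

```ruby
require 'rubygems/package'
require 'stringio'

# Bits an installer has no reason to honour from an archive:
# setuid/setgid/sticky (0o7000) and group/other write (0o022).
RISKY_BITS = 0o7000 | 0o022

# Constructed sample: an in-memory module tarball with unusual modes.
def sample_tarball
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.mkdir('example-module', 0o777)
    tar.add_file_simple('example-module/metadata.json', 0o644, 2) { |f| f.write('{}') }
    tar.add_file_simple('example-module/manifests/init.pp', 0o666, 0)
    tar.add_file_simple('example-module/files/helper.sh', 0o4777, 0)
  end
  io.string
end

# Permission bits left once special bits are dropped and a umask is applied.
def filtered_mode(mode, umask = 0o022)
  mode & 0o777 & ~umask
end

# Returns one hash per entry whose recorded mode contains risky bits.
def audit(tar_bytes, umask = 0o022)
  findings = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      mode = entry.header.mode
      next if (mode & RISKY_BITS).zero?
      findings << { name: entry.full_name, recorded: mode,
                    filtered: filtered_mode(mode, umask) }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(sample_tarball).each do |f|
    puts format('%-40s recorded %04o  filtered %04o', f[:name], f[:recorded], f[:filtered])
  end
end
```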

              People

              • Assignee:
                scott.mcclellan Scott McClellan
                Reporter:
                branan Branan Riley