First published: Wed May 27 2009
Description of problem:
I noticed that puppet may create several predictable files in /tmp, e.g.
/tmp/daemonout
/tmp/puppetdoc.txt
/tmp/puppetdoc.tex
There are also a lot more in the tests, but they may not be run in Fedora's F10 spec, and even more in the puppet source, e.g. for the dmg installation provider.

Version-Release number of selected component (if applicable):
puppet-0.24.8-1.fc10

How reproducible:
always

Steps to Reproduce:
1. grep -nR /tmp/ /usr/lib/ruby/site_ruby/1.8/puppet

Actual results:
Contains ruby code like:
/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:33: File.open("/tmp/daemonout", "w") { |f|

Expected results:
Should only report findings that are not executed, e.g. in comments or help information

Additional info:
Current git seems to contain even more issues, e.g.
lib/puppet/network/server.rb:25: File.open("/tmp/daemonout", "w") { |f|
Credit: cve@mitre.org
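The `File.open("/tmp/daemonout", "w")` pattern quoted in the report, next to two hardened ways of writing the same file. This is an added example, not Puppet's code or its actual fix; the helper names, the scratch directory standing in for /tmp, and the `victim.conf` file are constructed for illustration, and it assumes a POSIX system where `File::NOFOLLOW` is defined.

```ruby
require "tmpdir"
require "tempfile"

# Pattern from the report: a fixed name in a shared directory. Mode "w"
# follows a symlink already present at that name and truncates its target.
def write_predictable(path, data)
  File.open(path, "w") { |f| f.write(data) }
end

# Fixed name still required: EXCL makes creation fail if anything (file or
# symlink) already exists at the path; NOFOLLOW refuses a symlink as the
# final path component; 0600 keeps other users from reading the file.
def write_exclusive(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(data) }
end

# Preferred: Tempfile picks an unpredictable name and creates it
# exclusively with mode 0600. The caller removes the file when done.
def write_tempfile(dir, data)
  tmp = Tempfile.create("daemonout", dir)
  tmp.write(data)
  tmp.close
  tmp.path
end

# Constructed scenario in a private scratch directory (hypothetical names).
def demo
  Dir.mktmpdir do |dir|
    victim  = File.join(dir, "victim.conf")
    planted = File.join(dir, "daemonout")
    File.write(victim, "important")
    File.symlink(victim, planted) # something already sits at the fixed name

    blocked = begin
      write_exclusive(planted, "log")
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end
    intact = File.read(victim) == "important"

    write_predictable(planted, "log") # unsafe form writes through the link
    clobbered = File.read(victim) == "log"

    unique = write_tempfile(dir, "log")
    { blocked: blocked, intact: intact, clobbered: clobbered,
      unique_name: unique != planted, mode: File.stat(unique).mode & 0o777 }
  end
end
```

Calling `demo` returns a hash showing that the exclusive open was refused and left the linked file intact, while the predictable write overwrote it.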
Affected Software | Affected Version | How to fix |
---|---|---|
Puppet Puppet | =0.24.3 | |
Puppet Puppet | =0.25.0-beta1 | |
Puppet Puppet | =0.25.0-rc1 | |
Puppet Puppet | =0.24.5 | |
Puppet Puppet | =0.25.1 | |
Puppet Puppet | =0.25.1-rc2 | |
Puppet Puppet | =0.24.6-rc1 | |
Puppet Puppet | =0.24.7-rc2 | |
Puppet Puppet | =0.25.2-rc3 | |
Puppet Puppet | =0.24.7 | |
Puppet Puppet | =0.25.2-rc2 | |
Puppet Puppet | =0.24.6 | |
Puppet Puppet | =0.25.0 | |
Puppet Puppet | =0.25.1-rc1 | |
Puppet Puppet | =0.25.2-rc1 | |
Puppet Puppet | =0.24.4 | |
Puppet Puppet | =0.25.0-beta2 | |
Puppet Puppet | =0.24.8 | |
Puppet Puppet | =0.24.8-rc1 | |
Puppet Puppet | =0.24.6-rc2 | |
redhat/0.25.4 | <1.el5 | 1.el5 |
rubygems/puppet | >=0.25.0<0.25.2 | 0.25.2 |
rubygems/puppet | >=0.24.0<0.24.9 | 0.24.9 |