Issue #9792 has been updated by Michael Stahnke.
CVE-2011-3871

----------------------------------------
Bug #9792: puppet resource uses extremely predictable temporary file name
https://projects.puppetlabs.com/issues/9792

Author: Daniel Pittman
Status: Accepted
Priority: Immediate
Assignee: Daniel Pittman
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

`puppet resource` in `--edit` mode uses an extremely predictable file name, which will persist on human timescales, which can be known well ahead of creation, and which results in both editing an arbitrary target file, and is able to be tricked into running that arbitrary file as the invoking user.

Given that one of the most common uses of this feature will be as root – because you can't actually *do* much with it as a less privileged user – this is a serious risk of attack.
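An added example, not Puppet's code and not the fix applied for this issue: a sketch of how an edit-style workflow can create its scratch file so that a name already present in the directory is refused rather than followed. The helper names, the `fixed-name.pp` path and the sandbox contents are constructed for illustration.

```ruby
require 'tempfile'
require 'tmpdir'

# Hypothetical helper: create the edit file at a caller-chosen path, but only
# if nothing (regular file or symlink) already exists under that name.
def create_exclusive(path, content)
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o600) { |f| f.write(content) }
  true
rescue Errno::EEXIST
  false
end

# Hypothetical helper, the preferred form: Tempfile picks a random name and
# opens it with CREAT|EXCL and mode 0600. The caller deletes it when done.
def create_edit_file(content, dir)
  file = Tempfile.create(['resource-edit-', '.pp'], dir)
  file.write(content)
  file.close
  file.path
end

# Constructed scenario, confined to a private sandbox directory.
def run_demo
  Dir.mktmpdir('edit-demo') do |dir|
    target = File.join(dir, 'target.conf')   # file the editor must never touch
    File.write(target, "original\n")
    fixed = File.join(dir, 'fixed-name.pp')  # stands in for a predictable name
    File.symlink(target, fixed)              # name is taken before the edit starts

    refused = !create_exclusive(fixed, "file { '/x': }\n")
    a = create_edit_file("file { '/x': }\n", dir)
    b = create_edit_file("file { '/x': }\n", dir)
    {
      refused: refused,                                # exclusive create failed
      target_intact: File.read(target) == "original\n",
      distinct_names: a != b,                          # no reusable name
      mode: format('%o', File.stat(a).mode & 0o777),
    }
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```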
