Bug#989224: [Pkg-puppet-devel] Bug#989224: puppet: Cron Provider breaks on crontab with certain environment variables (easy DOS for a user)

2021-05-29 Thread Stig Sandbeck Mathisen
Joerg Jaspert  writes:

> Upstream does not care, see
> https://tickets.puppetlabs.com/browse/PUP-10998

From the upstream comment, it looks a bit more like "Upstream has not
understood your comment, has yet to see the issue from your perspective
or thought through the security implications of the bug".

-- 
Stig Sandbeck Mathisen
Debian Developer



Bug#989224: puppet: Cron Provider breaks on crontab with certain environment variables (easy DOS for a user)

2021-05-29 Thread Joerg Jaspert

Source: puppet
Severity: important

Dear Maintainer,

puppet's cron provider contains a bug that allows any local user to 
easily turn off the puppet service.


A crontab that contains an environment variable with a - breaks puppet. 
Change - to _ and it works.
Yes, POSIX does not allow that, sure, but users can be stupid, software 
should deal with it.


Test:
Create a crontab like

MAILTO=t...@example.com
CONSOLE-LOG=/var/log/file

*/15 * * * * /bin/bash -c "echo test"

And puppet goes boom, it couldn't parse the line, followed by a stack 
trace and out it is.

Now change the - to _ and voila, puppet does not go boom.

I personally had this on puppet6, but had a DSA member try on their 
machines, the bug exists on puppet5 buster and bullseye too.


Upstream does not care, see 
https://tickets.puppetlabs.com/browse/PUP-10998 if you want, but I think 
it would be nice if we do not ship such a bug in Debian.


--
bye, Joerg
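As an added example (not Puppet's own provider code, and not part of the bug report): a small Ruby crontab line classifier showing the difference between a strict, POSIX-only variable-name pattern, which leaves the report's "CONSOLE-LOG" line unrecognised, and a tolerant one, with unrecognised lines reported back to the caller instead of aborting the run. The regexes, function names and the sample crontab are constructed for illustration; the address is a placeholder.

```ruby
# Strict, POSIX-only environment-variable pattern. A parser that knows only
# this pattern cannot classify "CONSOLE-LOG=/var/log/file" as a variable.
STRICT_ENV = /\A([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/

# Tolerant pattern: any run of non-whitespace characters before the first "="
# is taken as the variable name. Schedule lines always contain whitespace
# between fields, so they cannot be mistaken for an assignment.
TOLERANT_ENV = /\A([^\s=]+)=(.*)\z/

# Five whitespace-separated schedule fields (or an @keyword), then a command.
CRON_ENTRY = /\A(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(.+)\z/

# Classify one crontab line. Never raises: a line the parser does not
# understand comes back as :unknown so the caller can log it and keep going,
# rather than a single odd line taking down the whole agent run.
def parse_crontab_line(line, env_pattern: TOLERANT_ENV)
  stripped = line.strip
  return { type: :blank } if stripped.empty?
  return { type: :comment, text: stripped } if stripped.start_with?("#")

  env = env_pattern.match(stripped)
  return { type: :env, name: env[1], value: env[2] } if env

  entry = CRON_ENTRY.match(stripped)
  return { type: :entry, schedule: entry[1], command: entry[2] } if entry

  { type: :unknown, text: stripped }
end

# Parse a whole crontab into an array of classified lines.
def parse_crontab(text, env_pattern: TOLERANT_ENV)
  text.lines.map { |l| parse_crontab_line(l, env_pattern: env_pattern) }
end

# Constructed sample modelled on the crontab in the bug report.
SAMPLE_CRONTAB = <<~CRON
  MAILTO=user@example.com
  CONSOLE-LOG=/var/log/file

  */15 * * * * /bin/bash -c "echo test"
CRON

if __FILE__ == $PROGRAM_NAME
  puts "strict:   #{parse_crontab(SAMPLE_CRONTAB, env_pattern: STRICT_ENV)[1].inspect}"
  puts "tolerant: #{parse_crontab(SAMPLE_CRONTAB)[1].inspect}"
end
```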