CVE-2009-3564: does not reset supplementary groups when it switches to a different user

Related Vulnerabilities: CVE-2009-3564  

Debian Bug report logs - #551073

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Thu, 15 Oct 2009 13:12:02 UTC

Severity: serious

Tags: security

Fixed in version puppet/0.25.1-3

Done: Andrew Pollock <apollock@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#551073; Package puppet. (Thu, 15 Oct 2009 13:12:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Thu, 15 Oct 2009 13:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3564: does not reset supplementary groups when it switches to a different user
Date: Thu, 15 Oct 2009 14:46:35 +0200
Package: puppet
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for puppet.

CVE-2009-3564[0]:
| puppetmasterd in puppet 0.24.6 does not reset supplementary groups
| when it switches to a different user, which might allow local users to
| access restricted files.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
    http://security-tracker.debian.net/tracker/CVE-2009-3564
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe

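The class of bug named in the CVE description above, sketched as an added example: this is not part of the bug log and not Puppet's code or its upstream fix. All function names and the sample gids are hypothetical; the privilege-changing functions need root and are defined here but not invoked.

```ruby
require 'etc'

# GIDs the account is entitled to: its primary group plus every group
# in the group database that lists it as a member.
def entitled_gids(user)
  gids = [Etc.getpwnam(user).gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(user) }
  gids.uniq
end

# Groups a process still holds that the target account should not have.
def leftover_groups(process_gids, allowed_gids)
  (process_gids - allowed_gids).uniq.sort
end

# Flawed pattern matching the CVE description: uid and gid change, but the
# supplementary group list inherited from root is never replaced.
def drop_without_group_reset(user)
  pw = Etc.getpwnam(user)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
end

# Hardened pattern: replace the group list, then gid, then uid. The uid
# goes last because the first two steps need root. Verify before returning.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  Process.initgroups(user, pw.gid)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
  extra = leftover_groups(Process.groups, entitled_gids(user))
  raise SecurityError, "still member of gids #{extra.inspect}" unless extra.empty?
  true
end

# Constructed sample (not from the bug log): a daemon started by root with
# gids 0, 4 and 27, switching to a service account whose only group is 107.
def constructed_case
  root_groups = [0, 4, 27]
  service_groups = [107]
  {
    without_reset: leftover_groups(root_groups, service_groups),
    with_reset: leftover_groups(service_groups, service_groups)
  }
end
```

On a running daemon, the same comparison can be made from outside by reading the `Groups:` line of `/proc/<pid>/status` and checking it against the service account's group memberships.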




Information forwarded to debian-bugs-dist@lists.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#551073; Package puppet. (Wed, 16 Dec 2009 19:12:03 GMT)


Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Wed, 16 Dec 2009 19:12:03 GMT)


Message #10 received at 551073@bugs.debian.org:

From: Andrew Pollock <apollock@debian.org>
To: 551073@bugs.debian.org
Subject: Assessment
Date: Thu, 17 Dec 2009 05:02:06 +1000
Fixed: 0.25.2-1

This looks feasible to backport to 0.24.5

Commit:

http://projects.reductivelabs.com/projects/puppet/repository/revisions/e32f980fd7c6291abc2841ede397c962798d9a9c/diff

Information forwarded to debian-bugs-dist@lists.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#551073; Package puppet. (Wed, 16 Dec 2009 19:48:03 GMT)


Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Wed, 16 Dec 2009 19:48:03 GMT)


Message #15 received at 551073@bugs.debian.org:

From: Andrew Pollock <apollock@debian.org>
To: control@bugs.debian.org
Cc: 518831@bugs.debian.org, 551055@bugs.debian.org, 551073@bugs.debian.org, 559092@bugs.debian.org, 561231@bugs.debian.org
Subject: setting package to puppet puppetmaster, tagging 518831, tagging 561231, tagging 551073 ...
Date: Wed, 16 Dec 2009 11:40:17 -0800
# Automatically generated email from bts, devscripts version 2.10.35lenny7
# via tagpending 
#
# puppet (0.25.1-3) unstable; urgency=low
#
#  * Require modification of /etc/default/puppet to start puppet client daemon.
#    (closes: #518831)
#  * cherry pick upstream fix for puppetrun with tags (closes: #559092)
#  * cherry pick upstream fix for supplementary groups not being reset.
#    (CVE-2009-3564) (closes: #551073)
#  * debian/{puppet,puppetmaster}.pid: Correct the path to the pidfiles
#    (closes: #561231)
#  * debian/control: version the build dependency on facter (closes: #551055) 

package puppet puppetmaster
tags 518831 + pending
tags 561231 + pending
tags 551073 + pending
tags 551055 + pending
tags 559092 + pending





Added tag(s) pending. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. (Wed, 16 Dec 2009 19:48:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#551073; Package puppet. (Wed, 16 Dec 2009 19:51:08 GMT)


Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Wed, 16 Dec 2009 19:51:08 GMT)


Message #22 received at 551073@bugs.debian.org:

From: Andrew Pollock <apollock@debian.org>
To: control@bugs.debian.org
Cc: 551073@bugs.debian.org, 559092@bugs.debian.org, 561231@bugs.debian.org
Subject: setting package to puppet puppetmaster, tagging 561231, tagging 551073, tagging 559092
Date: Wed, 16 Dec 2009 11:33:53 -0800
# Automatically generated email from bts, devscripts version 2.10.35lenny7
# via tagpending 
#
# puppet (0.25.1-3) unstable; urgency=low
#
#  * cherry pick upstream fix for puppetrun with tags (closes: #559092)
#  * cherry pick upstream fix for supplementary groups not being reset.
#    (CVE-2009-3564) (closes: #551073)
#  * debian/{puppet,puppetmaster}.pid: Correct the path to the pidfiles
#    (closes: #561231)
#

package puppet puppetmaster
tags 561231 + pending
tags 551073 + pending
tags 559092 + pending





Reply sent to Andrew Pollock <apollock@debian.org>:
You have taken responsibility. (Wed, 16 Dec 2009 21:45:14 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 21:45:14 GMT)


Message #27 received at 551073-close@bugs.debian.org:

From: Andrew Pollock <apollock@debian.org>
To: 551073-close@bugs.debian.org
Subject: Bug#551073: fixed in puppet 0.25.1-3
Date: Wed, 16 Dec 2009 21:43:38 +0000
Source: puppet
Source-Version: 0.25.1-3

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive:

puppet_0.25.1-3.diff.gz
  to main/p/puppet/puppet_0.25.1-3.diff.gz
puppet_0.25.1-3.dsc
  to main/p/puppet/puppet_0.25.1-3.dsc
puppet_0.25.1-3_all.deb
  to main/p/puppet/puppet_0.25.1-3_all.deb
puppetmaster_0.25.1-3_all.deb
  to main/p/puppet/puppetmaster_0.25.1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 551073@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Pollock <apollock@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 16 Dec 2009 11:36:39 -0800
Source: puppet
Binary: puppet puppetmaster
Architecture: source all
Version: 0.25.1-3
Distribution: unstable
Urgency: low
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Andrew Pollock <apollock@debian.org>
Description: 
 puppet     - centralised configuration management for networks
 puppetmaster - centralised configuration management control daemon
Closes: 518831 551055 551073 559092 561231
Changes: 
 puppet (0.25.1-3) unstable; urgency=low
 .
   [ Nigel Kersten ]
   * Require modification of /etc/default/puppet to start puppet client daemon.
     (closes: #518831)
   * cherry pick upstream fix for puppetrun with tags (closes: #559092)
   * cherry pick upstream fix for supplementary groups not being reset.
     (CVE-2009-3564) (closes: #551073)
 .
   [ Andrew Pollock ]
   * debian/{puppet,puppetmaster}.pid: Correct the path to the pidfiles
     (closes: #561231)
   * debian/control: version the build dependency on facter (closes: #551055)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:48:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:15:35 2019; Machine Name: buxtehude
