Bug #4648
closed
CVE-2014-0135 - Kafo does not handle default_values.yaml securely
Description
The /tmp/default_values.yaml file has world-readable permissions, and its existence is not checked when it is being created. Therefore it's prone to race-condition attacks. This file contains default values for all parameters (usually autogenerated passwords).
Proposed fix steps:
- we'll use mktmpdir, which will be passed to the kafo_configure puppet module as a parameter
- the kafo_configure puppet module will safely create the file (check for non-existence, create the file with 0600, then dump the data)
- packages (rpm, deb, gem) will remove any existing /tmp/default_values.yaml
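The first two proposed steps, sketched in Ruby as an added example (this is not the attached patch or Kafo's own code). The helper names `write_defaults_securely` and `attempt`, the file names and the sample values are hypothetical and constructed here, and the file is written directly from Ruby rather than by the puppet module.

```ruby
require 'tmpdir'
require 'yaml'

# Hypothetical helper (not Kafo's code): create the defaults file inside a
# private directory, refusing any path that already exists.
def write_defaults_securely(dir, values, name = 'default_values.yaml')
  path = File.join(dir, name)
  # CREAT|EXCL makes "check for non-existence" and "create" one atomic step,
  # so nothing can be placed at the path between the check and the open.
  # A symlink at the path also counts as existing and raises Errno::EEXIST.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600)             # explicit owner-only mode before any data
    f.write(YAML.dump(values)) # dump data last
  end
  path
end

# Returns :created or :refused instead of raising, for easy comparison.
def attempt(dir, values, name)
  write_defaults_securely(dir, values, name)
  :created
rescue Errno::EEXIST
  :refused
end

# Exercises the helper with constructed sample data and returns observations.
def demo
  Dir.mktmpdir('kafo_demo') do |dir| # created 0700, removed when block ends
    out = { dir_mode: File.stat(dir).mode & 0o777 }
    path = write_defaults_securely(dir, { 'db_password' => 'constructed-sample' })
    out[:file_mode] = File.stat(path).mode & 0o777
    out[:roundtrip] = YAML.load_file(path)
    out[:second_create] = attempt(dir, {}, 'default_values.yaml')
    # Pre-existing symlink pointing at another file in the same directory.
    other = File.join(dir, 'other.txt')
    File.write(other, 'untouched')
    File.symlink(other, File.join(dir, 'linked.yaml'))
    out[:symlink_create] = attempt(dir, { 'x' => 1 }, 'linked.yaml')
    out[:other_content] = File.read(other)
    out
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```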
Files
Updated by Marek Hulán about 11 years ago
- File 0001-Fix-4648-store-default-values-securely.patch added
- Status changed from Assigned to Ready For Testing
Updated by Marek Hulán about 11 years ago
- Subject changed from Kafo does not handle default_values.yaml securely to CVE-2014-0135 - Kafo does not handle default_values.yaml securely
Updated by Marek Hulán almost 11 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100