Issue #6955 has been updated by Jeff Weiss.

Status changed from Accepted to In Topic Branch Pending Review
Assignee changed from Hailee Kenney to Jeff Weiss
Branch set to https://github.com/puppetlabs/facter/pull/203
----------------------------------------
Bug #6955: Risk of malicious code execution
https://projects.puppetlabs.com/issues/6955#change-62640

Author: Jacek Masiulaniec
Status: In Topic Branch Pending Review
Priority: Urgent
Assignee: Jeff Weiss
Category: library
Target version: 2.0.0
Keywords:
Branch: https://github.com/puppetlabs/facter/pull/203
Affected Facter version:

Fact search path includes current working directory:

    [jacekm@localhost ~]$ ls facter
    ls: facter: No such file or directory
    [jacekm@localhost ~]$ facter >/dev/null
    [jacekm@localhost ~]$ mkdir facter
    [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb
    [jacekm@localhost ~]$ facter >/dev/null
    evil code
    [jacekm@localhost ~]$

This is harmful in multi-user environments: starting facter in a specially crafted directory can result in malicious code execution.
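Added example, not part of the original report and not Facter's own code: a Ruby audit of a code search path that rejects the kind of entry described above (one that resolves against the current working directory) before any file is loaded from it. The function names and the sample directories are hypothetical and constructed for illustration; the check covers only the listed directory itself, not its parents or its owner.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical helper: classify one search-path entry.
# Returns :relative, :missing, :writable_by_others or :ok.
def classify_search_dir(entry)
  path = Pathname.new(entry)
  # ".", "" and "facter" all resolve against whatever directory the
  # process was started in, which the caller may not control.
  return :relative unless path.absolute?
  return :missing unless path.directory?
  # Group- or world-writable: another local user can drop a .rb file here.
  return :writable_by_others if path.stat.mode & 0o022 != 0
  :ok
end

# Split a search path into the entries safe to load code from and a
# full report of [entry, verdict] pairs for logging.
def audit_search_path(entries)
  report = entries.map { |e| [e, classify_search_dir(e)] }
  safe = report.select { |_, verdict| verdict == :ok }.map(&:first)
  [safe, report]
end

# Constructed sample input: three relative entries, one trusted
# directory, one world-writable directory, one that does not exist.
def demo
  Dir.mktmpdir do |root|
    trusted = File.join(root, "trusted")
    shared  = File.join(root, "shared")
    FileUtils.mkdir_p([trusted, shared])
    File.chmod(0o755, trusted)
    File.chmod(0o777, shared)
    audit_search_path([".", "", "facter", trusted, shared,
                       File.join(root, "absent")])
  end
end

if __FILE__ == $0
  _safe, report = demo
  report.each { |entry, verdict| puts format("%-20s %s", verdict, entry.inspect) }
end
```
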
