Issue #6955 has been updated by Josh Cooper. Target version changed from 2.0.0 to 1.7.0
This was actually released in 1.7.0, but wasn't apparent, likely due to the facter 2.x branch issue <https://groups.google.com/forum/?fromgroups=#!topic/puppet-dev/eHmSzwHoFAk> ---------------------------------------- Bug #6955: Risk of malicious code execution https://projects.puppetlabs.com/issues/6955#change-89945 * Author: Jacek Masiulaniec * Status: Closed * Priority: Urgent * Assignee: Jeff Weiss * Category: library * Target version: 1.7.0 * Keywords: * Branch: https://github.com/puppetlabs/facter/pull/203 * Affected Facter version: ---------------------------------------- Fact search path includes current working directory: [jacekm@localhost ~]$ ls facter ls: facter: No such file or directory [jacekm@localhost ~]$ facter >/dev/null [jacekm@localhost ~]$ mkdir facter [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb [jacekm@localhost ~]$ facter >/dev/null evil code [jacekm@localhost ~]$ This is harmful in multi-user environments: starting facter in specially crafted directory can result in malicious code execution. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
