(RE-10220) Fix CVE-2018-6508

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c163e15454c607559695f52a5d99d61ebfb8361a..cc0169f15c705dda5b77d8231d0245164c0ec8ed 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org).
 
+## Supported Release [4.5.1]
+### Summary
+This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks.
+
+### Fixed
+- Fix init task for arbitrary remote code
+
 ## Supported Release [4.5.0]
 ### Summary
 This release uses the PDK convert functionality which in return makes the module PDK compliant. It also includes a roll up of maintenance changes.

diff --git a/metadata.json b/metadata.json
index 2706528ea1bc6aa45d7c525ea88e497cc23f56fa..d5b31f2428e5ac56ccb376aa733413a719b5d5ac 100644 (file)
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-apt",
-  "version": "4.5.0",
+  "version": "4.5.1",
   "author": "Puppet Labs",
   "summary": "Provides an interface for managing Apt source, key, and definitions with Puppet",
   "license": "Apache-2.0",

diff --git a/tasks/init.rb b/tasks/init.rb
index 5db86ebb0c00b0fca3ca3883e6156129287306cc..d256468b64a739fdaa6446f49b1d5069bc46891d 100755 (executable)
--- a/tasks/init.rb
+++ b/tasks/init.rb
@@ -4,9 +4,9 @@ require 'open3'
 require 'puppet'
 
 def apt_get(action)
-  cmd_string = "apt-get #{action}"
-  cmd_string << ' -y' if  action == 'upgrade'
-  stdout, stderr, status = Open3.capture3(cmd_string)
+  cmd = ['apt-get', action]
+  cmd << ' -y' if action == 'upgrade'
+  stdout, stderr, status = Open3.capture3(*cmd)
   raise Puppet::Error, stderr if status != 0
   { status: stdout.strip }
 end