From: Eric Putnam Date: Thu, 1 Feb 2018 17:54:33 +0000 (-0800) Subject: Merge pull request #2 from puppetlabs/cve-2018-6508 X-Git-Tag: 4.5.1^0 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=21a1264f9b81950d83da626dc51faa9e45285eab;hp=9adccd02b6930d9af1c8cb7013f8d7e631eca66d;p=puppet-modules%2Fpuppetlabs-apt.git Merge pull request #2 from puppetlabs/cve-2018-6508 (RE-10220) Fix CVE-2018-6508 --- diff --git a/CHANGELOG.md b/CHANGELOG.md index c163e15..cc0169f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). +## Supported Release [4.5.1] +### Summary +This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks. + +### Fixed +- Fix init task for arbitrary remote code + ## Supported Release [4.5.0] ### Summary This release uses the PDK convert functionality which in return makes the module PDK compliant. It also includes a roll up of maintenance changes. diff --git a/metadata.json b/metadata.json index 2706528..d5b31f2 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-apt", - "version": "4.5.0", + "version": "4.5.1", "author": "Puppet Labs", "summary": "Provides an interface for managing Apt source, key, and definitions with Puppet", "license": "Apache-2.0", diff --git a/tasks/init.rb b/tasks/init.rb index 5db86eb..d256468 100755 --- a/tasks/init.rb +++ b/tasks/init.rb @@ -4,9 +4,9 @@ require 'open3' require 'puppet' def apt_get(action) - cmd_string = "apt-get #{action}" - cmd_string << ' -y' if action == 'upgrade' - stdout, stderr, status = Open3.capture3(cmd_string) + cmd = ['apt-get', action] + cmd << ' -y' if action == 'upgrade' + stdout, stderr, status = Open3.capture3(*cmd) raise Puppet::Error, stderr if status != 0 { status: stdout.strip } end