From 81879be960d5723016e3d0b4ff155ee704261bbc Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Wed, 31 Jan 2018 17:08:02 -0800
Subject: [PATCH] (RE-10220) Fix CVE-2018-6508

---
 CHANGELOG.md | 7 +++++++
 metadata.json | 2 +-
 tasks/init.rb | 6 +++---
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c163e15..cc0169f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org).
 
+## Supported Release [4.5.1]
+### Summary
+This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks.
+
+### Fixed
+- Fix init task for arbitrary remote code
+
 ## Supported Release [4.5.0]
 ### Summary
 This release uses the PDK convert functionality which in return makes the module PDK compliant. It also includes a roll up of maintenance changes.
diff --git a/metadata.json b/metadata.json
index 2706528..d5b31f2 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-apt",
-  "version": "4.5.0",
+  "version": "4.5.1",
   "author": "Puppet Labs",
   "summary": "Provides an interface for managing Apt source, key, and definitions with Puppet",
   "license": "Apache-2.0",
diff --git a/tasks/init.rb b/tasks/init.rb
index 5db86eb..d256468 100755
--- a/tasks/init.rb
+++ b/tasks/init.rb
@@ -4,9 +4,9 @@ require 'open3'
 require 'puppet'
 
 def apt_get(action)
-  cmd_string = "apt-get #{action}"
-  cmd_string << ' -y' if action == 'upgrade'
-  stdout, stderr, status = Open3.capture3(cmd_string)
+  cmd = ['apt-get', action]
+  cmd << ' -y' if action == 'upgrade'
+  stdout, stderr, status = Open3.capture3(*cmd)
   raise Puppet::Error, stderr if status != 0
   { status: stdout.strip }
 end
--
2.45.2
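Review bot: In the tasks/init.rb hunk the new argv form passes `' -y'` to apt-get as one argument with a leading space, so on `upgrade` the flag is no longer recognized as `-y`; the element should lose the space: `cmd << '-y' if action == 'upgrade'`. Switching to `Open3.capture3(*cmd)` removes the shell from the call, which is the CVE-2018-6508 fix, but `action` is still forwarded verbatim as an apt-get operation. If the task's accompanying metadata does not already constrain `action` to an enum, an allowlist check before building `cmd` (for example `raise Puppet::Error, "unsupported action: #{action}" unless %w[update upgrade dist-upgrade].include?(action)`, with the list adjusted to the operations the task intends to expose) would keep the task limited to those operations regardless of how it is invoked.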