[Pkg-puppet-devel] Bug#989224: puppet: Cron Provider breaks on crontab with certain environment variables (easy DOS for a user)
Joerg Jaspert
joerg at debian.org
Sat May 29 11:56:44 BST 2021
Source: puppet
Severity: important
Dear Maintainer,
Puppet's cron provider contains a bug that allows any local user to
easily turn off the puppet service.
A crontab that contains an environment variable with a - breaks puppet.
Change - to _ and it works.
Yes, POSIX does not allow that, sure, but users can be stupid, software
should deal with it.
Test:
Create a crontab like
MAILTO=test@example.com
CONSOLE-LOG=/var/log/file
*/15 * * * * /bin/bash -c "echo test"
And puppet goes boom, it couldn't parse the line, followed by a stack
trace and out it is.
Now change the - to _ and voila, puppet does not go boom.
I personally had this on puppet6, but had a DSA member try on their
machines, the bug exists on puppet5 buster and bullseye too.
Upstream does not care, see
https://tickets.puppetlabs.com/browse/PUP-10998 if you want, but I think
it would be nice if we do not ship such a bug in Debian.
--
bye, Joerg
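
Added example (not part of the original report and not Puppet's provider code): a Ruby audit that classifies crontab lines leniently and reports environment assignments whose name is not a POSIX variable name, instead of raising on them. The function names `classify_line` and `audit_crontab` and both regexes are assumptions made for this sketch.

```ruby
# Added example; hypothetical helper names, not Puppet's own parser.
# Flags crontab environment assignments whose variable name is not a
# POSIX name ([A-Za-z_][A-Za-z0-9_]*), such as CONSOLE-LOG in the report.

POSIX_NAME = /\A[A-Za-z_][A-Za-z0-9_]*\z/

# Lenient assignment match (assumption): a first token that does not start
# like a comment or a schedule field (digit, '*', '@'), followed by '='.
ASSIGNMENT = /\A\s*([^\s=\#*@\d][^\s=]*)\s*=\s*(.*)\z/

# Returns [kind, name]; never raises on a line it does not recognise.
def classify_line(line)
  text = line.chomp
  return [:blank, nil]   if text.strip.empty?
  return [:comment, nil] if text.lstrip.start_with?('#')

  if (m = ASSIGNMENT.match(text))
    kind = POSIX_NAME.match?(m[1]) ? :environment : :bad_environment
    return [kind, m[1]]
  end
  [:job, nil]
end

# Returns one finding per non-POSIX variable name, with its line number.
def audit_crontab(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    kind, name = classify_line(line)
    findings << { line: lineno, name: name } if kind == :bad_environment
  end
  findings
end

# The crontab from the report, embedded so the example runs offline.
SAMPLE = <<~CRON
  MAILTO=test@example.com
  CONSOLE-LOG=/var/log/file
  */15 * * * * /bin/bash -c "echo test"
CRON

if __FILE__ == $PROGRAM_NAME
  audit_crontab(SAMPLE).each do |f|
    puts "line #{f[:line]}: non-POSIX variable name #{f[:name].inspect}"
  end
end
```

Run against each user's crontab text, this lists the lines to rename before the agent next reads them.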