From 0428179232d82cfad0dd6db3bfc64bd2d8f287e4 Mon Sep 17 00:00:00 2001
From: Michael Stahnke
Date: Oct 11 2014 05:32:09 +0000
Subject: Patch facter 1.6 series for Bug 1107891 - CVE-2014-3248 See http://puppetlabs.com/security/cve/cve-2014-3248 for more information from upstream.
---
diff --git a/0001-FACT-480-Remove-current-directory-from-Ruby-load-pat.patch b/0001-FACT-480-Remove-current-directory-from-Ruby-load-pat.patch
new file mode 100644
index 0000000..fc18927
--- /dev/null
+++ b/0001-FACT-480-Remove-current-directory-from-Ruby-load-pat.patch
@@ -0,0 +1,37 @@
+From ce6ab75842178d300e1c9b47b9f54afbf65da185 Mon Sep 17 00:00:00 2001
+From: Peter Huene
+Date: Tue, 6 May 2014 14:33:11 -0700
+Subject: [PATCH] (FACT-480) Remove current directory from Ruby load path.
+
+The current directory ('.') is on the load path for Ruby 1.8.7.
+This is a security vulnerability as it allows arbitrary code loading if
+users create ruby source files with names that correspond to those that
+facter is trying to load.
+
+The fix is to explicitly remove '.' from the load path before any code
+is loaded by facter.
+---
+ bin/facter | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bin/facter b/bin/facter
+index 0616157..7aec067 100755
+--- a/bin/facter
++++ b/bin/facter
+@@ -55,6 +55,10 @@
+ # Copyright (c) 2011 Puppet Labs, Inc
+ # Licensed under the Apache 2.0 license
+
++# For security reasons, ensure that '.' is not on the load path
++# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
++$LOAD_PATH.delete '.'
++
+ # Bundler and rubygems maintain a set of directories from which to
+ load gems. If Bundler is loaded, let it determine what can be
+ loaded. If it's not loaded, then use rubygems. But do this before
+
+
+--
+2.1.2
+
+
diff --git a/facter.spec b/facter.spec
index 14bee87..65949cb 100644
--- a/facter.spec
+++ b/facter.spec
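Review bot: The `$LOAD_PATH.delete '.'` added in the embedded `bin/facter` hunk only covers the command-line entry point, and it removes only an entry spelled exactly `'.'`. Programs that load facter as a library via `require 'facter'` never execute this script, so on Ruby 1.8.7 they presumably still resolve requires against the working directory unless they clean the load path themselves. Other relative entries (for example `./`, or a relative directory supplied through `RUBYLIB` or `-I`) also appear to be left in place; it is worth confirming whether those are in scope for this backport. At minimum I would state the limit next to the fix, e.g. `# NOTE: this only protects the facter executable; library callers must sanitize $LOAD_PATH themselves`. The rest of `bin/facter` lies outside the hunk, so whether anything is required before this point cannot be checked from here.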
@@ -16,7 +16,7 @@ Name: facter Version: 1.6.18 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Command and ruby library for gathering system information Group: System Environment/Base @@ -27,7 +27,8 @@ Source1: http://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.g # https://bugzilla.redhat.com/719611 # https://projects.puppetlabs.com/issues/19989 Patch0: 0001-19989-Filter-virt-what-warnings-from-virtual-fact.patch -Patch1: 0002-976942-correct-ipaddress-non-loopback.patch +Patch1: 0002-976942-correct-ipaddress-non-loopback.patch +Patch2: 0001-FACT-480-Remove-current-directory-from-Ruby-load-pat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: ruby >= 1.8.1 @@ -71,6 +72,7 @@ key off the values returned by facts. %setup -q %patch0 -p1 %patch1 -p0 +%patch2 -p1 %build @@ -114,6 +116,10 @@ rspec spec %changelog +* Fri Oct 10 2014 Michael Stahnke - 1.6.18-5 +- Fix for Bug 1107891 - CVE-2014-3248 +- Backported patch from 1.7.6 + * Fri Jun 21 2013 Sam Kottler 1.6.18-4 - Apply upstream patch to ensure the first non-127.0.0.1 interface
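Review bot: `Patch2` in the `@@ -27,7 +27,8 @@` hunk is added without a reference comment of the kind that precedes `Patch0`, so the patch list itself does not say which advisory this file addresses; that link exists only in the `%changelog` entry. Adding `# https://bugzilla.redhat.com/1107891` and `# CVE-2014-3248 (upstream FACT-480)` directly above the `Patch2:` line would keep the provenance next to the patch, which helps when auditing or rebasing the package later.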