
ansible-galaxy - Fix tar path traversal issue during install - CVE-2020-10691 #68596

Merged
merged 1 commit into ansible:devel from galaxy-tar on Mar 31, 2020

Conversation

jborean93
Contributor

SUMMARY

A specially crafted path in a tarfile could have `ansible-galaxy collection install` place files outside of the collection directory. This adds a check on the filename and will fail if it ever occurs.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

ansible-galaxy
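The check the summary describes, rejecting any archive member whose extraction path would land outside the collection directory, as an added illustration written for this page. It is not the code from the PR or from ansible-galaxy; the function names, the `/opt/coll` destination and the sample member list are constructed for the example. The check is applied to the resolved path rather than to the raw string, so `plugins/../../x` is caught as well as `../x`, and symlink or hardlink targets are validated too, which goes slightly beyond the filename check the summary mentions.

```python
import io
import os
import tarfile


def resolve_member_path(dest_dir, member_name):
    """Return the absolute path that member_name would be extracted to.

    Raises ValueError if the member name is absolute or, after
    normalization, lands outside dest_dir.
    """
    dest_dir = os.path.abspath(dest_dir)
    if os.path.isabs(member_name):
        raise ValueError("absolute member name: %r" % member_name)
    target = os.path.abspath(os.path.join(dest_dir, member_name))
    # The trailing separator stops '/opt/coll' from matching '/opt/coll2'.
    if target != dest_dir and not target.startswith(dest_dir + os.sep):
        raise ValueError("member escapes destination: %r" % member_name)
    return target


def is_safe_member(dest_dir, member_name, linkname=None):
    """True if the member (and, for a symlink, its target) stays inside dest_dir."""
    try:
        resolve_member_path(dest_dir, member_name)
        if linkname is not None:
            # A symlink target is relative to the directory holding the link.
            link_dir = os.path.dirname(member_name)
            resolve_member_path(dest_dir, os.path.join(link_dir, linkname))
    except ValueError:
        return False
    return True


def find_unsafe_members(fileobj, dest_dir):
    """Scan every member before extracting anything; return the offending names."""
    unsafe = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for m in tar.getmembers():
            if m.issym():
                ok = is_safe_member(dest_dir, m.name, m.linkname)
            elif m.islnk():
                # Hard-link targets are archive-relative, not member-relative.
                ok = is_safe_member(dest_dir, m.name) and is_safe_member(dest_dir, m.linkname)
            else:
                ok = is_safe_member(dest_dir, m.name)
            if not ok:
                unsafe.append(m.name)
    return unsafe


# Constructed sample (hypothetical, not a real collection): member names a
# collection tarball might carry, two traversal attempts and an escaping symlink.
SAMPLE_MEMBERS = [
    ("galaxy.yml", None),
    ("docs/../README.md", None),       # normalizes to README.md: allowed
    ("../../etc/passwd", None),        # leaves dest_dir: rejected
    ("plugins/../../outside", None),   # escapes only after normalization: rejected
    ("docs/latest", "../README.md"),   # symlink that stays inside: allowed
    ("plugins/link", "../../../etc"),  # symlink that escapes: rejected
]


def build_sample_tar(members):
    """Build an in-memory tar from (name, symlink_target_or_None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname in members:
            info = tarfile.TarInfo(name=name)
            if linkname is None:
                payload = b"sample\n"
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Validate the whole archive first; an installer would abort on any hit
    # rather than extracting the good members and skipping the bad ones.
    for name in find_unsafe_members(build_sample_tar(SAMPLE_MEMBERS), "/opt/coll"):
        print("refusing to extract:", name)
```

The scan runs over all members before anything is written, so a single bad entry fails the whole install instead of leaving a partially extracted collection behind.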

@jborean93
Contributor Author

cc @felixfontein

@ansibot ansibot added affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Mar 31, 2020
Contributor

@felixfontein felixfontein left a comment


LGTM

@ansibot ansibot added shipit This PR is ready to be merged by Core needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. shipit This PR is ready to be merged by Core labels Mar 31, 2020
@jborean93 jborean93 merged commit a20a527 into ansible:devel Mar 31, 2020
@jborean93 jborean93 deleted the galaxy-tar branch March 31, 2020 20:39
jborean93 added a commit to jborean93/ansible that referenced this pull request Mar 31, 2020
jborean93 added a commit to jborean93/ansible that referenced this pull request Mar 31, 2020
@jborean93
Contributor Author

Backport PR to stable-2.9 #68601.

@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Apr 1, 2020
mattclay pushed a commit that referenced this pull request Apr 15, 2020
…20-10691 - 2.9 (#68601)

* ansible-galaxy - Fix tar path traversal issue during install - CVE-2020-10691 (#68596)

(cherry picked from commit a20a527)

* Remove extra tests missing from rebase
@ansible ansible locked and limited conversation to collaborators Apr 28, 2020