Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ansible: v2.9.2 → v2.9.7, v2.8.7 → v2.8.11, v2.7.15 → v2.7.17 #86980

Merged
merged 3 commits into from May 5, 2020

Conversation

@mweinelt
Copy link
Member

mweinelt commented May 5, 2020

Motivation for this change

Fixes a bunch of CVEs. The version identifiers in the CVE descriptions are not always correct, I validated all CVEs against the source tree.

  • CVE-2020-10684
    • A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
  • CVE-2020-1733
    • A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p "; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.
  • CVE-2020-1735
    • A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
  • CVE-2020-1739
    • A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
  • CVE-2020-1740
    • A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
       

The following CVEs are yet to be fixed:

  • CVE-2020-1736 (unfixed ansible/ansible#67794)
    • A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
  • CVE-2020-1738 (unfixed, unimportant, requires remote to be compromised already ansible/ansible#67796 (comment))
    • A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
mweinelt added 3 commits May 5, 2020
Fixes: CVE-2020-10684, CVE-2020-1733, CVE-2020-1735, CVE-2020-1739, CVE-2020-1740
Fixes: CVE-2020-10684, CVE-2020-1733, CVE-2020-1735, CVE-2020-1739, CVE-2020-1740
Fixes: CVE-2020-10684, CVE-2020-1733, CVE-2020-1735, CVE-2020-1739, CVE-2020-1740
@mweinelt mweinelt requested review from FRidh and jonringer as code owners May 5, 2020
@ofborg ofborg bot added the 6.topic: python label May 5, 2020
@mweinelt mweinelt mentioned this pull request May 5, 2020
4 of 10 tasks complete
@ofborg ofborg bot requested a review from costrouc May 5, 2020
@FRidh FRidh merged commit eb264a9 into NixOS:master May 5, 2020
16 checks passed
16 checks passed
Evaluation Performance Report Evaluator Performance Report
Details
ansible, ansible.passthru.tests on aarch64-linux Success
Details
ansible, ansible.passthru.tests on x86_64-linux Success
Details
grahamcofborg-eval ^.^!
Details
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
Details
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./pkgs/t
Details
grahamcofborg-eval-lib-tests nix-build --arg pkgs import ./. {} ./lib/tests/release.nix
Details
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./nixos/
Details
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./nixos/
Details
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./nixos/
Details
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./pkgs/t
Details
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./pkgs/t
Details
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="e829499"; rev="e829499d696b34cf06ef4085ca0319181ca88c7b"; } ./pkgs/t
Details
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
@mweinelt mweinelt deleted the mweinelt:pr/ansible/v2.9.7 branch May 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.