2.7: user: do not pass ssh_key_passphrase on cmdline #47445

Merged: 4 commits, Oct 23, 2018

@mkrizek mkrizek commented Oct 22, 2018

SUMMARY

CVE-2018-16837

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit a0aa53d)

Backport of #47436

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

user

ANSIBLE VERSION
2.7
ADDITIONAL INFORMATION

ansibot commented Oct 23, 2018

Hi @mkrizek, thank you for submitting this pull-request!

ansibot commented Oct 23, 2018

The test ansible-test sanity --test changelog [explain] failed with the error:

Command "/usr/bin/python test/sanity/code-smell/changelog.py" returned exit status 1.
>>> Standard Error
Traceback (most recent call last):
  File "packaging/release/changelogs/changelog.py", line 814, in <module>
    main()
  File "packaging/release/changelogs/changelog.py", line 98, in main
    args.func(args)
  File "packaging/release/changelogs/changelog.py", line 109, in command_lint
    lint_fragments(fragments, exceptions)
  File "packaging/release/changelogs/changelog.py", line 227, in lint_fragments
    errors += linter.lint(fragment)
  File "packaging/release/changelogs/changelog.py", line 307, in lint
    errors += [(fragment.path, 0, 0, result[1]) for result in results]
  File "packaging/release/changelogs/changelog.py", line 307, in <listcomp>
    errors += [(fragment.path, 0, 0, result[1]) for result in results]
  File "/usr/local/lib/python3.6/dist-packages/rstcheck.py", line 169, in check
    find_ignored_languages(source)
  File "/usr/local/lib/python3.6/dist-packages/rstcheck.py", line 235, in find_ignored_languages
    for (index, line) in enumerate(source.splitlines()):
AttributeError: 'dict' object has no attribute 'splitlines'
Traceback (most recent call last):
  File "test/sanity/code-smell/changelog.py", line 14, in <module>
    main()
  File "test/sanity/code-smell/changelog.py", line 10, in main
    subprocess.check_call(cmd)
  File "/usr/lib/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['packaging/release/changelogs/changelog.py', 'lint', 'changelogs/fragments/user-do-not-pass-ssh_key_passphrase-on-cmdline.yaml']' returned non-zero exit status 1.

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/modules/system/user.py:876:21: E210 subprocess.Popen call found. Should be module.run_command

ansibot commented Oct 23, 2018

ansibot added labels Oct 23, 2018:
  • affects_2.7: This issue/PR affects Ansible v2.7
  • backport: This PR does not target the devel branch.
  • bug: This issue/PR relates to a bug.
  • module: This issue/PR relates to a module.
  • needs_revision: This PR fails CI tests or a maintainer has requested a review/revision of the PR.
  • needs_triage: Needs a first human triage before being processed.
  • support:community: This issue/PR relates to code supported by the Ansible community.
  • support:core: This issue/PR relates to code supported by the Ansible Engineering Team.

mkrizek and others added 2 commits October 22, 2018 18:29
CVE-2018-16837

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit a0aa53d)

ansibot commented Oct 23, 2018

ansibot added labels Oct 23, 2018:
  • core_review: In order to be merged, this PR must follow the core review workflow.
  • test: This PR relates to tests.
ansibot removed labels Oct 23, 2018:
  • needs_revision: This PR fails CI tests or a maintainer has requested a review/revision of the PR.

abadger merged commit b618339 into ansible:stable-2.7 Oct 23, 2018

abadger commented Oct 23, 2018

Merged for the 2.7.1 release.

@mattclay @nitzmahone, you'll probably want to cherry-pick from this PR for the stable-2.6 and stable-2.5 branches as it consolidates the fix and all of the follow-on commits.

mkrizek deleted the backport/2.7/47436 branch October 23, 2018 05:38
webknjaz removed labels Oct 23, 2018:
  • needs_triage: Needs a first human triage before being processed.
nitzmahone pushed a commit to nitzmahone/ansible that referenced this pull request Oct 24, 2018
* user: do not pass ssh_key_passphrase on cmdline

CVE-2018-16837

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit a0aa53d)

* Ignore user module use of subprocess.

(cherry picked from commit 8d00afc)

* Fix python3 problem in user module cve fix

(cherry picked from commit 9088671)

* Fix changelog entry for user module CVE fix

(cherry picked from commit 210a43e)
(cherry picked from commit b618339)
ansible locked and limited conversation to collaborators Jul 22, 2019