Command used in subversion module is problematic #67797

Closed
samdoran opened this issue Feb 26, 2020 · 2 comments · Fixed by #67829
Labels: affects_2.10 (affects Ansible v2.10), bug, module, security (related to a vulnerability or CVE), source_control, support:core (code supported by the Ansible Engineering Team)

Comments

@samdoran (Contributor) wrote:

SUMMARY

CVE-2020-1739

The password is used in the svn command that is run by the subversion module. The password should be passed in via some mechanism other than a command-line parameter, to avoid the password being read from /proc/<pid>/cmdline on the managed node.

Problematic code:

# self.password becomes an argv element of the child svn process,
# so it is exposed in /proc/<pid>/cmdline for as long as svn runs
bits.extend(["--password", self.password])
bits.extend(args)
rc, out, err = self.module.run_command(bits, check_rc)

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/modules/source_control/subversion.py

ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
- subversion:
    repo: svn+ssh://an.example.org/path/to/repo
    dest: /src/checkout
    checkout: no
    update: no
    password: "{{ vault_svn_pass }}"
EXPECTED RESULTS

Password is not visible.

ACTUAL RESULTS

Password can be observed at /proc/<pid>/cmdline on the managed node.

samdoran added the security label Feb 26, 2020
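The following is an added example, not code from the Ansible or Subversion projects, showing why the pattern reported above leaks and what the alternative looks like. It uses a throw-away Python child process in place of svn (the child only reads one line from stdin and exits), reads the child's argument vector the way any local user would, and compares passing a constructed secret as an argument against passing it over stdin. The helper names (read_cmdline, spawn_and_inspect, secret_in_argv, secret_via_stdin) are the example's own.

```python
"""Show that a secret passed in argv is readable by other local users
(the defect behind CVE-2020-1739) and that passing it over stdin is not.

Added example; it is not Ansible's or Subversion's code. The child
process stands in for `svn`, and the secret values are constructed.
"""
import subprocess
import sys

# Stand-in for svn: blocks on stdin, ignores its own argv, then exits.
CHILD_SCRIPT = "import sys; sys.stdin.readline()"


def read_cmdline(pid):
    """Return the argument vector of process `pid` as a local user sees it.

    On Linux /proc/<pid>/cmdline is world-readable by default (unless /proc
    is mounted with hidepid); it holds argv as NUL-separated strings. Where
    /proc is absent, `ps -o args=` exposes the same information.
    """
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            raw = f.read()
        return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=True).stdout
        return out.strip().split()


def spawn_and_inspect(argv, stdin_data):
    """Start `argv`, snapshot its command line while it runs, then let it exit.

    Popen returns only after the child has exec'd, so the snapshot reflects
    the child's own argv rather than the parent's.
    """
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        seen = read_cmdline(proc.pid)
    finally:
        proc.communicate(stdin_data)  # unblocks the child and reaps it
    return seen


def secret_in_argv(secret):
    """Vulnerable pattern: `--password <secret>` on the command line.

    Returns True when the secret is visible in the child's argument vector.
    """
    argv = [sys.executable, "-c", CHILD_SCRIPT, "--password", secret]
    return secret in spawn_and_inspect(argv, b"\n")


def secret_via_stdin(secret):
    """Safer pattern: the secret travels over the stdin pipe, not argv.

    Returns True when the secret is visible in the child's argument vector
    (expected False). The flag name is illustrative; svn 1.10 and later
    accept --password-from-stdin for exactly this purpose.
    """
    argv = [sys.executable, "-c", CHILD_SCRIPT, "--password-from-stdin"]
    return secret in spawn_and_inspect(argv, secret.encode() + b"\n")


if __name__ == "__main__":
    demo_secret = "constructed-demo-secret-42"
    print("visible when passed as an argument:", secret_in_argv(demo_secret))
    print("visible when passed over stdin:    ", secret_via_stdin(demo_secret))
```

In an Ansible module the stdin route maps onto the `data` argument of `AnsibleModule.run_command`, which writes the given bytes to the child's stdin. Two caveats a practitioner should keep in mind: the argv exposure lasts only while the process runs, so short-lived svn calls narrow but do not close the window, and the check here only covers the command line; whether svn's own credential cache persists the password on disk is a separate question.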
ansibot (Contributor) commented Feb 26, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

ansibot (Contributor) commented Feb 26, 2020

ansibot added the affects_2.10, bug, module, source_control and support:core labels Feb 26, 2020
ansible locked and limited conversation to collaborators May 11, 2020