ansible-vault edit race condition #67798
Comments
Files identified in the description: If these files are inaccurate, please update the
We should just pass the filehandle and ensure secure access by using that instead of the generated path string. Creating the file with stricter permissions still does not matter as controlling the directory will trump that. We get some mitigation from 6452a82, as this forces usage of
* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file

CVE-2020-1740
Fixes ansible#67798
Co-authored-by: samdoran

* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file

CVE-2020-1740
Fixes #67798
Co-authored-by: samdoran

* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file

CVE-2020-1740
Fixes ansible#67798
Co-authored-by: samdoran
(cherry picked from commit 28f9fbd)
* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file

CVE-2020-1740
Fixes #67798
Co-authored-by: samdoran
(cherry picked from commit 28f9fbd)
SUMMARY
CVE-2020-1740
A race condition exists in `ansible-vault edit` which could allow another user on the same computer to read the old and new secret.

When executing `ansible-vault edit`, the method `VaultEditor._edit_file_helper()` creates the temporary file with `tempfile.mkstemp()`. However, the returned file descriptor is closed and `VaultEditor.write_data()` is called to write to the file. `VaultEditor.write_data()` will delete the file and recreate it. A malicious user can create the file with permissions allowing them access to the file after the unlink.

The proposed solution is to write directly to the file descriptor in `VaultEditor._edit_file_helper()` rather than deleting and creating a new file.

Relevant code:
ansible/lib/ansible/parsing/vault/__init__.py
Lines 851 to 859 in 79dfae9
ISSUE TYPE
COMPONENT NAME
lib/ansible/parsing/vault/__init__.py
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
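The two rules in the fix commit message (write through the descriptor mkstemp returned; when only a path string is available, insist on creating the file) in runnable form. This is an added example written for this page, not Ansible's code: `recreate_by_path` reproduces the unlink-then-reopen pattern the report describes, for contrast only, and `write_via_descriptor` / `create_and_write` are the hardened counterparts. All function names, the temporary directory layout and the sample contents are constructed for the example.

```python
import os
import stat
import tempfile


def recreate_by_path(path, data):
    """The pattern the report describes (contrast only, do not use).

    Between the unlink and the reopen by name, whoever controls the
    directory can place their own entry at `path`; the secret is then
    written into that entry, with whatever permissions it carries rather
    than the 0o600 that mkstemp applied to the file it created.
    """
    os.unlink(path)
    with open(path, "wb") as fh:
        fh.write(data)


def write_via_descriptor(fd, data):
    """Write `data` through the descriptor mkstemp returned.

    The descriptor is bound to the inode mkstemp created, so later changes
    to the directory entry cannot redirect the write. Ownership of `fd`
    passes to this function; it is closed on return.
    """
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())


def create_and_write(path, data, mode=0o600):
    """Write `data` to `path`, insisting that this call creates the file.

    O_CREAT|O_EXCL makes the kernel fail the open if any entry (regular
    file or symlink) already exists at `path`, so a planted entry raises
    FileExistsError instead of being silently reused.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    write_via_descriptor(fd, data)


def demo_secure_temp_write(data):
    """mkstemp followed by write_via_descriptor.

    Returns (same_inode, perms, contents): whether the file now at the path
    is still the inode mkstemp created, its permission bits, and its bytes.
    """
    fd, path = tempfile.mkstemp()
    before = os.fstat(fd)                 # the inode mkstemp created
    write_via_descriptor(fd, data)
    after = os.stat(path)                 # whatever now sits at the path
    same_inode = (before.st_dev, before.st_ino) == (after.st_dev, after.st_ino)
    perms = stat.S_IMODE(after.st_mode)
    with open(path, "rb") as fh:
        contents = fh.read()
    os.unlink(path)
    return same_inode, perms, contents


def demo_exclusive_create():
    """create_and_write against a planted path and against a fresh one.

    Returns (refused_planted, perms_fresh, contents_fresh).
    """
    tmpdir = tempfile.mkdtemp()
    planted = os.path.join(tmpdir, "planted.tmp")
    fresh = os.path.join(tmpdir, "fresh.tmp")
    # Constructed: an entry that already exists at the target path, standing
    # in for the pre-created file the report describes.
    with open(planted, "wb") as fh:
        fh.write(b"not ours")
    try:
        create_and_write(planted, b"secret")
        refused = False
    except FileExistsError:
        refused = True
    create_and_write(fresh, b"secret")
    perms = stat.S_IMODE(os.stat(fresh).st_mode)
    with open(fresh, "rb") as fh:
        contents = fh.read()
    for p in (planted, fresh):
        os.unlink(p)
    os.rmdir(tmpdir)
    return refused, perms, contents


if __name__ == "__main__":
    print(demo_secure_temp_write(b"new secret\n"))
    print(demo_exclusive_create())
```

The descriptor route is the stronger of the two because it never consults the directory again; O_EXCL only helps where the code has nothing but a path, and it turns the race into a hard failure rather than removing it, which is why the fix commit keeps both rules.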