solaris_zone: Allow only valid characters in zone name #65686

Merged
merged 1 commit into from
Dec 10, 2019

Conversation

Akasurde
Member

SUMMARY

CVE-2019-14904 - solaris_zone module accepts zone name and performs actions related to that.
However, there is no user input validation done while performing actions.
A malicious user could provide a crafted zone name which allows executing commands
into the server manipulating the module behaviour.

Adding user input validation as per Solaris Zone documentation fixes this issue.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

changelogs/fragments/solaris_zone_name_fix.yml
lib/ansible/modules/system/solaris_zone.py
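
An added example (not code from this pull request or from the Ansible module): an allowlist check of the kind the summary describes, run before a zone name is placed on a command line. The rule set (leading ASCII alphanumeric, then alphanumerics, `_`, `-` or `.`, at most 64 characters), the helper names and the sample names are assumptions, since the page does not quote the Solaris documentation.

```python
import re

# Assumed rule set (the page does not quote it): first character ASCII
# alphanumeric, then ASCII alphanumerics, '_', '-' or '.', at most 64 chars.
MAX_ZONE_NAME_LEN = 64
_ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")
_ACTIONS = ("boot", "halt", "install", "uninstall")


def validate_zone_name(name):
    """Return name unchanged if it passes the allowlist, else raise ValueError."""
    if not isinstance(name, str) or not name:
        raise ValueError("zone name must be a non-empty string")
    if len(name) > MAX_ZONE_NAME_LEN:
        raise ValueError("zone name is longer than %d characters" % MAX_ZONE_NAME_LEN)
    # fullmatch, not match with '$': '$' also matches before a trailing newline,
    # and a newline is a separator in shells and command files.
    if _ZONE_NAME_RE.fullmatch(name) is None:
        raise ValueError("zone name %r has a disallowed character or first character" % name)
    return name


def zoneadm_argv(name, action):
    """Hypothetical helper: argv list (no shell string) for a validated name."""
    if action not in _ACTIONS:
        raise ValueError("unsupported action %r" % action)
    return ["zoneadm", "-z", validate_zone_name(name), action]


def classify(names):
    """Map each candidate name to 'ok' or 'rejected'."""
    result = {}
    for candidate in names:
        try:
            validate_zone_name(candidate)
            result[candidate] = "ok"
        except ValueError:
            result[candidate] = "rejected"
    return result


# Constructed sample names: valid ones first, then boundary and hostile shapes.
SAMPLES = ["web01", "db.prod-2_a", "a" * 64, "a" * 65, "-z", ".hidden",
           "web 01", "web;id", "$(id)", "web01\n", ""]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print("%-10s %r" % (verdict, name))
```

Rejecting a leading `-` matters as much as rejecting shell metacharacters: a name that starts with a hyphen would be read as an option even when the command is run without a shell.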

@Akasurde
Member Author

cc @mattclay @nitzmahone

@ansibot
Contributor

ansibot commented Dec 10, 2019

@ansibot ansibot added affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. community_review In order to be merged, this PR must follow the community review workflow. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. solaris Solaris community support:community This issue/PR relates to code supported by the Ansible community. system System category labels Dec 10, 2019
@mator
Contributor

mator commented Dec 10, 2019

LGTM

@ansibot ansibot added automerge This PR was automatically merged by ansibot. shipit This PR is ready to be merged by Core and removed community_review In order to be merged, this PR must follow the community review workflow. needs_triage Needs a first human triage before being processed. labels Dec 10, 2019
@ansibot ansibot merged commit 7d2ae7e into ansible:devel Dec 10, 2019
@Akasurde Akasurde deleted the cve_solaris_zone branch December 10, 2019 14:45
anshulbehl pushed a commit to anshulbehl/ansible that referenced this pull request Dec 10, 2019
@ansible ansible locked and limited conversation to collaborators Jan 7, 2020