ansible/CVE-2019-10217-gcp-modules-sensitive-fields.patch

From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Tue, 23 Jul 2019 14:14:13 +0530
Subject: [PATCH] gcp_utils: Handle JSON decode exception

Handle json.loads exception rather than providing stacktrace

Fixes: #56269

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
---
 lib/ansible/module_utils/gcp_utils.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
@@ -18,7 +18,7 @@ except ImportError:
 
 from ansible.module_utils.basic import AnsibleModule, env_fallback
 from ansible.module_utils.six import string_types
-from ansible.module_utils._text import to_text
+from ansible.module_utils._text import to_text, to_native
 import ast
 import os
 import json
@@ -157,7 +157,12 @@ class GcpSession(object):
             path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
             return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
         elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
-            cred = json.loads(self.module.params.get('service_account_contents'))
+            try:
+                cred = json.loads(self.module.params.get('service_account_contents'))
+            except json.decoder.JSONDecodeError as e:
+                self.module.fail_json(
+                    msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)
+                )
             return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
         elif cred_type == 'machineaccount':
             return google.auth.compute_engine.Credentials(
fix former mistake and re-establish the older, but better package version - Update to version 2.8.3: Full changelog is packaged, but also at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst - (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. - (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. - Update to version 2.8.1 Full changelog is at /usr/share/doc/packages/ansible/changelogs/ Bugfixes -------- - ACI - DO not encode query_string - ACI modules - Fix non-signature authentication - Add missing directory provided via ``--playbook-dir`` to adjacent collection loading - Fix "Interface not found" errors when using eos_l2_interface with nonexistant interfaces configured - Fix cannot get credential when `source_auth` set to `credential_file`. - Fix netconf_config backup string issue - Fix privilege escalation support for the docker connection plugin when OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=146 2019-08-13 18:26:53 +02:00			`From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001`
			`From: Abhijeet Kasurde <akasurde@redhat.com>`
			`Date: Tue, 23 Jul 2019 14:14:13 +0530`
			`Subject: [PATCH] gcp_utils: Handle JSON decode exception`

			`Handle json.loads exception rather than providing stacktrace`

			`Fixes: #56269`

			`Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>`
			`---`
			`lib/ansible/module_utils/gcp_utils.py \| 9 +++++++--`
			`1 file changed, 7 insertions(+), 2 deletions(-)`

			`--- a/lib/ansible/module_utils/gcp_utils.py`
			`+++ b/lib/ansible/module_utils/gcp_utils.py`
			`@@ -18,7 +18,7 @@ except ImportError:`

			`from ansible.module_utils.basic import AnsibleModule, env_fallback`
			`from ansible.module_utils.six import string_types`
			`-from ansible.module_utils._text import to_text`
			`+from ansible.module_utils._text import to_text, to_native`
			`import ast`
			`import os`
			`import json`
			`@@ -157,7 +157,12 @@ class GcpSession(object):`
			`path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))`
			`return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])`
			`elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):`
			`- cred = json.loads(self.module.params.get('service_account_contents'))`
			`+ try:`
			`+ cred = json.loads(self.module.params.get('service_account_contents'))`
			`+ except json.decoder.JSONDecodeError as e:`
			`+ self.module.fail_json(`
			`+ msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)`
			`+ )`
			`return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])`
			`elif cred_type == 'machineaccount':`
			`return google.auth.compute_engine.Credentials(`