Accepting request 721780 from systemsmanagement

OBS-URL: https://build.opensuse.org/request/show/721780 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ansible?expand=0&rev=51
2019-08-09 14:53:56 +00:00 · 2019-08-09 14:53:56 +00:00 · 8afd693020
commit 8afd693020
parent fc6f88a0a5 0ad11aef75
6 changed files with 151 additions and 8 deletions
--- a/CVE-2019-10206-data-disclosure.patch
+++ b/CVE-2019-10206-data-disclosure.patch
@ -0,0 +1,79 @@
+From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
+From: Brian Coca <bcoca@users.noreply.github.com>
+Date: Wed, 24 Jul 2019 16:00:20 -0400
+Subject: [PATCH] prevent templating of passwords from prompt (#59246)
+
+* prevent templating of passwords from prompt
+
+  fixes CVE-2019-10206
+
+(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
+---
+ .../fragments/dont_template_passwords_from_prompt.yml |  2 ++
+ lib/ansible/cli/__init__.py                           |  8 ++++++++
+ lib/ansible/utils/unsafe_proxy.py                     | 11 +++++++----
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+ create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
+
+--- /dev/null
+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+@@ -0,0 +1,2 @@
+bugfixes:
+    - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
+--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
+@@ -29,6 +29,7 @@ from ansible.release import __version__
+ from ansible.utils.collection_loader import set_collection_playbook_paths
+ from ansible.utils.display import Display
+ from ansible.utils.path import unfrackpath
+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
+ from ansible.vars.manager import VariableManager
+ 
+ 
+@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
+         except EOFError:
+             pass
+ 
+        # we 'wrap' the passwords to prevent templating as
+        # they can contain special chars and trigger it incorrectly
+        if sshpass:
+            sshpass = AnsibleUnsafeBytes(sshpass)
+        if becomepass:
+            becomepass = AnsibleUnsafeBytes(becomepass)
+
+         return (sshpass, becomepass)
+ 
+     def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
+--- a/lib/ansible/utils/unsafe_proxy.py
+++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -53,7 +53,7 @@
+ from __future__ import (absolute_import, division, print_function)
+ __metaclass__ = type
+ 
+-from ansible.module_utils.six import string_types, text_type
+from ansible.module_utils.six import string_types, text_type, binary_type
+ from ansible.module_utils._text import to_text
+ from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
+ 
+@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
+     pass
+ 
+ 
+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
+    pass
+
+
+ class UnsafeProxy(object):
+     def __new__(cls, obj, *args, **kwargs):
+         # In our usage we should only receive unicode strings.
+         # This conditional and conversion exists to sanity check the values
+         # we're given but we may want to take it out for testing and sanitize
+         # our input instead.
+-        if isinstance(obj, string_types):
+-            obj = to_text(obj, errors='surrogate_or_strict')
+-            return AnsibleUnsafeText(obj)
+        if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
+            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+         return obj
+ 
+ 
--- a/CVE-2019-10217-gcp-modules-sensitive-fields.patch
+++ b/CVE-2019-10217-gcp-modules-sensitive-fields.patch
@ -0,0 +1,39 @@
+From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001
+From: Abhijeet Kasurde <akasurde@redhat.com>
+Date: Tue, 23 Jul 2019 14:14:13 +0530
+Subject: [PATCH] gcp_utils: Handle JSON decode exception
+
+Handle json.loads exception rather than providing stacktrace
+
+Fixes: #56269
+
+Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
+---
+ lib/ansible/module_utils/gcp_utils.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
+@@ -18,7 +18,7 @@ except ImportError:
+ 
+ from ansible.module_utils.basic import AnsibleModule, env_fallback
+ from ansible.module_utils.six import string_types
+-from ansible.module_utils._text import to_text
+from ansible.module_utils._text import to_text, to_native
+ import ast
+ import os
+ import json
+@@ -157,7 +157,12 @@ class GcpSession(object):
+             path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
+             return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
+         elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
+-            cred = json.loads(self.module.params.get('service_account_contents'))
+            try:
+                cred = json.loads(self.module.params.get('service_account_contents'))
+            except json.decoder.JSONDecodeError as e:
+                self.module.fail_json(
+                    msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)
+                )
+             return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
+         elif cred_type == 'machineaccount':
+             return google.auth.compute_engine.Credentials(
--- a/ansible-2.8.1.tar.gz
+++ b/ansible-2.8.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e1d51d3a88e21238f9e7a49b2b17a49e76c13880242b936ac8a37aee4fe84445
-size 14299403
--- a/ansible-2.8.3.tar.gz
+++ b/ansible-2.8.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05f9ed3ca3e06dffaa87a73a8e6f7f322825bc3f609f8b71c4fe22dbbdf72abc
+size 14343746
--- a/ansible.changes
+++ b/ansible.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Aug  7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
+
+- Update to version 2.8.3:
+  Full changelog is packaged, but also at
+  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
+- (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing
+  CVE-2019-10206: ansible-playbook -k and ansible cli tools
+  prompt passwords by expanding them from templates as they could
+  contain special characters. Passwords should be wrapped to
+  prevent templates trigger and exposing them.
+- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
+  CVE-2019-10217: Fields managing sensitive data should be set as
+  such by no_log feature. Some of these fields in GCP modules are
+  not set properly. service_account_contents() which is common
+  class for all gcp modules is not setting no_log to True. Any
+  sensitive data managed by that function would be leak as an
+  output when running ansible playbooks.
+
 -------------------------------------------------------------------
 Sat Jun  8 16:33:53 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>

--- a/ansible.spec
+++ b/ansible.spec
@ -36,7 +36,7 @@
 BuildArch:      noarch
 %endif
 Name:           ansible
-Version:        2.8.1
+Version:        2.8.3
 Release:        0
 Summary:        Software automation engine
 License:        GPL-3.0-or-later
@ -44,6 +44,12 @@ Group:          Development/Languages/Python
 Url:            https://ansible.com/
 Source:         https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
 Source99:       ansible-rpmlintrc
+# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com
+# prevent templating of passwords from prompt gh#ansible/ansible#59552
+Patch0:         CVE-2019-10206-data-disclosure.patch
+# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com
+# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly
+Patch1:         CVE-2019-10217-gcp-modules-sensitive-fields.patch
 # SuSE/openSuSE
 %if 0%{?suse_version}
 %if %{with python3}
@ -65,7 +71,6 @@ BuildRequires:  %{python}-Jinja2
 BuildRequires:  %{python}-PyYAML
 BuildRequires:  %{python}-paramiko
 BuildRequires:  %{python}-pycrypto >= 2.6
-BuildRequires:  fdupes
 Requires:       %{python}-Jinja2
 Requires:       %{python}-PyYAML
 Requires:       %{python}-paramiko
@ -109,6 +114,7 @@ Requires:       python2-cryptography
 BuildRequires:  perl(Exporter)
 %endif
 %if 0%{?fedora} >= 18
+BuildRequires:  fdupes
 BuildRequires:  python-devel
 BuildRequires:  python-setuptools
 Requires:       PyYAML
@ -130,6 +136,9 @@ like zero downtime rolling updates with load balancers.

 %prep
 %setup -q -n ansible-%{version}
+%patch0 -p1
+%patch1 -p1
+
 find . -name .git_keep -delete
 find contrib/ -type f -exec chmod 644 {} +

@ -145,9 +154,6 @@ cp examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
 mkdir -p %{buildroot}/%{_mandir}/man1/
 cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
 mkdir -p %{buildroot}/%{_datadir}/ansible
-%if 0%{?suse_version} >= 01130
-%fdupes %{buildroot}/%{python_sitelib}/ansible/
-%endif

 %files
 %defattr(-,root,root,-)