Accepting request 721780 from systemsmanagement
OBS-URL: https://build.opensuse.org/request/show/721780 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ansible?expand=0&rev=51
commit
8afd693020
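--- /dev/null
+++ b/CVE-2019-10206-data-disclosure.patch
@@ -0,0 +1,79 @@
+From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
+From: Brian Coca <bcoca@users.noreply.github.com>
+Date: Wed, 24 Jul 2019 16:00:20 -0400
+Subject: [PATCH] prevent templating of passwords from prompt (#59246)
+
+* prevent templating of passwords from prompt
+
+fixes CVE-2019-10206
+
+(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
+---
+.../fragments/dont_template_passwords_from_prompt.yml | 2 ++
+lib/ansible/cli/__init__.py | 8 ++++++++
+lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
+3 files changed, 17 insertions(+), 4 deletions(-)
+create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
+
+--- /dev/null
++++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+@@ -0,0 +1,2 @@
++bugfixes:
++ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
+--- a/lib/ansible/cli/__init__.py
++++ b/lib/ansible/cli/__init__.py
+@@ -29,6 +29,7 @@ from ansible.release import __version__
+from ansible.utils.collection_loader import set_collection_playbook_paths
+from ansible.utils.display import Display
+from ansible.utils.path import unfrackpath
++from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
+from ansible.vars.manager import VariableManager
+
+
+@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
+except EOFError:
+pass
+
++ # we 'wrap' the passwords to prevent templating as
++ # they can contain special chars and trigger it incorrectly
++ if sshpass:
++ sshpass = AnsibleUnsafeBytes(sshpass)
++ if becomepass:
++ becomepass = AnsibleUnsafeBytes(becomepass)
++
+return (sshpass, becomepass)
+
+def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
+--- a/lib/ansible/utils/unsafe_proxy.py
++++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -53,7 +53,7 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+-from ansible.module_utils.six import string_types, text_type
++from ansible.module_utils.six import string_types, text_type, binary_type
+from ansible.module_utils._text import to_text
+from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
+
+@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
+pass
+
+
++class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
++ pass
++
++
+class UnsafeProxy(object):
+def __new__(cls, obj, *args, **kwargs):
+# In our usage we should only receive unicode strings.
+# This conditional and conversion exists to sanity check the values
+# we're given but we may want to take it out for testing and sanitize
+# our input instead.
+- if isinstance(obj, string_types):
+- obj = to_text(obj, errors='surrogate_or_strict')
+- return AnsibleUnsafeText(obj)
++ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
++ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+return obj
+
+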
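Review bot: `AnsibleUnsafeBytes` is introduced without a docstring, and the `AnsibleUnsafeBytes(sshpass)` / `AnsibleUnsafeBytes(becomepass)` wraps in `ask_passwords` rely on the prompt values already being `bytes` at that point (the `bytes` constructor rejects a `str` without an encoding on Python 3), but that conversion is not visible in the hunk because the method starts outside it, so a short comment such as `# sshpass/becomepass are already bytes here; only the unsafe marker class changes` would make the assumption explicit. A suggested class docstring: `"""bytes subclass carrying the AnsibleUnsafe marker so that prompted secrets are never handed to the templater (CVE-2019-10206)."""`. In `UnsafeProxy.__new__` the preserved comment `In our usage we should only receive unicode strings` is now outdated, since the new condition explicitly expects `AnsibleUnsafeBytes` instances; it is also worth noting there that on Python 3 `string_types` excludes `bytes`, so a plain, unmarked `bytes` value passes through unwrapped — pre-existing behaviour, but the comment block is the place to say so.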
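--- /dev/null
+++ b/CVE-2019-10217-gcp-modules-sensitive-fields.patch
@@ -0,0 +1,39 @@
+From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001
+From: Abhijeet Kasurde <akasurde@redhat.com>
+Date: Tue, 23 Jul 2019 14:14:13 +0530
+Subject: [PATCH] gcp_utils: Handle JSON decode exception
+
+Handle json.loads exception rather than providing stacktrace
+
+Fixes: #56269
+
+Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
+---
+lib/ansible/module_utils/gcp_utils.py | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/lib/ansible/module_utils/gcp_utils.py
++++ b/lib/ansible/module_utils/gcp_utils.py
+@@ -18,7 +18,7 @@ except ImportError:
+
+from ansible.module_utils.basic import AnsibleModule, env_fallback
+from ansible.module_utils.six import string_types
+-from ansible.module_utils._text import to_text
++from ansible.module_utils._text import to_text, to_native
+import ast
+import os
+import json
+@@ -157,7 +157,12 @@ class GcpSession(object):
+path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
+return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
+elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
+- cred = json.loads(self.module.params.get('service_account_contents'))
++ try:
++ cred = json.loads(self.module.params.get('service_account_contents'))
++ except json.decoder.JSONDecodeError as e:
++ self.module.fail_json(
++ msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)
++ )
+return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
+elif cred_type == 'machineaccount':
+return google.auth.compute_engine.Credentials(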
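Review bot: `except json.decoder.JSONDecodeError as e:` in the `GcpSession` hunk names an exception class that exists only on Python 3; this `module_utils` file still imports from `ansible.module_utils.six`, which suggests Python 2 is a supported interpreter, and there a malformed `service_account_contents` raises `ValueError`, the `except` expression itself then fails with `AttributeError`, and the user gets exactly the traceback the change means to avoid. Because `JSONDecodeError` subclasses `ValueError` on Python 3, `except ValueError as e:` covers both interpreters in one line. Separately, this file is packaged as the CVE-2019-10217 fix, yet the patch it contains (Subject `gcp_utils: Handle JSON decode exception`, `Fixes: #56269`) touches no `no_log` argument, while the changelog entry and the spec comment in this same commit describe the CVE as missing `no_log` on sensitive GCP fields — worth confirming that the right upstream commit was picked before the package advertises the CVE as fixed. The enclosing method of the second hunk starts and ends outside the hunk.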
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:e1d51d3a88e21238f9e7a49b2b17a49e76c13880242b936ac8a37aee4fe84445
|
|
||||||
size 14299403
|
|
3
ansible-2.8.3.tar.gz
Normal file
3
ansible-2.8.3.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:05f9ed3ca3e06dffaa87a73a8e6f7f322825bc3f609f8b71c4fe22dbbdf72abc
|
||||||
|
size 14343746
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Update to version 2.8.3:
|
||||||
|
Full changelog is packaged, but also at
|
||||||
|
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
|
||||||
|
- (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing
|
||||||
|
CVE-2019-10206: ansible-playbook -k and ansible cli tools
|
||||||
|
prompt passwords by expanding them from templates as they could
|
||||||
|
contain special characters. Passwords should be wrapped to
|
||||||
|
prevent templates trigger and exposing them.
|
||||||
|
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
|
||||||
|
CVE-2019-10217: Fields managing sensitive data should be set as
|
||||||
|
such by no_log feature. Some of these fields in GCP modules are
|
||||||
|
not set properly. service_account_contents() which is common
|
||||||
|
class for all gcp modules is not setting no_log to True. Any
|
||||||
|
sensitive data managed by that function would be leak as an
|
||||||
|
output when running ansible playbooks.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Jun 8 16:33:53 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>
|
Sat Jun 8 16:33:53 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>
|
||||||
|
|
||||||
|
16
ansible.spec
16
ansible.spec
@ -36,7 +36,7 @@
|
|||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%endif
|
%endif
|
||||||
Name: ansible
|
Name: ansible
|
||||||
Version: 2.8.1
|
Version: 2.8.3
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Software automation engine
|
Summary: Software automation engine
|
||||||
License: GPL-3.0-or-later
|
License: GPL-3.0-or-later
|
||||||
@ -44,6 +44,12 @@ Group: Development/Languages/Python
|
|||||||
Url: https://ansible.com/
|
Url: https://ansible.com/
|
||||||
Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
|
Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
|
||||||
Source99: ansible-rpmlintrc
|
Source99: ansible-rpmlintrc
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com
|
||||||
|
# prevent templating of passwords from prompt gh#ansible/ansible#59552
|
||||||
|
Patch0: CVE-2019-10206-data-disclosure.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com
|
||||||
|
# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly
|
||||||
|
Patch1: CVE-2019-10217-gcp-modules-sensitive-fields.patch
|
||||||
# SuSE/openSuSE
|
# SuSE/openSuSE
|
||||||
%if 0%{?suse_version}
|
%if 0%{?suse_version}
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
@ -65,7 +71,6 @@ BuildRequires: %{python}-Jinja2
|
|||||||
BuildRequires: %{python}-PyYAML
|
BuildRequires: %{python}-PyYAML
|
||||||
BuildRequires: %{python}-paramiko
|
BuildRequires: %{python}-paramiko
|
||||||
BuildRequires: %{python}-pycrypto >= 2.6
|
BuildRequires: %{python}-pycrypto >= 2.6
|
||||||
BuildRequires: fdupes
|
|
||||||
Requires: %{python}-Jinja2
|
Requires: %{python}-Jinja2
|
||||||
Requires: %{python}-PyYAML
|
Requires: %{python}-PyYAML
|
||||||
Requires: %{python}-paramiko
|
Requires: %{python}-paramiko
|
||||||
@ -109,6 +114,7 @@ Requires: python2-cryptography
|
|||||||
BuildRequires: perl(Exporter)
|
BuildRequires: perl(Exporter)
|
||||||
%endif
|
%endif
|
||||||
%if 0%{?fedora} >= 18
|
%if 0%{?fedora} >= 18
|
||||||
|
BuildRequires: fdupes
|
||||||
BuildRequires: python-devel
|
BuildRequires: python-devel
|
||||||
BuildRequires: python-setuptools
|
BuildRequires: python-setuptools
|
||||||
Requires: PyYAML
|
Requires: PyYAML
|
||||||
@ -130,6 +136,9 @@ like zero downtime rolling updates with load balancers.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n ansible-%{version}
|
%setup -q -n ansible-%{version}
|
||||||
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
find . -name .git_keep -delete
|
find . -name .git_keep -delete
|
||||||
find contrib/ -type f -exec chmod 644 {} +
|
find contrib/ -type f -exec chmod 644 {} +
|
||||||
|
|
||||||
@ -145,9 +154,6 @@ cp examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
|
|||||||
mkdir -p %{buildroot}/%{_mandir}/man1/
|
mkdir -p %{buildroot}/%{_mandir}/man1/
|
||||||
cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
|
cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
|
||||||
mkdir -p %{buildroot}/%{_datadir}/ansible
|
mkdir -p %{buildroot}/%{_datadir}/ansible
|
||||||
%if 0%{?suse_version} >= 01130
|
|
||||||
%fdupes %{buildroot}/%{python_sitelib}/ansible/
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
|
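Review bot: The fdupes handling ends up inconsistent across the spec hunks: `BuildRequires: fdupes` leaves the shared block in the `@ -65,7 +71,6` hunk and reappears inside the `%if 0%{?fedora} >= 18` branch in the `@ -109,6 +114,7` hunk, while the `@ -145,9 +154,6` hunk deletes the only visible `%fdupes %{buildroot}/%{python_sitelib}/ansible/` call together with its `%if 0%{?suse_version} >= 01130` guard. Unless another `%fdupes` invocation exists outside these hunks, SUSE builds lose the deduplication and the Fedora branch gains a build dependency nothing uses; if the intent was to drop fdupes, the new `BuildRequires` line should go too, otherwise the `%fdupes` block should stay. Separately, the new Patch1 comment reads `bsc#1144453+ mcepl@suse.com` — the stray `+` after the bug number looks like a typo and will trip tooling that parses bsc references.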