Accepting request 721780 from systemsmanagement

OBS-URL: https://build.opensuse.org/request/show/721780
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ansible?expand=0&rev=51
This commit is contained in:
Dominique Leuenberger 2019-08-09 14:53:56 +00:00 committed by Git OBS Bridge
commit 8afd693020
6 changed files with 151 additions and 8 deletions

View File

@ -0,0 +1,79 @@
From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
From: Brian Coca <bcoca@users.noreply.github.com>
Date: Wed, 24 Jul 2019 16:00:20 -0400
Subject: [PATCH] prevent templating of passwords from prompt (#59246)
* prevent templating of passwords from prompt
fixes CVE-2019-10206
(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
---
.../fragments/dont_template_passwords_from_prompt.yml | 2 ++
lib/ansible/cli/__init__.py | 8 ++++++++
lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
3 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
--- /dev/null
+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -29,6 +29,7 @@ from ansible.release import __version__
from ansible.utils.collection_loader import set_collection_playbook_paths
from ansible.utils.display import Display
from ansible.utils.path import unfrackpath
+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
from ansible.vars.manager import VariableManager
@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
except EOFError:
pass
+ # we 'wrap' the passwords to prevent templating as
+ # they can contain special chars and trigger it incorrectly
+ if sshpass:
+ sshpass = AnsibleUnsafeBytes(sshpass)
+ if becomepass:
+ becomepass = AnsibleUnsafeBytes(becomepass)
+
return (sshpass, becomepass)
def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
--- a/lib/ansible/utils/unsafe_proxy.py
+++ b/lib/ansible/utils/unsafe_proxy.py
@@ -53,7 +53,7 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
-from ansible.module_utils.six import string_types, text_type
+from ansible.module_utils.six import string_types, text_type, binary_type
from ansible.module_utils._text import to_text
from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
pass
+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
+ pass
+
+
class UnsafeProxy(object):
def __new__(cls, obj, *args, **kwargs):
# In our usage we should only receive unicode strings.
# This conditional and conversion exists to sanity check the values
# we're given but we may want to take it out for testing and sanitize
# our input instead.
- if isinstance(obj, string_types):
- obj = to_text(obj, errors='surrogate_or_strict')
- return AnsibleUnsafeText(obj)
+ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
+ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
return obj

View File

@ -0,0 +1,39 @@
From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Tue, 23 Jul 2019 14:14:13 +0530
Subject: [PATCH] gcp_utils: Handle JSON decode exception
Handle json.loads exception rather than providing stacktrace
Fixes: #56269
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
---
lib/ansible/module_utils/gcp_utils.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
@@ -18,7 +18,7 @@ except ImportError:
from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible.module_utils.six import string_types
-from ansible.module_utils._text import to_text
+from ansible.module_utils._text import to_text, to_native
import ast
import os
import json
@@ -157,7 +157,12 @@ class GcpSession(object):
path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
- cred = json.loads(self.module.params.get('service_account_contents'))
+ try:
+ cred = json.loads(self.module.params.get('service_account_contents'))
+ except json.decoder.JSONDecodeError as e:
+ self.module.fail_json(
+ msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)
+ )
return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
elif cred_type == 'machineaccount':
return google.auth.compute_engine.Credentials(

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e1d51d3a88e21238f9e7a49b2b17a49e76c13880242b936ac8a37aee4fe84445
size 14299403

3
ansible-2.8.3.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:05f9ed3ca3e06dffaa87a73a8e6f7f322825bc3f609f8b71c4fe22dbbdf72abc
size 14343746

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Wed Aug 7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Update to version 2.8.3:
Full changelog is packaged, but also at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing
CVE-2019-10206: ansible-playbook -k and ansible cli tools
prompt passwords by expanding them from templates as they could
contain special characters. Passwords should be wrapped to
prevent templates trigger and exposing them.
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
CVE-2019-10217: Fields managing sensitive data should be set as
such by no_log feature. Some of these fields in GCP modules are
not set properly. service_account_contents() which is common
class for all gcp modules is not setting no_log to True. Any
sensitive data managed by that function would be leak as an
output when running ansible playbooks.
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Jun 8 16:33:53 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de> Sat Jun 8 16:33:53 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>

View File

@ -36,7 +36,7 @@
BuildArch: noarch BuildArch: noarch
%endif %endif
Name: ansible Name: ansible
Version: 2.8.1 Version: 2.8.3
Release: 0 Release: 0
Summary: Software automation engine Summary: Software automation engine
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -44,6 +44,12 @@ Group: Development/Languages/Python
Url: https://ansible.com/ Url: https://ansible.com/
Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
Source99: ansible-rpmlintrc Source99: ansible-rpmlintrc
# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com
# prevent templating of passwords from prompt gh#ansible/ansible#59552
Patch0: CVE-2019-10206-data-disclosure.patch
# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com
# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly
Patch1: CVE-2019-10217-gcp-modules-sensitive-fields.patch
# SuSE/openSuSE # SuSE/openSuSE
%if 0%{?suse_version} %if 0%{?suse_version}
%if %{with python3} %if %{with python3}
@ -65,7 +71,6 @@ BuildRequires: %{python}-Jinja2
BuildRequires: %{python}-PyYAML BuildRequires: %{python}-PyYAML
BuildRequires: %{python}-paramiko BuildRequires: %{python}-paramiko
BuildRequires: %{python}-pycrypto >= 2.6 BuildRequires: %{python}-pycrypto >= 2.6
BuildRequires: fdupes
Requires: %{python}-Jinja2 Requires: %{python}-Jinja2
Requires: %{python}-PyYAML Requires: %{python}-PyYAML
Requires: %{python}-paramiko Requires: %{python}-paramiko
@ -109,6 +114,7 @@ Requires: python2-cryptography
BuildRequires: perl(Exporter) BuildRequires: perl(Exporter)
%endif %endif
%if 0%{?fedora} >= 18 %if 0%{?fedora} >= 18
BuildRequires: fdupes
BuildRequires: python-devel BuildRequires: python-devel
BuildRequires: python-setuptools BuildRequires: python-setuptools
Requires: PyYAML Requires: PyYAML
@ -130,6 +136,9 @@ like zero downtime rolling updates with load balancers.
%prep %prep
%setup -q -n ansible-%{version} %setup -q -n ansible-%{version}
%patch0 -p1
%patch1 -p1
find . -name .git_keep -delete find . -name .git_keep -delete
find contrib/ -type f -exec chmod 644 {} + find contrib/ -type f -exec chmod 644 {} +
@ -145,9 +154,6 @@ cp examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
mkdir -p %{buildroot}/%{_mandir}/man1/ mkdir -p %{buildroot}/%{_mandir}/man1/
cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/ cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
mkdir -p %{buildroot}/%{_datadir}/ansible mkdir -p %{buildroot}/%{_datadir}/ansible
%if 0%{?suse_version} >= 01130
%fdupes %{buildroot}/%{python_sitelib}/ansible/
%endif
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)