From 96821db61477af232f9ada8d02cf47abdc9a2027 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Fri, 13 Sep 2019 09:07:20 +0000 Subject: [PATCH] - Update to version 2.8.5: Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ and also available online at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst - removed patches fixed upstream: + CVE-2019-10206-data-disclosure.patch + CVE-2019-10217-gcp-modules-sensitive-fields.patch OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=148 --- CVE-2019-10206-data-disclosure.patch | 79 ------------------- ...9-10217-gcp-modules-sensitive-fields.patch | 39 --------- ansible-2.8.3.tar.gz | 3 - ansible-2.8.5.tar.gz | 3 + ansible-2.8.5.tar.gz.sha | 1 + ansible.changes | 11 +++ ansible.spec | 10 +-- 7 files changed, 16 insertions(+), 130 deletions(-) delete mode 100644 CVE-2019-10206-data-disclosure.patch delete mode 100644 CVE-2019-10217-gcp-modules-sensitive-fields.patch delete mode 100644 ansible-2.8.3.tar.gz create mode 100644 ansible-2.8.5.tar.gz create mode 100644 ansible-2.8.5.tar.gz.sha diff --git a/CVE-2019-10206-data-disclosure.patch b/CVE-2019-10206-data-disclosure.patch deleted file mode 100644 index 7873bfe..0000000 --- a/CVE-2019-10206-data-disclosure.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001 -From: Brian Coca -Date: Wed, 24 Jul 2019 16:00:20 -0400 -Subject: [PATCH] prevent templating of passwords from prompt (#59246) - -* prevent templating of passwords from prompt - - fixes CVE-2019-10206 - -(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b) ---- - .../fragments/dont_template_passwords_from_prompt.yml | 2 ++ - lib/ansible/cli/__init__.py | 8 ++++++++ - lib/ansible/utils/unsafe_proxy.py | 11 +++++++---- - 3 files changed, 17 insertions(+), 4 deletions(-) - create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml - ---- /dev/null -+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml -@@ -0,0 +1,2 @@ -+bugfixes: -+ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters. ---- a/lib/ansible/cli/__init__.py -+++ b/lib/ansible/cli/__init__.py -@@ -29,6 +29,7 @@ from ansible.release import __version__ - from ansible.utils.collection_loader import set_collection_playbook_paths - from ansible.utils.display import Display - from ansible.utils.path import unfrackpath -+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes - from ansible.vars.manager import VariableManager - - -@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object - except EOFError: - pass - -+ # we 'wrap' the passwords to prevent templating as -+ # they can contain special chars and trigger it incorrectly -+ if sshpass: -+ sshpass = AnsibleUnsafeBytes(sshpass) -+ if becomepass: -+ becomepass = AnsibleUnsafeBytes(becomepass) -+ - return (sshpass, becomepass) - - def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False): ---- a/lib/ansible/utils/unsafe_proxy.py -+++ b/lib/ansible/utils/unsafe_proxy.py -@@ -53,7 +53,7 @@ - from __future__ import (absolute_import, division, print_function) - __metaclass__ = type - --from 
ansible.module_utils.six import string_types, text_type -+from ansible.module_utils.six import string_types, text_type, binary_type - from ansible.module_utils._text import to_text - from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set - -@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib - pass - - -+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe): -+ pass -+ -+ - class UnsafeProxy(object): - def __new__(cls, obj, *args, **kwargs): - # In our usage we should only receive unicode strings. - # This conditional and conversion exists to sanity check the values - # we're given but we may want to take it out for testing and sanitize - # our input instead. -- if isinstance(obj, string_types): -- obj = to_text(obj, errors='surrogate_or_strict') -- return AnsibleUnsafeText(obj) -+ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes): -+ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict')) - return obj - - diff --git a/CVE-2019-10217-gcp-modules-sensitive-fields.patch b/CVE-2019-10217-gcp-modules-sensitive-fields.patch deleted file mode 100644 index cd0d4f4..0000000 --- a/CVE-2019-10217-gcp-modules-sensitive-fields.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001 -From: Abhijeet Kasurde -Date: Tue, 23 Jul 2019 14:14:13 +0530 -Subject: [PATCH] gcp_utils: Handle JSON decode exception - -Handle json.loads exception rather than providing stacktrace - -Fixes: #56269 - -Signed-off-by: Abhijeet Kasurde ---- - lib/ansible/module_utils/gcp_utils.py | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - ---- a/lib/ansible/module_utils/gcp_utils.py -+++ b/lib/ansible/module_utils/gcp_utils.py -@@ -18,7 +18,7 @@ except ImportError: - - from ansible.module_utils.basic import AnsibleModule, env_fallback - from ansible.module_utils.six import string_types --from ansible.module_utils._text import to_text -+from ansible.module_utils._text import to_text, to_native - import ast - import os - import json -@@ -157,7 +157,12 @@ class GcpSession(object): - path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) - return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes']) - elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'): -- cred = json.loads(self.module.params.get('service_account_contents')) -+ try: -+ cred = json.loads(self.module.params.get('service_account_contents')) -+ except json.decoder.JSONDecodeError as e: -+ self.module.fail_json( -+ msg="Unable to decode service_account_contents as JSON : %s" % to_native(e) -+ ) - return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes']) - elif cred_type == 'machineaccount': - return google.auth.compute_engine.Credentials( diff --git a/ansible-2.8.3.tar.gz b/ansible-2.8.3.tar.gz deleted file mode 100644 index fb1d799..0000000 --- a/ansible-2.8.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:05f9ed3ca3e06dffaa87a73a8e6f7f322825bc3f609f8b71c4fe22dbbdf72abc -size 14343746 
diff --git a/ansible-2.8.5.tar.gz b/ansible-2.8.5.tar.gz new file mode 100644 index 0000000..c2a0852 --- /dev/null +++ b/ansible-2.8.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8e9403e755ce8ef27b6066cdd7a4c567aa80ebe2fd90d0ff8efa0a725d246986 +size 14352036 diff --git a/ansible-2.8.5.tar.gz.sha b/ansible-2.8.5.tar.gz.sha new file mode 100644 index 0000000..271afe1 --- /dev/null +++ b/ansible-2.8.5.tar.gz.sha @@ -0,0 +1 @@ +8e9403e755ce8ef27b6066cdd7a4c567aa80ebe2fd90d0ff8efa0a725d246986 ansible-2.8.5.tar.gz diff --git a/ansible.changes b/ansible.changes index f5d5caa..ea369b1 100644 --- a/ansible.changes +++ b/ansible.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Sep 13 09:02:36 UTC 2019 - Lars Vogdt + +- Update to version 2.8.5: + Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ + and also available online at + https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst +- removed patches fixed upstream: + + CVE-2019-10206-data-disclosure.patch + + CVE-2019-10217-gcp-modules-sensitive-fields.patch + ------------------------------------------------------------------- Wed Aug 7 16:30:47 CEST 2019 - Matej Cepl diff --git a/ansible.spec b/ansible.spec index dce107c..6c9d9d7 100644 --- a/ansible.spec +++ b/ansible.spec @@ -36,7 +36,7 @@ BuildArch: noarch %endif Name: ansible -Version: 2.8.3 +Version: 2.8.5 Release: 0 Summary: Software automation engine License: GPL-3.0-or-later 
@@ -44,12 +44,6 @@ Group: Development/Languages/Python Url: https://ansible.com/ Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz Source99: ansible-rpmlintrc -# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com -# prevent templating of passwords from prompt gh#ansible/ansible#59552 -Patch0: CVE-2019-10206-data-disclosure.patch -# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com -# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly -Patch1: CVE-2019-10217-gcp-modules-sensitive-fields.patch # SuSE/openSuSE %if 0%{?suse_version} %if %{with python3} @@ -136,8 +130,6 @@ like zero downtime rolling updates with load balancers. %prep %setup -q -n ansible-%{version} -%patch0 -p1 -%patch1 -p1 find . -name .git_keep -delete find contrib/ -type f -exec chmod 644 {} +
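Review bot: The Patch1 comment removed here describes CVE-2019-10217 as the gcp modules not flagging sensitive data fields properly (gh#ansible/ansible#59427), but the CVE-2019-10217-gcp-modules-sensitive-fields.patch file deleted in this same commit contains upstream commit 642a3b4d, "gcp_utils: Handle JSON decode exception" (Fixes #56269), which only wraps json.loads in a try/except and does not touch how sensitive fields are marked. If that file was mislabeled, 2.8.3 never shipped the CVE fix and the .changes claim that it is "fixed upstream" rests on the version bump alone, so the 2.8.5 tarball should be checked for the actual sensitive-field change before bsc#1144453 is treated as closed by this update. These six lines are also the only place the package records bsc#1142690 and bsc#1144453; carrying them into the .changes entry, e.g. `  + CVE-2019-10206-data-disclosure.patch (bsc#1142690)`, keeps the tracker references after the patch files are gone.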