From 7af40c347900edec36680ca5258634c9e8a5c874 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Thu, 28 May 2020 22:37:12 +0000 Subject: [PATCH] Accepting request 810010 from home:mcepl:branches:systemsmanagement - Correct ID of CVE and rename the patch to CVE-2020-1744_avoid_mkdir_p.patch - bsc#1167532 CVE-2020-10684 - code injection when using ansible_facts as a subkey * remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133) + Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read from current working directory allowing possible code execution OBS-URL: https://build.opensuse.org/request/show/810010 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=184 --- ...dir_p.patch => CVE-2020-1744_avoid_mkdir_p.patch | 0 ansible.changes | 13 +++++++++++-- ansible.spec | 4 ++-- 3 files changed, 13 insertions(+), 4 deletions(-) rename CVE-2020-1733_avoid_mkdir_p.patch => CVE-2020-1744_avoid_mkdir_p.patch (100%) diff --git a/CVE-2020-1733_avoid_mkdir_p.patch b/CVE-2020-1744_avoid_mkdir_p.patch similarity index 100% rename from CVE-2020-1733_avoid_mkdir_p.patch rename to CVE-2020-1744_avoid_mkdir_p.patch diff --git a/ansible.changes b/ansible.changes index e697cb6..609f13c 100644 --- a/ansible.changes +++ b/ansible.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu May 28 13:57:38 UTC 2020 - Matej Cepl + +- Correct ID of CVE and rename the patch to + CVE-2020-1744_avoid_mkdir_p.patch + ------------------------------------------------------------------- Tue May 26 13:02:10 UTC 2020 - Matej Cepl 
@@ -43,7 +49,8 @@ Fri Apr 17 06:49:56 UTC 2020 - Michael Ströder ldap_attr and ldap_entry modules - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive information - - CVE-2020-10684 - code injection when using ansible_facts as a subkey + - bsc#1167532 CVE-2020-10684 - code injection when using + ansible_facts as a subkey - bsc#1167440 CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2] @@ -518,7 +525,7 @@ Sun Feb 24 10:06:31 UTC 2019 - Michael Ströder * openstack inventory plugin * send logs from sdk to stderr so they do not combine with output * psrp * do not display bootstrap wrapper for each module exec run * redfish_utils * get standard properties for firmware entries (https://github.com/ansible/ansible/issues/49832) - * remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828) (https://github.com/ansible/ansible/pull/52133) + * remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133) * ufw * when using ``state: reset`` in check mode, ``ufw --dry-run reset`` was executed, which causes a loss of firewall rules. The ``ufw`` module was adjusted to no longer run ``ufw --dry-run reset`` to prevent this from happening. * ufw: make sure that only valid values for ``direction`` are passed on. * update GetBiosBootOrder to use standard Redfish resources (https://github.com/ansible/ansible/issues/47571) 
@@ -895,6 +902,8 @@ Mon Jul 30 15:05:07 UTC 2018 - lars@linux-schulserver.de + Restore module_utils.basic.BOOLEANS variable for backwards compatibility with the module API in older ansible releases. Bugfixes: + + Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read + from current working directory allowing possible code execution + Add text output along with structured output in nxos_facts + Allow more than one page of results by using the right pagination indicator ('NextMarker' instead of 'NextToken'). diff --git a/ansible.spec b/ansible.spec index c3c13ac..90475a3 100644 --- a/ansible.spec +++ b/ansible.spec @@ -229,9 +229,9 @@ URL: https://ansible.com/ Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz Source1: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz.sha Source99: ansible-rpmlintrc -# PATCH-FIX-UPSTREAM CVE-2020-1733_avoid_mkdir_p.patch bsc#1171823 mcepl@suse.com +# PATCH-FIX-UPSTREAM CVE-2020-1744_avoid_mkdir_p.patch bsc#1171823 mcepl@suse.com # gh#ansible/ansible#67791 avoid race condition and insecure directory creation -Patch0: CVE-2020-1733_avoid_mkdir_p.patch +Patch0: CVE-2020-1744_avoid_mkdir_p.patch BuildArch: noarch # extented documentation %if 0%{?with_docs}
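Review bot: on the rename hunk (CVE-2020-1733_avoid_mkdir_p.patch => CVE-2020-1744_avoid_mkdir_p.patch, similarity index 100%), only the file name changes, so any mention of the CVE number inside the patch's own header or description text still carries the old ID; check the file contents and update any embedded reference in the same request, otherwise the file name and its header disagree.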
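Review bot: in the new changelog entry (hunk @@ -1,3 +1,9 @@ of ansible.changes), "Correct ID of CVE" names the corrected ID only through the patch file name and never states the old one, and nothing in the diff says where the corrected mapping comes from. Spell both out and cite the source, for example "- Correct CVE ID of the mkdir -p patch (was CVE-2020-1733, now CVE-2020-1744, see bsc#1171823); renamed to CVE-2020-1744_avoid_mkdir_p.patch", so a reader searching the changelog for either number finds this entry.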
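Review bot: hunk @@ -43,7 +49,8 @@ amends the entry dated Fri Apr 17 2020 in place to add bsc#1167532, and the two hunks after it likewise add bsc#1126503 and bsc#1099808 to entries from 2019 and 2018; the new top entry says nothing about these retroactive additions even though the commit message lists them. Add a line to the Thu May 28 entry such as "- Add bsc references to older entries: bsc#1167532, bsc#1126503, bsc#1099808" so the changelog documents its own edits.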
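Review bot: in hunk @@ -895,6 +902,8 @@ the added "+ Includes fix for bsc#1099808 (CVE-2018-10875) ..." line is inserted at the head of the Bugfixes list, whose existing items ("+ Add text output along with structured output in nxos_facts", "+ Allow more than one page of results ...") read as alphabetically ordered; place the new item after "Allow more than one page ..." to keep that order, or, if it is meant as a packaging note rather than an upstream bullet, put it in the entry's own text above the Bugfixes list.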
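Review bot: in the ansible.spec hunk (@@ -229,9 +229,9 @@) the rename is applied consistently to both the PATCH-FIX-UPSTREAM comment and the Patch0 line, but the comment keeps bsc#1171823 and gh#ansible/ansible#67791 unchanged while the CVE number it is attached to changes; confirm that gh#ansible/ansible#67791 is the upstream fix for the CVE now named in the file, since this comment is the only place in the package linking the two. Drive-by: the context line two lines below reads "# extented documentation" (typo for "extended").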