0ad11aef75
- Update to version 2.8.3: Full changelog is packaged, but also at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst - (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing CVE-2019-10206: ansible-playbook -k and the ansible CLI tools prompt for passwords and then expand them as templates, which is dangerous because passwords can contain template special characters. Passwords should be wrapped as unsafe to prevent templating from being triggered and exposing them. - (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch CVE-2019-10217: Fields managing sensitive data should be marked as such via the no_log feature. Some of these fields in the GCP modules are not marked properly. service_account_contents(), which is the common class for all GCP modules, does not set no_log to True. Any sensitive data managed by that function would be leaked in the output when running ansible playbooks. OBS-URL: https://build.opensuse.org/request/show/721576 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=143
From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
From: Brian Coca <bcoca@users.noreply.github.com>
Date: Wed, 24 Jul 2019 16:00:20 -0400
Subject: [PATCH] prevent templating of passwords from prompt (#59246)
* prevent templating of passwords from prompt
fixes CVE-2019-10206
(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
---
.../fragments/dont_template_passwords_from_prompt.yml | 2 ++
lib/ansible/cli/__init__.py | 8 ++++++++
lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
3 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
--- /dev/null
|
|
+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
|
|
@@ -0,0 +1,2 @@
|
|
+bugfixes:
|
|
+ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
|
|
--- a/lib/ansible/cli/__init__.py
|
|
+++ b/lib/ansible/cli/__init__.py
|
|
@@ -29,6 +29,7 @@ from ansible.release import __version__
|
|
from ansible.utils.collection_loader import set_collection_playbook_paths
|
|
from ansible.utils.display import Display
|
|
from ansible.utils.path import unfrackpath
|
|
+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
|
|
from ansible.vars.manager import VariableManager
|
|
|
|
|
|
@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
|
|
except EOFError:
|
|
pass
|
|
|
|
+ # we 'wrap' the passwords to prevent templating as
|
|
+ # they can contain special chars and trigger it incorrectly
|
|
+ if sshpass:
|
|
+ sshpass = AnsibleUnsafeBytes(sshpass)
|
|
+ if becomepass:
|
|
+ becomepass = AnsibleUnsafeBytes(becomepass)
|
|
+
|
|
return (sshpass, becomepass)
|
|
|
|
def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
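Review bot: The new `sshpass = AnsibleUnsafeBytes(sshpass)` and `becomepass = AnsibleUnsafeBytes(becomepass)` lines assume both values are already `bytes` at this point; on Python 3, `bytes(some_str)` without an encoding raises `TypeError`, so if the prompt code earlier in `ask_passwords` returns text this would break `-k`/`-K` rather than protect them. The start of the function, including the prompt and any `to_bytes` conversion, is outside the hunk, so that assumption needs confirming against it. The added comment should also state what the wrapper is for rather than only that it exists, e.g. `# Mark the prompted passwords as AnsibleUnsafe so the templating engine treats them as literal data: a password containing '{{' or '{%' must never be rendered as a template (CVE-2019-10206).` The `if sshpass:` guard deliberately leaves an empty password unwrapped, which is harmless since there is nothing to template, but a one-word `# non-empty only` would save the next reader the question.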
|
|
--- a/lib/ansible/utils/unsafe_proxy.py
|
|
+++ b/lib/ansible/utils/unsafe_proxy.py
|
|
@@ -53,7 +53,7 @@
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
-from ansible.module_utils.six import string_types, text_type
|
|
+from ansible.module_utils.six import string_types, text_type, binary_type
|
|
from ansible.module_utils._text import to_text
|
|
from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
|
|
|
|
@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
|
|
pass
|
|
|
|
|
|
+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
|
|
+ pass
|
|
+
|
|
+
|
|
class UnsafeProxy(object):
|
|
def __new__(cls, obj, *args, **kwargs):
|
|
# In our usage we should only receive unicode strings.
|
|
# This conditional and conversion exists to sanity check the values
|
|
# we're given but we may want to take it out for testing and sanitize
|
|
# our input instead.
|
|
- if isinstance(obj, string_types):
|
|
- obj = to_text(obj, errors='surrogate_or_strict')
|
|
- return AnsibleUnsafeText(obj)
|
|
+ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
|
|
+ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
|
|
return obj
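Review bot: The added `not isinstance(obj, AnsibleUnsafeBytes)` guard in `UnsafeProxy.__new__` only has an effect on Python 2, where `string_types` is `basestring` and a bytes subclass would otherwise be decoded into `AnsibleUnsafeText`; on Python 3 `string_types` is `(str,)`, so any `bytes`, wrapped or not, already falls through to `return obj`. That means a plain `bytes` value given to the proxy is returned untouched and unmarked, which matches the previous behaviour but is easy to misread as "bytes become unsafe" now that the class exists; if that is the intent, handle it explicitly with `elif isinstance(obj, binary_type): obj = AnsibleUnsafeBytes(obj)`, otherwise the now-stale comment `# In our usage we should only receive unicode strings.` should be updated to say that bytes are passed through unchanged. `AnsibleUnsafeBytes` itself has no docstring; a line such as `"""bytes subclass carrying the AnsibleUnsafe marker so callers that check for it skip templating the value."""` would help, hedged because what consumers do with the marker is not visible in this hunk.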