ansible/CVE-2019-10206-data-disclosure.patch
Lars Vogdt 0ad11aef75 Accepting request 721576 from home:mcepl:branches:systemsmanagement
- Update to version 2.8.3:
  Full changelog is packaged, but also at
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing
  CVE-2019-10206: ansible-playbook -k and ansible cli tools
  prompt passwords by expanding them from templates as they could
  contain special characters. Passwords should be wrapped to
  prevent templates trigger and exposing them.
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
  CVE-2019-10217: Fields managing sensitive data should be set as
  such by no_log feature. Some of these fields in GCP modules are
  not set properly. service_account_contents() which is common
  class for all gcp modules is not setting no_log to True. Any
  sensitive data managed by that function would be leak as an
  output when running ansible playbooks.

OBS-URL: https://build.opensuse.org/request/show/721576
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=143
2019-08-08 14:01:06 +00:00

80 lines
3.1 KiB
Diff

From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
From: Brian Coca <bcoca@users.noreply.github.com>
Date: Wed, 24 Jul 2019 16:00:20 -0400
Subject: [PATCH] prevent templating of passwords from prompt (#59246)
* prevent templating of passwords from prompt
fixes CVE-2019-10206
(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
---
.../fragments/dont_template_passwords_from_prompt.yml | 2 ++
lib/ansible/cli/__init__.py | 8 ++++++++
lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
3 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
--- /dev/null
+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -29,6 +29,7 @@ from ansible.release import __version__
from ansible.utils.collection_loader import set_collection_playbook_paths
from ansible.utils.display import Display
from ansible.utils.path import unfrackpath
+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
from ansible.vars.manager import VariableManager
@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
except EOFError:
pass
+ # we 'wrap' the passwords to prevent templating as
+ # they can contain special chars and trigger it incorrectly
+ if sshpass:
+ sshpass = AnsibleUnsafeBytes(sshpass)
+ if becomepass:
+ becomepass = AnsibleUnsafeBytes(becomepass)
+
return (sshpass, becomepass)
def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
--- a/lib/ansible/utils/unsafe_proxy.py
+++ b/lib/ansible/utils/unsafe_proxy.py
@@ -53,7 +53,7 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
-from ansible.module_utils.six import string_types, text_type
+from ansible.module_utils.six import string_types, text_type, binary_type
from ansible.module_utils._text import to_text
from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
pass
+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
+ pass
+
+
class UnsafeProxy(object):
def __new__(cls, obj, *args, **kwargs):
# In our usage we should only receive unicode strings.
# This conditional and conversion exists to sanity check the values
# we're given but we may want to take it out for testing and sanitize
# our input instead.
- if isinstance(obj, string_types):
- obj = to_text(obj, errors='surrogate_or_strict')
- return AnsibleUnsafeText(obj)
+ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
+ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
return obj