256ccae9cf
- Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733 (bsc#1164140) - Add metadata information to this file to mark which SUSE bugzilla have been already fixed. - bsc#1164140 CVE-2020-1733 - insecure temporary directory when running become_user from become directive - bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe lookup plugin subprocess - bsc#1164137 CVE-2020-1735 - path injection on dest parameter in fetch module - bsc#1164134 CVE-2020-1736 atomic_move primitive sets permissive permissions - bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip module does not check extracted path - bsc#1164136 CVE-2020-1738 module package can be selected by the ansible facts - bsc#1164133 CVE-2020-1739 - svn module leaks password when specified as a parameter - bsc#1164135 CVE-2020-1740 - secrets readable after ansible-vault edit - bsc#1165393 CVE-2020-1746 - information disclosure issue in ldap_attr and ldap_entry modules - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive information - CVE-2020-10684 - code injection when using ansible_facts as a subkey - bsc#1167440 CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2] - update to version 2.9.6 (maintenance release) including OBS-URL: https://build.opensuse.org/request/show/809080 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=183
55 lines
2.3 KiB
Diff
55 lines
2.3 KiB
Diff
From 0a85e91329d4c048e7e4b2cd478f2c17a3dac988 Mon Sep 17 00:00:00 2001
|
|
From: Brian Coca <bcoca@users.noreply.github.com>
|
|
Date: Mon, 13 Apr 2020 17:16:29 -0400
|
|
Subject: [PATCH 1/4] avoid mkdir -p (#68921)
|
|
|
|
* also consolidated temp dir name generation, added pid for more 'uniqness'
|
|
* generalize error message
|
|
* added notes about remote expansion
|
|
|
|
CVE-2020-1733
|
|
fixes #67791
|
|
|
|
(cherry picked from commit 8077d8e40148fe77e2393caa5f2b2ea855149d63)
|
|
---
|
|
changelogs/fragments/remote_mkdir_fix.yml | 2 ++
|
|
lib/ansible/plugins/action/__init__.py | 11 ++++++++---
|
|
lib/ansible/plugins/shell/__init__.py | 14 ++++++++++----
|
|
lib/ansible/plugins/shell/powershell.py | 2 ++
|
|
4 files changed, 22 insertions(+), 7 deletions(-)
|
|
create mode 100644 changelogs/fragments/remote_mkdir_fix.yml
|
|
|
|
--- /dev/null
|
|
+++ b/changelogs/fragments/remote_mkdir_fix.yml
|
|
@@ -0,0 +1,2 @@
|
|
+bugfixes:
|
|
+ - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733
|
|
--- a/lib/ansible/plugins/action/__init__.py
|
|
+++ b/lib/ansible/plugins/action/__init__.py
|
|
@@ -340,7 +340,11 @@ class ActionBase(with_metaclass(ABCMeta,
|
|
else:
|
|
# NOTE: shell plugins should populate this setting anyways, but they dont do remote expansion, which
|
|
# we need for 'non posix' systems like cloud-init and solaris
|
|
- tmpdir = self._remote_expand_user(self.get_shell_option('remote_tmp', default='~/.ansible/tmp'), sudoable=False)
|
|
+ try:
|
|
+ tmpdir = self._connection._shell.get_option('remote_tmp')
|
|
+ except AnsibleError:
|
|
+ tmpdir = '~/.ansible/tmp'
|
|
+ tmpdir = self._remote_expand_user(tmpdir, sudoable=False)
|
|
|
|
become_unprivileged = self._is_become_unprivileged()
|
|
basefile = self._connection._shell._generate_temp_dir_name()
|
|
--- a/lib/ansible/plugins/shell/__init__.py
|
|
+++ b/lib/ansible/plugins/shell/__init__.py
|
|
@@ -79,6 +79,10 @@ class ShellBase(AnsiblePlugin):
|
|
def _generate_temp_dir_name():
|
|
return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48))
|
|
|
|
+ @staticmethod
|
|
+ def _generate_temp_dir_name():
|
|
+ return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48))
|
|
+
|
|
def env_prefix(self, **kwargs):
|
|
return ' '.join(['%s=%s' % (k, shlex_quote(text_type(v))) for k, v in kwargs.items()])
|
|
|