!65 Fix CVE-2024-0690

From: @wk333 Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2024-02-06 01:15:47 +00:00 · 2024-02-06 01:15:47 +00:00 · 6c06026883
commit 6c06026883
parent 41b73e864d f8f97e411f
2 changed files with 97 additions and 1 deletions
--- a/CVE-2024-0690.patch
+++ b/CVE-2024-0690.patch
@ -0,0 +1,91 @@
+From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
+From: Matt Martz <matt@sivel.net>
+Date: Thu, 18 Jan 2024 17:17:23 -0600
+Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
+ (CVE-2024-0690) (#82565) (#82568)
+
+Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
+
+(cherry picked from commit 6935c8e)
+
+---
+ changelogs/fragments/cve-2024-0690.yml            |  2 ++
+ lib/ansible/playbook/base.py                      |  2 +-
+ lib/ansible/playbook/play_context.py              |  4 ----
+ test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
+ test/integration/targets/no_log/runme.sh          |  5 +++++
+ 5 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 changelogs/fragments/cve-2024-0690.yml
+ create mode 100644 test/integration/targets/no_log/no_log_config.yml
+
+diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
+new file mode 100644
+index 0000000..0e030d8
+--- /dev/null
+++ b/changelogs/fragments/cve-2024-0690.yml
+@@ -0,0 +1,2 @@
+security_fixes:
+- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
+diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
+index 5fae511..733fa83 100644
+--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
+@@ -154,7 +154,7 @@ class Base(with_metaclass(BaseMeta, object)):
+ 
+     # flags and misc. settings
+     _environment = FieldAttribute(isa='list', extend=True, prepend=True)
+-    _no_log = FieldAttribute(isa='bool')
+    _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
+     _always_run = FieldAttribute(isa='bool')
+     _run_once = FieldAttribute(isa='bool')
+     _ignore_errors = FieldAttribute(isa='bool')
+diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
+index ea8bb87..8ca03cd 100644
+--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
+@@ -432,10 +432,6 @@ class PlayContext(Base):
+                 new_info.connection_user = new_info.remote_user
+             new_info.remote_user = pwd.getpwuid(os.getuid()).pw_name
+ 
+-        # set no_log to default if it was not previously set
+-        if new_info.no_log is None:
+-            new_info.no_log = C.DEFAULT_NO_LOG
+-
+         if task.always_run:
+             display.deprecated("always_run is deprecated. Use check_mode = no instead.", version="2.4", removed=False)
+             new_info.check_mode = False
+diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
+new file mode 100644
+index 0000000..8a50880
+--- /dev/null
+++ b/test/integration/targets/no_log/no_log_config.yml
+@@ -0,0 +1,13 @@
+- hosts: testhost
+  gather_facts: false
+  tasks:
+    - debug:
+      no_log: true
+
+    - debug:
+      no_log: false
+
+    - debug:
+
+    - debug:
+      loop: '{{ range(3) }}'
+diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
+index e20bb08..b78dc94 100755
+--- a/test/integration/targets/no_log/runme.sh
+++ b/test/integration/targets/no_log/runme.sh
+@@ -7,3 +7,8 @@ set -eux
+ 
+ [ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" | awk \
+ 'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]
+
+# test variations on ANSIBLE_NO_LOG
+[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
+-- 
+2.33.0
+
--- a/ansible.spec
+++ b/ansible.spec
@ -3,7 +3,7 @@
 Name:                ansible
 Summary:             SSH-based configuration management, deployment, and task execution system
 Version:             2.5.5
-Release:             6
+Release:             7
 License:             Python-2.0 and MIT and GPL+
 Url:                 http://ansible.com
 Source0:             https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@ -22,6 +22,7 @@ Patch113:            CVE-2019-10156-2.patch
 Patch114:            CVE-2020-1735.patch
 Patch115:            CVE-2019-3828.patch
 Patch116:            ansible-2.5.5-openEuler-hostname.patch
+Patch117:            CVE-2024-0690.patch
 BuildArch:           noarch
 Provides:            ansible-fireball = %{version}-%{release}
 Obsoletes:           ansible-fireball < 1.2.4
@ -89,6 +90,7 @@ This package installs extensive documentation for ansible
 %patch114 -p1
 %patch115 -p1
 %patch116 -p1
+%patch117 -p1
 %if 0%{?with_python3}
 rm -rf %{py3dir}
 cp -a . %{py3dir}
@ -149,6 +151,9 @@ cp -pr docs/docsite/rst .
 %endif

 %changelog
+* Mon Feb 05 2024 wangkai <13474090681@163.com> - 2.5.5-7
+- Fix CVE-2024-0690
+
 * Fri Oct 13 2023 Ge Wang <wang__ge@126.com> - 2.5.5-6
 - Change BuildRequire python3-winrm to python3-pywinrm