The upstream community rolls back the patch
parent
28e9842d1f
commit
78519b78ea
@ -1,74 +0,0 @@
|
||||
From a2ef19e48a53cc83b3a6f433013d8ff4e8f5d618 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Coca <brian.coca+git@gmail.com>
|
||||
Date: Thu, 2 Apr 2020 11:07:51 -0400
|
||||
Subject: [PATCH] stricter permissions on atomic_move when creating new file
|
||||
|
||||
---
|
||||
test/units/module_utils/basic/test_atomic_move.py | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/test/units/module_utils/basic/test_atomic_move.py b/test/units/module_utils/basic/test_atomic_move.py
|
||||
index d1dc4d7..a44ebc5 100644
|
||||
--- a/test/units/module_utils/basic/test_atomic_move.py
|
||||
+++ b/test/units/module_utils/basic/test_atomic_move.py
|
||||
@@ -59,7 +59,7 @@ def atomic_mocks(mocker):
|
||||
@pytest.fixture
|
||||
def fake_stat(mocker):
|
||||
stat1 = mocker.MagicMock()
|
||||
- stat1.st_mode = 0o0644
|
||||
+ stat1.st_mode = 0o0640
|
||||
stat1.st_uid = 0
|
||||
stat1.st_gid = 0
|
||||
yield stat1
|
||||
@@ -75,7 +75,8 @@ def test_new_file(atomic_am, atomic_mocks, mocker, selinux):
|
||||
atomic_am.atomic_move('/path/to/src', '/path/to/dest')
|
||||
|
||||
atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
|
||||
- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
|
||||
+ # 416 is what we expect with default perms set to 0640
|
||||
+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
|
||||
|
||||
if selinux:
|
||||
assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
|
||||
@@ -96,7 +97,7 @@ def test_existing_file(atomic_am, atomic_mocks, fake_stat, mocker, selinux):
|
||||
atomic_am.atomic_move('/path/to/src', '/path/to/dest')
|
||||
|
||||
atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
|
||||
- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
|
||||
+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', 416)]
|
||||
|
||||
if selinux:
|
||||
assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
|
||||
@@ -119,10 +120,10 @@ def test_no_tty_fallback(atomic_am, atomic_mocks, fake_stat, mocker):
|
||||
atomic_am.atomic_move('/path/to/src', '/path/to/dest')
|
||||
|
||||
atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
|
||||
- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
|
||||
|
||||
assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
|
||||
assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
|
||||
+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
|
||||
|
||||
|
||||
@pytest.mark.parametrize('stdin', [{}], indirect=['stdin'])
|
||||
@@ -150,6 +151,8 @@ def test_existing_file_stat_perms_failure(atomic_am, atomic_mocks, mocker):
|
||||
# FIXME: Should atomic_move() set a default permission value when it cannot retrieve the
|
||||
# existing file's permissions? (Right now it's up to the calling code.
|
||||
# assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
|
||||
+ # atomic_move() will set a default permission value whenit cannot retrieve the
|
||||
+ # existing file's permissions.
|
||||
assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
|
||||
assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
|
||||
|
||||
@@ -206,7 +209,7 @@ def test_rename_perms_fail_temp_succeeds(atomic_am, atomic_mocks, fake_stat, moc
|
||||
atomic_am.atomic_move('/path/to/src', '/path/to/dest')
|
||||
assert atomic_mocks['rename'].call_args_list == [mocker.call(b'/path/to/src', b'/path/to/dest'),
|
||||
mocker.call(b'/path/to/tempfile', b'/path/to/dest')]
|
||||
- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
|
||||
+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
|
||||
|
||||
if selinux:
|
||||
assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
|
||||
--
|
||||
2.23.0
|
||||
|
||||
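--- a/CVE-2020-1738.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b1fd71de03ae3843ac556d9b726b5f3b2441c3ed Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Thu, 27 Feb 2020 11:42:12 +0530
-Subject: [PATCH] Add whitelisting for package and service module
-
-**security issue** (CVE-2020-1738)
-When 'use' parameter is not used in package and service module,
-ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'.
-
-This would allow arbitrary code execution on the managed node.
-
-Fix is added by adding a whitelist of allowed package manager modules and
-service manager modules to avoid arbitrary code execution on the managed node.
-
-Fixes: #67796
-
-Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
----
-changelogs/fragments/67796-package-service-fact_fix.yml | 4 ++++
-lib/ansible/plugins/action/package.py | 8 ++++++++
-lib/ansible/plugins/action/service.py | 5 +++++
-3 files changed, 17 insertions(+)
-create mode 100644 changelogs/fragments/67796-package-service-fact_fix.yml
-
-diff --git a/changelogs/fragments/67796-package-service-fact_fix.yml b/changelogs/fragments/67796-package-service-fact_fix.yml
-new file mode 100644
-index 0000000000000..ce1ee71da08e0
---- /dev/null
-+++ b/changelogs/fragments/67796-package-service-fact_fix.yml
-@@ -0,0 +1,4 @@
-+bugfixes:
-+ - >
-+ **security issue** Add a whitelist of modules for package and service module
-+ when 'use' is not used and engine relies on pkg_mgr and service_mgr facts (CVE-2020-1738).
-diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
-index 932acccb04b66..8884086d8d6c5 100644
---- a/lib/ansible/plugins/action/package.py
-+++ b/lib/ansible/plugins/action/package.py
-@@ -56,6 +56,14 @@ def run(self, tmp=None, task_vars=None):
-module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
-
-if module != 'auto':
-+ if module not in ['apk', 'apt_rpm', 'apt', 'dnf', 'homebrew_cask',
-+ 'homebrew_tap', 'homebrew', 'installp', 'macports', 'mas',
-+ 'openbsd_pkg', 'opkg', 'pacman', 'pkg5', 'pkgin',
-+ 'pkgng', 'pkgutil', 'portage', 'portinstall', 'slackpkg',
-+ 'snap', 'sorcery', 'svr4pkg', 'swdepot', 'swupd',
-+ 'urpmi', 'xbps', 'yum', 'zypper']:
-+ raise AnsibleActionFail('Could not find a module for package manager %s.'
-+ 'Try setting the "use" option.' % module)
-
-if module not in self._shared_loader_obj.module_loader:
-raise AnsibleActionFail('Could not find a module for %s.' % module)
-diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
-index 3ebd0ae17dc90..e11ab1e287164 100644
---- a/lib/ansible/plugins/action/service.py
-+++ b/lib/ansible/plugins/action/service.py
-@@ -61,6 +61,11 @@ def run(self, tmp=None, task_vars=None):
-module = 'service'
-
-if module != 'auto':
-+ # Check if auto detected module is valid module name or not
-+ if module not in ['nosh', 'openwrt_init', 'runit',
-+ 'svc', 'systemd', 'sysvinit', 'service']:
-+ raise AnsibleActionFail('Could not find module for "%s" service manager. '
-+ 'Try setting the "use" option.' % module)
-# run the 'service' module
-new_module_args = self._task.args.copy()
-if 'use' in new_module_args: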
@ -3,7 +3,7 @@
|
||||
Name: ansible
|
||||
Summary: SSH-based configuration management, deployment, and task execution system
|
||||
Version: 2.5.5
|
||||
Release: 3
|
||||
Release: 4
|
||||
License: Python-2.0 and MIT and GPL+
|
||||
Url: http://ansible.com
|
||||
Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
|
||||
@ -13,9 +13,7 @@ Patch101: CVE-2019-14904.patch
|
||||
Patch102: CVE-2020-10684.patch
|
||||
Patch103: CVE-2020-10729.patch
|
||||
Patch104: CVE-2020-1735.patch
|
||||
Patch105: CVE-2020-1736.patch
|
||||
Patch106: CVE-2020-1737.patch
|
||||
Patch107: CVE-2020-1738.patch
|
||||
Patch108: CVE-2020-1739.patch
|
||||
Patch109: CVE-2020-1740.patch
|
||||
Patch110: CVE-2020-1753.patch
|
||||
@ -80,9 +78,7 @@ This package installs extensive documentation for ansible
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
%patch104 -p1
|
||||
%patch105 -p1
|
||||
%patch106 -p1
|
||||
%patch107 -p1
|
||||
%patch108 -p1
|
||||
%patch109 -p1
|
||||
%patch110 -p1
|
||||
@ -150,6 +146,9 @@ cp -pr docs/docsite/rst .
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Oct 28 2021 liwu <liwu13@huawei.com> - 2.5.5-4
|
||||
- The upstream community rolls back the patch
|
||||
|
||||
* Wed Oct 13 2021 yaoxin <yaoxin30@huawei.com> - 2.5.5-3
|
||||
- Fix CVE-2019-10156
|
||||
|
||||
|
||||
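Review bot: Dropping `Patch107: CVE-2020-1738.patch` and its `%patch107 -p1` line removes the only mitigation visible in this spec for CVE-2020-1738, which the deleted patch itself describes as arbitrary code execution on the managed node when the package/service modules take the module name from the `pkg_mgr`/`service_mgr` facts, and no replacement Patch entry is added in its place. If upstream reverted the allowlist in favour of a different check, that replacement should be carried as a new Patch line before this one is dropped; if upstream reverted it outright, the package is exposed to the issue again and the changelog should say so. The changelog hunk also names neither the CVEs being rolled back nor the upstream commit being followed; I would write it as `- Drop CVE-2020-1738.patch and the atomic_move perms patch: reverted upstream (<upstream commit/PR>)`. Which two of the nine `Patch:` lines are removed is not marked on this rendered page, so the identity of the second patch is inferred from the deleted files rather than from the hunk.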