diff --git a/CVE-2020-1736.patch b/CVE-2020-1736.patch
new file mode 100644
index 0000000000000000000000000000000000000000..46a33ca03f0d7bd2f0780f3a043795037e7420e1
--- /dev/null
+++ b/CVE-2020-1736.patch
@@ -0,0 +1,78 @@
+From 0243d0ea269014bcb52c71912df6fd9662eec476 Mon Sep 17 00:00:00 2001
+From: Brian Coca
+Date: Thu, 16 Sep 2021 15:12:44 +0800
+Subject: [PATCH] stricter permissions on atomic_move when creating new
+file
+
+---
+ .../units/module_utils/basic/test_atomic_move.py | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/test/units/module_utils/basic/test_atomic_move.py b/test/units/module_utils/basic/test_atomic_move.py
+index d1dc4d7..9e35b1e 100644
+--- a/test/units/module_utils/basic/test_atomic_move.py
++++ b/test/units/module_utils/basic/test_atomic_move.py
+@@ -60,6 +60,7 @@ def atomic_mocks(mocker):
+ def fake_stat(mocker):
+ stat1 = mocker.MagicMock()
+ stat1.st_mode = 0o0644
++ stat1.st_mode = 0o0640
+ stat1.st_uid = 0
+ stat1.st_gid = 0
+ yield stat1
+@@ -75,7 +76,8 @@ def test_new_file(atomic_am, atomic_mocks, mocker, selinux):
+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
+
+ atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
+- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
++ # 416 is what we expect with default perms set to 0640
++ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
+
+ if selinux:
+ assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
+@@ -97,7 +99,7 @@ def test_existing_file(atomic_am, atomic_mocks, fake_stat, mocker, selinux):
+
+ atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
+-
++ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', 416)]
+ if selinux:
+ assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
+ assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
+@@ -119,10
+121,9 @@ def test_no_tty_fallback(atomic_am, atomic_mocks, fake_stat, mocker):
+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
+
+ atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
+- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
+-
+ assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
+ assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
++ atomic_am.atomic_move('/path/to/src','/path/to/dest')
+
+
+ @pytest.mark.parametrize('stdin', [{}], indirect=['stdin'])
+@@ -147,9 +148,8 @@ def test_existing_file_stat_perms_failure(atomic_am, atomic_mocks, mocker):
+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
+
+ atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
+- # FIXME: Should atomic_move() set a default permission value when it cannot retrieve the
+- # existing file's permissions? (Right now it's up to the calling code.
+- # assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
++ #atomic_move() will set a default permission value when it cannot retrieve the
++ #existing file's permissions
+ assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
+ assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
+
+@@ -206,8 +206,8 @@ def test_rename_perms_fail_temp_succeeds(atomic_am, atomic_mocks, fake_stat, moc
+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
+ assert atomic_mocks['rename'].call_args_list == [mocker.call(b'/path/to/src', b'/path/to/dest'),
+ mocker.call(b'/path/to/tempfile', b'/path/to/dest')]
+- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
+
++ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
+ if selinux:
+ assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
+ assert atomic_am.set_context_if_different.call_args_list == [mocker.call(b'/path/to/tempfile', mock_context, False),
+--
+2.27.0
+
diff --git a/ansible.spec b/ansible.spec
index 65aaa38a9c5e7bc2c8da9e476ac9f3b30b40cb95..c0b62bfdf1eef931cd886705ecb1f0d508405ce4 100644
--- a/ansible.spec
+++ b/ansible.spec
@@ -3,12 +3,13 @@ Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.5.5
-Release: 1
+Release: 2
 License: Python-2.0 and MIT and GPL+
 Url: http://ansible.com
 Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
 Patch0: 0001-Changes-to-support-building-docs-with-old-jinja2.patch
 Patch100: ansible-newer-jinja.patch
+Patch101: CVE-2020-1736.patch
 BuildArch: noarch
 Provides: ansible-fireball = %{version}-%{release}
 Obsoletes: ansible-fireball < 1.2.4
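Review bot: The added CVE-2020-1736.patch modifies only the unit test `test/units/module_utils/basic/test_atomic_move.py` (its own diffstat reads `1 file changed, 8 insertions(+), 8 deletions(-)`), so the `atomic_move` implementation in the `basic` module that these tests exercise is left unchanged, and the `Patch101: CVE-2020-1736.patch` line and the `- fix CVE-2020-1736` changelog entry in `ansible.spec` claim a hardening that this build does not actually apply. The test edits are also internally inconsistent: in the `test_existing_file` hunk the retained context line asserting `basic.DEFAULT_PERM & ~18` and the added line asserting `416` compare the same `call_args_list` against two different values, so at most one can hold (the `test_new_file` hunk replaces that very expression with `416`, which suggests they differ); `fake_stat` keeps `stat1.st_mode = 0o0644` immediately before the new `0o0640` assignment; and `test_no_tty_fallback` gains a trailing `atomic_am.atomic_move('/path/to/src','/path/to/dest')` call after its assertions that checks nothing. The `From:` line naming Brian Coca next to a `+0800` date identical to the changelog date suggests the file was assembled locally rather than exported from upstream, which would be consistent with the library change having been dropped. I would replace this file with the upstream commit that changes the mode `atomic_move` applies to newly created files (the behavior the `0o0640`/`416` expectations describe), keeping these test edits only as that commit's companion, or else remove the changelog claim until that change is included.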
@@ -63,6 +64,7 @@ This package installs extensive documentation for ansible
 %setup -q
 %patch0 -p1
 %patch100 -p1
+%patch101 -p1
 %if 0%{?with_python3}
 rm -rf %{py3dir}
 cp -a . %{py3dir}
@@ -123,5 +125,8 @@ cp -pr docs/docsite/rst .
 %endif
 %changelog
+* Thu Sep 16 2021 liwu - 2.5.5-2
+- fix CVE-2020-1736
+
 * Tue Jan 12 2021 yanan li - 2.5.5-1
 - Package init