From 0883c2685eaee5489c891f0d941176144bb09635 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Thu, 28 Oct 2021 17:15:56 +0800
Subject: [PATCH] The upstream community rolls back the patch
---
 CVE-2020-1736.patch | 74 ---------------------------------------------
 CVE-2020-1738.patch | 69 ------------------------------------------
 ansible.spec | 9 +++---
 3 files changed, 4 insertions(+), 148 deletions(-)
 delete mode 100644 CVE-2020-1736.patch
 delete mode 100644 CVE-2020-1738.patch
diff --git a/CVE-2020-1736.patch b/CVE-2020-1736.patch
deleted file mode 100644
index 933369a..0000000
--- a/CVE-2020-1736.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From a2ef19e48a53cc83b3a6f433013d8ff4e8f5d618 Mon Sep 17 00:00:00 2001
-From: Brian Coca
-Date: Thu, 2 Apr 2020 11:07:51 -0400
-Subject: [PATCH] stricter permissions on atomic_move when creating new file
----
- test/units/module_utils/basic/test_atomic_move.py | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/test/units/module_utils/basic/test_atomic_move.py b/test/units/module_utils/basic/test_atomic_move.py
-index d1dc4d7..a44ebc5 100644
---- a/test/units/module_utils/basic/test_atomic_move.py
-+++ b/test/units/module_utils/basic/test_atomic_move.py
-@@ -59,7 +59,7 @@ def atomic_mocks(mocker):
- @pytest.fixture
- def fake_stat(mocker):
- stat1 = mocker.MagicMock()
-- stat1.st_mode = 0o0644
-+ stat1.st_mode = 0o0640
- stat1.st_uid = 0
- stat1.st_gid = 0
- yield stat1
-@@ -75,7 +75,8 @@ def test_new_file(atomic_am, atomic_mocks, mocker, selinux):
- atomic_am.atomic_move('/path/to/src', '/path/to/dest')
- 
- atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
-- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
-+ # 416 is what we expect with default perms set to 0640
-+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
- 
- if selinux:
- assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
-@@ -96,7 +97,7 @@ def test_existing_file(atomic_am, atomic_mocks, fake_stat, mocker, selinux):
- atomic_am.atomic_move('/path/to/src', '/path/to/dest')
- 
- atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
-- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
-+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', 416)]
- 
- if selinux:
- assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
-@@ -119,10 +120,10 @@ def 
test_no_tty_fallback(atomic_am, atomic_mocks, fake_stat, mocker):
- atomic_am.atomic_move('/path/to/src', '/path/to/dest')
- 
- atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
-- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
- 
- assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
- assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
-+ atomic_am.atomic_move('/path/to/src', '/path/to/dest')
- 
- 
- @pytest.mark.parametrize('stdin', [{}], indirect=['stdin'])
-@@ -150,6 +151,8 @@ def test_existing_file_stat_perms_failure(atomic_am, atomic_mocks, mocker):
- # FIXME: Should atomic_move() set a default permission value when it cannot retrieve the
- # existing file's permissions? (Right now it's up to the calling code.
- # assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
-+ # atomic_move() will set a default permission value whenit cannot retrieve the
-+ # existing file's permissions.
- assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
- assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
- 
-@@ -206,7 +209,7 @@ def test_rename_perms_fail_temp_succeeds(atomic_am, atomic_mocks, fake_stat, moc
- atomic_am.atomic_move('/path/to/src', '/path/to/dest')
- assert atomic_mocks['rename'].call_args_list == [mocker.call(b'/path/to/src', b'/path/to/dest'),
- mocker.call(b'/path/to/tempfile', b'/path/to/dest')]
-- assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
-+ assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416)]
- 
- if selinux:
- assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
--- 
-2.23.0
-
diff --git a/CVE-2020-1738.patch b/CVE-2020-1738.patch
deleted file mode 100644
index 3715e19..0000000
--- a/CVE-2020-1738.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b1fd71de03ae3843ac556d9b726b5f3b2441c3ed Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde
-Date: Thu, 27 Feb 2020 11:42:12 +0530
-Subject: [PATCH] Add whitelisting for package and service module
-
-**security issue** (CVE-2020-1738)
-When 'use' parameter is not used in package and service module,
-ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'.
-
-This would allow arbitrary code execution on the managed node.
-
-Fix is added by adding a whitelist of allowed package manager modules and
-service manager modules to avoid arbitrary code execution on the managed node.
-
-Fixes: #67796
-
-Signed-off-by: Abhijeet Kasurde
----
- changelogs/fragments/67796-package-service-fact_fix.yml | 4 ++++
- lib/ansible/plugins/action/package.py | 8 ++++++++
- lib/ansible/plugins/action/service.py | 5 +++++
- 3 files changed, 17 insertions(+)
- create mode 100644 changelogs/fragments/67796-package-service-fact_fix.yml
-
-diff --git a/changelogs/fragments/67796-package-service-fact_fix.yml b/changelogs/fragments/67796-package-service-fact_fix.yml
-new file mode 100644
-index 0000000000000..ce1ee71da08e0
---- /dev/null
-+++ b/changelogs/fragments/67796-package-service-fact_fix.yml
-@@ -0,0 +1,4 @@
-+bugfixes:
-+ - >
-+ **security issue** Add a whitelist of modules for package and service module
-+ when 'use' is not used and engine relies on pkg_mgr and service_mgr facts (CVE-2020-1738).
-diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
-index 932acccb04b66..8884086d8d6c5 100644
---- a/lib/ansible/plugins/action/package.py
-+++ b/lib/ansible/plugins/action/package.py
-@@ -56,6 +56,14 @@ def run(self, tmp=None, task_vars=None):
- module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
- 
- if module != 'auto':
-+ if module not in ['apk', 'apt_rpm', 'apt', 'dnf', 'homebrew_cask',
-+ 'homebrew_tap', 'homebrew', 'installp', 'macports', 'mas',
-+ 'openbsd_pkg', 'opkg', 'pacman', 'pkg5', 'pkgin',
-+ 'pkgng', 'pkgutil', 'portage', 'portinstall', 'slackpkg',
-+ 'snap', 'sorcery', 'svr4pkg', 'swdepot', 'swupd',
-+ 'urpmi', 'xbps', 'yum', 'zypper']:
-+ raise AnsibleActionFail('Could not find a module for package manager %s.'
-+ 'Try setting the "use" option.' % module)
- 
- if module not in self._shared_loader_obj.module_loader:
- raise AnsibleActionFail('Could not find a module for %s.' % module)
-diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
-index 3ebd0ae17dc90..e11ab1e287164 100644
---- a/lib/ansible/plugins/action/service.py
-+++ b/lib/ansible/plugins/action/service.py
-@@ -61,6 +61,11 @@ def run(self, tmp=None, task_vars=None):
- module = 'service'
- 
- if module != 'auto':
-+ # Check if auto detected module is valid module name or not
-+ if module not in ['nosh', 'openwrt_init', 'runit',
-+ 'svc', 'systemd', 'sysvinit', 'service']:
-+ raise AnsibleActionFail('Could not find module for "%s" service manager. '
-+ 'Try setting the "use" option.' % module)
- # run the 'service' module
- new_module_args = self._task.args.copy()
- if 'use' in new_module_args:
diff --git a/ansible.spec b/ansible.spec
index f4c4cd2..a733c8c 100644
--- a/ansible.spec
+++ b/ansible.spec
@@ -3,7 +3,7 @@ Name: ansible Summary: SSH-based configuration management, deployment, and task execution system Version: 2.5.5 -Release: 2 +Release: 3 License: Python-2.0 and MIT and GPL+ Url: http://ansible.com Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz @@ -13,9 +13,7 @@ Patch101: CVE-2019-14904.patch Patch102: CVE-2020-10684.patch Patch103: CVE-2020-10729.patch Patch104: CVE-2020-1735.patch -Patch105: CVE-2020-1736.patch Patch106: CVE-2020-1737.patch -Patch107: CVE-2020-1738.patch Patch108: CVE-2020-1739.patch Patch109: CVE-2020-1740.patch Patch110: CVE-2020-1753.patch @@ -78,9 +76,7 @@ This package installs extensive documentation for ansible %patch102 -p1 %patch103 -p1 %patch104 -p1 -%patch105 -p1 %patch106 -p1 -%patch107 -p1 %patch108 -p1 %patch109 -p1 %patch110 -p1 @@ -146,6 +142,9 @@ cp -pr docs/docsite/rst . %endif %changelog +* Thu Oct 28 2021 liwu - 2.5.5-3 +- The upstream community rolls back the patch + * Fri Sep 17 2021 yaoxin - 2.5.5-2 - Fix CVE-2019-14904 CVE-2020-10684 CVE-2020-10729 CVE-2020-1735-to-CVE-2020-1740 CVE-2020-1753 CVE-2021-20191 -- Gitee
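Review bot: The new %changelog entry in the last hunk, `- The upstream community rolls back the patch`, does not say which patches were dropped, while the entry directly below it still states that CVE-2020-1735-to-CVE-2020-1740 were fixed in 2.5.5-2; after this change CVE-2020-1736 and CVE-2020-1738 are no longer applied (Patch105 and Patch107 are removed in the two earlier hunks), so a reader or a tool that scans the changelog for CVE ids will conclude they are still addressed. I would name them explicitly, e.g. `- Drop CVE-2020-1736.patch and CVE-2020-1738.patch (rolled back upstream)`, and cite the upstream revert if a reference is available. The gaps left at Patch105/Patch107 are harmless to rpmbuild, but a one-line comment next to the Patch list saying why those numbers are intentionally unused would stop a later maintainer from re-adding them by reflex. Judging by its diffstat, the dropped CVE-2020-1736.patch only touched test/units/module_utils/basic/test_atomic_move.py, so its removal changes no shipped code; the CVE-2020-1738 removal does, since it takes out the package/service module whitelist under lib/ansible/plugins/action, which is worth stating in the changelog for anyone assessing exposure of this build.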