From a80e725148fcd780c4df6aa8c43285eee8edfd78 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 5 Feb 2024 20:47:26 +0800
Subject: [PATCH] Fix CVE-2024-0690

---
 CVE-2024-0690.patch | 91 +++++++++++++++++++++++++++++++++++++++++++++
 ansible.spec | 7 +++-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-0690.patch

diff --git a/CVE-2024-0690.patch b/CVE-2024-0690.patch
new file mode 100644
index 0000000..8a436cb
--- /dev/null
+++ b/CVE-2024-0690.patch
@@ -0,0 +1,91 @@
+From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
+From: Matt Martz
+Date: Thu, 18 Jan 2024 17:17:23 -0600
+Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
+ (CVE-2024-0690) (#82565) (#82568)
+
+Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
+
+(cherry picked from commit 6935c8e)
+
+---
+ changelogs/fragments/cve-2024-0690.yml | 2 ++
+ lib/ansible/playbook/base.py | 2 +-
+ lib/ansible/playbook/play_context.py | 4 ----
+ test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
+ test/integration/targets/no_log/runme.sh | 5 +++++
+ 5 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 changelogs/fragments/cve-2024-0690.yml
+ create mode 100644 test/integration/targets/no_log/no_log_config.yml
+
+diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
+new file mode 100644
+index 0000000..0e030d8
+--- /dev/null
++++ b/changelogs/fragments/cve-2024-0690.yml
+@@ -0,0 +1,2 @@
++security_fixes:
++- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
+diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
+index 5fae511..733fa83 100644
+--- a/lib/ansible/playbook/base.py
++++ b/lib/ansible/playbook/base.py
+@@ -154,7 +154,7 @@ class Base(with_metaclass(BaseMeta, object)):
+
+ # flags and misc. settings
+ _environment = FieldAttribute(isa='list', extend=True, prepend=True)
+- _no_log = FieldAttribute(isa='bool')
++ _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
+ _always_run = FieldAttribute(isa='bool')
+ _run_once = FieldAttribute(isa='bool')
+ _ignore_errors = FieldAttribute(isa='bool')
+diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
+index ea8bb87..8ca03cd 100644
+--- a/lib/ansible/playbook/play_context.py
++++ b/lib/ansible/playbook/play_context.py
+@@ -432,10 +432,6 @@ class PlayContext(Base):
+ new_info.connection_user = new_info.remote_user
+ new_info.remote_user = pwd.getpwuid(os.getuid()).pw_name
+
+- # set no_log to default if it was not previously set
+- if new_info.no_log is None:
+- new_info.no_log = C.DEFAULT_NO_LOG
+-
+ if task.always_run:
+ display.deprecated("always_run is deprecated. Use check_mode = no instead.", version="2.4", removed=False)
+ new_info.check_mode = False
+diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
+new file mode 100644
+index 0000000..8a50880
+--- /dev/null
++++ b/test/integration/targets/no_log/no_log_config.yml
+@@ -0,0 +1,13 @@
++- hosts: testhost
++ gather_facts: false
++ tasks:
++ - debug:
++ no_log: true
++
++ - debug:
++ no_log: false
++
++ - debug:
++
++ - debug:
++ loop: '{{ range(3) }}'
+diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
+index e20bb08..b78dc94 100755
+--- a/test/integration/targets/no_log/runme.sh
++++ b/test/integration/targets/no_log/runme.sh
+@@ -7,3 +7,8 @@ set -eux
+
+ [ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" | awk \
+ 'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]
++
++# test variations on ANSIBLE_NO_LOG
++[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
++[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
++[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
+--
+2.33.0
+
diff --git a/ansible.spec b/ansible.spec
index c09abd4..43f6d1e 100644
--- a/ansible.spec
+++ b/ansible.spec
@@ -3,7 +3,7 @@
 Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.5.5
-Release: 6
+Release: 7
 License: Python-2.0 and MIT and GPL+
 Url: http://ansible.com
 Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@@ -22,6 +22,7 @@ Patch112: CVE-2019-10156-1.patch
 Patch113: CVE-2019-10156-2.patch
 Patch114: CVE-2020-1735.patch
 Patch115: CVE-2019-3828.patch
+Patch116: CVE-2024-0690.patch
 BuildArch: noarch
 Provides: ansible-fireball = %{version}-%{release}
 Obsoletes: ansible-fireball < 1.2.4
@@ -89,6 +90,7 @@ This package installs extensive documentation for ansible
 %patch113 -p1
 %patch114 -p1
 %patch115 -p1
+%patch116 -p1
 %if 0%{?with_python3}
 rm -rf %{py3dir}
 cp -a . %{py3dir}
@@ -149,6 +151,9 @@ cp -pr docs/docsite/rst .
 %endif
 %changelog
+* Mon Feb 05 2024 wangkai <13474090681@163.com> - 2.5.5-7
+- Fix CVE-2024-0690
+
 * Mon Feb 28 2022 wangkai - 2.5.5-6
 - Fix CVE-2019-3828
--
Gitee
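Review bot: The backported base.py hunk inside the added CVE-2024-0690.patch evaluates `C.DEFAULT_NO_LOG` at class-definition time (`_no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)`), but nothing in the patch shows that lib/ansible/playbook/base.py in this 2.5.5 tree already imports `ansible.constants as C`; if it does not, the module fails at import and every ansible invocation breaks, so that import should be confirmed before the package is built. The play_context.py hunk removes the only runtime fallback, so the field default becomes the sole source of no_log; whether a block- or play-level `no_log: true` is still inherited when a task's own value is that non-None default depends on how this tree's `Base` resolves parent attributes, and the existing `no_log_local.yml` "26/0" check in runme.sh is what guards it, so the no_log integration target should be run against 2.5.5 rather than relying on the upstream result. The patch header still says `[stable-2.14]` with an upstream Origin link, yet its context lines (`with_metaclass(BaseMeta, object)`, the `task.always_run` deprecation block) are already rebased onto the 2.5-era code; a one-line note in the patch header such as `Backport: hunks rebased by hand onto ansible 2.5.5` would spare the next maintainer from trying to re-apply the upstream commit verbatim.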