diff --git a/CVE-2024-0690.patch b/CVE-2024-0690.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e96ab50a836759437ba4ccd6c035b1baa2185428
--- /dev/null
+++ b/CVE-2024-0690.patch
@@ -0,0 +1,91 @@
+From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
+From: Matt Martz
+Date: Thu, 18 Jan 2024 17:17:23 -0600
+Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
+ (CVE-2024-0690) (#82565) (#82568)
+
+Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
+
+(cherry picked from commit 6935c8e)
+
+---
+ changelogs/fragments/cve-2024-0690.yml | 2 ++
+ lib/ansible/playbook/base.py | 2 +-
+ lib/ansible/playbook/play_context.py | 4 ----
+ test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
+ test/integration/targets/no_log/runme.sh | 5 +++++
+ 5 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 changelogs/fragments/cve-2024-0690.yml
+ create mode 100644 test/integration/targets/no_log/no_log_config.yml
+
+diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
+new file mode 100644
+index 00000000..0e030d88
+--- /dev/null
++++ b/changelogs/fragments/cve-2024-0690.yml
+@@ -0,0 +1,2 @@
++security_fixes:
++- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
+diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
+index 0f4dc4e4..172963a2 100644
+--- a/lib/ansible/playbook/base.py
++++ b/lib/ansible/playbook/base.py
+@@ -613,7 +613,7 @@ class Base(FieldAttributeBase):
+ 
+ # flags and misc.
settings + _environment = FieldAttribute(isa='list', extend=True, prepend=True) +- _no_log = FieldAttribute(isa='bool') ++ _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG) + _run_once = FieldAttribute(isa='bool') + _ignore_errors = FieldAttribute(isa='bool') + _ignore_unreachable = FieldAttribute(isa='bool') +diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py +index 10dd57aa..5b8b2852 100644 +--- a/lib/ansible/playbook/play_context.py ++++ b/lib/ansible/playbook/play_context.py +@@ -318,10 +318,6 @@ class PlayContext(Base): + if not new_info.connection_user: + new_info.connection_user = new_info.remote_user + +- # set no_log to default if it was not previously set +- if new_info.no_log is None: +- new_info.no_log = C.DEFAULT_NO_LOG +- + if task.check_mode is not None: + new_info.check_mode = task.check_mode + +diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml +new file mode 100644 +index 00000000..8a508805 +--- /dev/null ++++ b/test/integration/targets/no_log/no_log_config.yml +@@ -0,0 +1,13 @@ ++- hosts: testhost ++ gather_facts: false ++ tasks: ++ - debug: ++ no_log: true ++ ++ - debug: ++ no_log: false ++ ++ - debug: ++ ++ - debug: ++ loop: '{{ range(3) }}' +diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh +index bb5c048f..8bfe019b 100755 +--- a/test/integration/targets/no_log/runme.sh ++++ b/test/integration/targets/no_log/runme.sh +@@ -19,3 +19,8 @@ set -eux + + # test invalid data passed to a suboption + [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ] ++ ++# test variations on ANSIBLE_NO_LOG ++[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] ++[ "$(ANSIBLE_NO_LOG=0 
ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] ++[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ] +-- +2.33.0 + diff --git a/ansible.spec b/ansible.spec index 2b0afc74089f2e6af9c06e569fcaa8bc49532f90..739e7c25ccbd9edaf6fa9a637f286cc0a130ec60 100644 --- a/ansible.spec +++ b/ansible.spec @@ -1,5 +1,4 @@ %global with_docs 0 -%global with_python3 1 %global common_desc \ Ansible is a radically simple model-driven configuration management,\ multi-node deployment, and remote task execution system. Ansible works \ 
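Review bot: The embedded patch is the `[stable-2.14]` backport of upstream beb04bc2642c and its hunk contexts (`@@ -613,7 +613,7 @@ class Base(FieldAttributeBase):`, `@@ -318,10 +318,6 @@ class PlayContext(Base):`) carry 2.14 line numbers, yet it is applied unchanged to the 2.9.27 tarball named in `Source0`. Because `%prep` now uses `%autosetup -p1`, a build that completes is the only evidence that both `lib/ansible/playbook/base.py` and `play_context.py` in 2.9.27 still match (under rpm's default `%_default_patch_fuzz`, if the distro has not raised it), so I would record that check in the patch header, e.g. `Verified to apply to ansible-2.9.27: base.py and play_context.py hunks apply without fuzz`, rather than leaving only the upstream `Origin:` line. The regression coverage the patch adds (`no_log_config.yml` plus the three `ANSIBLE_NO_LOG` assertions in `runme.sh`) is an integration test that needs `ansible-playbook` and an inventory, and no `%check` stanza appears in the spec hunks shown, so the fix itself is not exercised at package build time. If a `%check` exists outside this diff, confirming it at least imports `ansible.playbook.base` would make sure the new `default=C.DEFAULT_NO_LOG` reference is evaluated on the 2.9 code base.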
@@ -11,41 +10,34 @@ Name: ansible Summary: SSH-based configuration management, deployment, and task execution system Version: 2.9.27 -Release: 2 +Release: 4 License: Python-2.0 and MIT and GPL+ Url: http://ansible.com Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz Patch0: hostname-module-support-openEuler.patch +Patch1: CVE-2024-0690.patch BuildArch: noarch Provides: ansible-fireball = %{version}-%{release} Obsoletes: ansible-fireball < 1.2.4 -BuildRequires: python3-jinja2 python3-devel python3-packaging python3-pyyaml +BuildRequires: python3-jinja2 python3-devel python3-packaging python3-pyyaml python3-setuptools +BuildRequires: python3-PyYAML python3-paramiko python3-cryptography +BuildRequires: python3-pexpect python3-pywinrm git-core +BuildRequires: python3-six python3-pytest python3-pytest-xdist +BuildRequires: python3-pytest-mock python3-requests python3-coverage python3-mock +BuildRequires: python3-boto3 python3-botocore python3-passlib Requires: python3-PyYAML python3-cryptography python3-paramiko Requires: python3-setuptools python3-six sshpass python3-httplib2 Requires: python3-jmespath python3-jinja2 Recommends: %{name}-help = %{version}-%{release} -%description -%{common_desc} -%if 0%{?with_python3} Provides: ansible-python3 = %{version}-%{release} Obsoletes: ansible-python3 < %{version}-%{release} -BuildRequires: python3-devel python3-setuptools -BuildRequires: python3-PyYAML python3-paramiko python3-cryptography python3-packaging -BuildRequires: python3-pexpect python3-winrm -BuildRequires: git-core %if %with_docs BuildRequires: python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif -BuildRequires: python3-six python3-nose python3-pytest python3-pytest-xdist -BuildRequires: python3-pytest-mock python3-requests python3-coverage python3-mock -BuildRequires: python3-boto3 python3-botocore python3-passlib python3-jinja2 -Requires: python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six -Requires: 
python3-jinja2 sshpass python3-jmespath %description %{common_desc} -%endif %package -n ansible-help Summary: Documentation for Ansible @@ -55,15 +47,11 @@ Obsoletes: %{name}-doc < %{name}-%{release} %{common_desc} %prep -%setup -q -%patch0 -p1 -%if 0%{?with_python3} +%autosetup -p1 rm -rf %{py3dir} cp -a . %{py3dir} -%endif %build -%if 0%{?with_python3} pushd %{py3dir} %py3_build %if %with_docs @@ -71,10 +59,8 @@ pushd %{py3dir} make PYTHON=/usr/bin/python3 SPHINXBUILD=sphinx-build-3 webdocs %endif popd -%endif %install -%if 0%{?with_python3} pushd %{py3dir} %{__python3} setup.py install --root=$RPM_BUILD_ROOT popd @@ -84,7 +70,6 @@ for i in $RPM_BUILD_ROOT/%{_bindir}/ansible* ; do ln -s %{_bindir}/$(basename $i)-%{python3_version} $i-3 fi done -%endif mkdir -p $RPM_BUILD_ROOT/etc/ansible/ mkdir -p $RPM_BUILD_ROOT/etc/ansible/roles/ cp examples/hosts $RPM_BUILD_ROOT/etc/ansible/ @@ -105,9 +90,7 @@ cp -pr docs/docsite/rst . %{_bindir}/ansible* %config(noreplace) %{_sysconfdir}/ansible/ %doc %{_mandir}/man1/ansible* -%if 0%{?with_python3} %{python3_sitelib}/ansible* -%endif %files -n ansible-help %doc rst @@ -116,6 +99,12 @@ cp -pr docs/docsite/rst . %endif %changelog +* Mon Feb 05 2024 wangkai <13474090681@163.com> - 2.9.27-4 +- Fix CVE-2024-0690 + +* Wed Apr 19 2023 liyanan - 2.9.27-3 +- Remove with_python3 macros and python3-nose buildRequire + * Fri Mar 18 2022 huangtianhua - 2.9.27-2 - Remove require python-keyczar and modify require crypto to cryptography
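Review bot: `Patch1: CVE-2024-0690.patch` is introduced with no provenance comment, although the file it names is a stable-2.14 backport being carried on 2.9.27; a line above it such as `# CVE-2024-0690: backport of upstream stable-2.14 commit beb04bc2642c (ANSIBLE_NO_LOG was ignored)` tells the next rebase where to look when the hunks stop applying. The same point applies to the `%prep` hunk (`@@ -55,15 +47,11 @@`), where `%setup -q` + `%patch0 -p1` becomes `%autosetup -p1`: that applies every `PatchN:` in declaration order, so a future patch needing a different `-p` level or ordering is no longer caught by an explicit `%patchN` line, and the comment on each `PatchN:` becomes the only place that intent is recorded. Minor: the new `BuildRequires` lines list both `python3-pyyaml` (kept on the first line) and `python3-PyYAML` (added on the second); the `Requires:` line uses the `python3-PyYAML` spelling, so I would keep one spelling in `BuildRequires` after confirming which package name the target repository actually provides.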