author | Natanael Copa <ncopa@alpinelinux.org> | 2019-09-12 13:31:47 +0200 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-09-12 13:32:36 +0200 |
commit | c2ee36626b02eea017fc2f4b14191904f952bc5d (patch) | |
tree | 2a2ad1ee06cb6370db68f9198161b4178f8e1120 | |
parent | 7e54a7f5951458ed9cb54587080165d03b20d06d (diff) | |
main/ansible: backport fix for CVE-2019-10206
fixes #10755
-rw-r--r-- | main/ansible/APKBUILD | 11 | ||||
-rw-r--r-- | main/ansible/CVE-2019-10206.patch | 125 |
2 files changed, 133 insertions, 3 deletions
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index 8413cbb195..ab79ce646f 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
 pkgname=ansible
 pkgver=2.4.6.0
-pkgrel=0
+pkgrel=1
 pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
 url="https://ansible.com"
 arch="noarch"
@@ -13,10 +13,14 @@ _py=py2
 depends="python2 $_py-yaml $_py-paramiko $_py-jinja2 $_py-markupsafe $_py-crypto"
 makedepends="python2-dev py-setuptools"
 subpackages="$pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz
+	CVE-2019-10206.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   2.4.6.0-r1:
+#   - CVE-2019-10206
 #   2.4.6.0-r0:
 #   - CVE-2018-10855
 
@@ -39,4 +43,5 @@ package() {
 	install -m644 README.md "$pkgdir"/usr/share/doc/$pkgname
 }
 
-sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz"
+sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz
+cdc065686625c1724e1f286f2a4986920195c8714fea640c90b663499aa9e8709c52e11590b7816dcd753c68c5c5787d964056bdd8252bc06ff6ca1731a38bc2 CVE-2019-10206.patch"
diff --git a/main/ansible/CVE-2019-10206.patch b/main/ansible/CVE-2019-10206.patch
new file mode 100644
index 0000000000..004035ce5b
--- /dev/null
+++ b/main/ansible/CVE-2019-10206.patch
@@ -0,0 +1,125 @@
+From d0f7adc5c629475111cdf50bacdeccf247423cf2 Mon Sep 17 00:00:00 2001
+From: Brian Coca <bcoca@users.noreply.github.com>
+Date: Wed, 24 Jul 2019 16:00:20 -0400
+Subject: [PATCH 1/2] prevent templating of passwords from prompt (#59246)
+
+* prevent templating of passwords from prompt
+
+  fixes CVE-2019-10206
+
+(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
+---
+ .../fragments/dont_template_passwords_from_prompt.yml | 2 ++
+ lib/ansible/cli/__init__.py | 8 ++++++++
+ lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+ create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
+
+diff --git a/changelogs/fragments/dont_template_passwords_from_prompt.yml b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+new file mode 100644
+index 000000000000..86a0e6122f94
+--- /dev/null
++++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+@@ -0,0 +1,2 @@
++bugfixes:
++  - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
+diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
+index 380ddc4e2a43..76d652f7c8f0 100644
+--- a/lib/ansible/cli/__init__.py
++++ b/lib/ansible/cli/__init__.py
+@@ -42,6 +42,7 @@
+ from ansible.release import __version__
+ from ansible.utils.path import unfrackpath
+ from ansible.utils.vars import load_extra_vars, load_options_vars
++from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
+ from ansible.vars.manager import VariableManager
+ from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret
+ 
+@@ -342,6 +343,13 @@ def ask_passwords(self):
+         except EOFError:
+             pass
+ 
++        # we 'wrap' the passwords to prevent templating as
++        # they can contain special chars and trigger it incorrectly
++        if sshpass:
++            sshpass = AnsibleUnsafeBytes(sshpass)
++        if becomepass:
++            becomepass = AnsibleUnsafeBytes(becomepass)
++
+         return (sshpass, becomepass)
+ 
+     def normalize_become_options(self):
+diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py
+index 963798a08762..abefc1524914 100644
+--- a/lib/ansible/utils/unsafe_proxy.py
++++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -55,7 +55,7 @@
+ 
+ from collections import Mapping, MutableSequence, Set
+ 
+-from ansible.module_utils.six import string_types, text_type
++from ansible.module_utils.six import string_types, text_type, binary_type
+ from ansible.module_utils._text import to_text
+ 
+ 
+@@ -70,15 +70,18 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
+     pass
+ 
+ 
++class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
++    pass
++
++
+ class UnsafeProxy(object):
+     def __new__(cls, obj, *args, **kwargs):
+         # In our usage we should only receive unicode strings.
+         # This conditional and conversion exists to sanity check the values
+         # we're given but we may want to take it out for testing and sanitize
+         # our input instead.
+-        if isinstance(obj, string_types):
+-            obj = to_text(obj, errors='surrogate_or_strict')
+-            return AnsibleUnsafeText(obj)
++        if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
++            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+         return obj
+ 
+ 
+
+From 9f435f433ed5af11801a2b4c4da27ab413914b84 Mon Sep 17 00:00:00 2001
+From: Toshio Kuratomi <a.badger@gmail.com>
+Date: Wed, 7 Aug 2019 09:11:56 -0500
+Subject: [PATCH 2/2] Improve performane of UnsafeProxy __new__
+
+This adds an early return to the __new__ method of the UnsafeProxy object
+which avoids creating the unsafe object if the incoming object is already
+unsafe.
+
+(cherry picked from commit c1e23c22a9fedafaaa88c2119b26dc123ff1392e)
+(cherry picked from commit 490f17c7f959ce153765c1f033fdc30becf0faf7)
+---
+ lib/ansible/utils/unsafe_proxy.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py
+index abefc1524914..6221e7339390 100644
+--- a/lib/ansible/utils/unsafe_proxy.py
++++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -76,11 +76,17 @@ class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
+ 
+ class UnsafeProxy(object):
+     def __new__(cls, obj, *args, **kwargs):
++        if isinstance(obj, AnsibleUnsafe):
++            # Already marked unsafe
++            return obj
++
+         # In our usage we should only receive unicode strings.
+         # This conditional and conversion exists to sanity check the values
+         # we're given but we may want to take it out for testing and sanitize
+         # our input instead.
+-        if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
++        # Note that this does the wrong thing if we're *intentionall* passing a byte string to this
++        # function.
++        if isinstance(obj, string_types):
+             obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+         return obj
+ 
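Review bot: `AnsibleUnsafeBytes(sshpass)` in the backported `ask_passwords` hunk only works when the prompted value is already a byte string, because `AnsibleUnsafeBytes` subclasses `binary_type` and the call passes no encoding; that is consistent with the python2 build this APKBUILD declares (`_py=py2`, `depends="python2 ..."`), where the password prompt presumably yields `str`/bytes, but under a python3 interpreter the same call would raise `TypeError` instead of marking the password unsafe, and the later `# Note that this does the wrong thing if we're *intentionall* passing a byte string` comment in `UnsafeProxy.__new__` shows upstream was aware the bytes path is fragile. Worth recording that the patch is tied to the py2 build, e.g. next to the `source=` entry: `# CVE-2019-10206.patch wraps prompted passwords as AnsibleUnsafeBytes; relies on the py2 bytes prompt`. The body of `ask_passwords` starts outside the hunk, so where `sshpass` and `becomepass` originate cannot be confirmed from this page.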