Hello community, here is the log from the commit of package ansible for openSUSE:Factory checked in at 2019-08-09 16:53:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ansible (Old) and /work/SRC/openSUSE:Factory/.ansible.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ansible" Fri Aug 9 16:53:56 2019 rev:51 rq:721780 version:2.8.3 Changes: -------- --- /work/SRC/openSUSE:Factory/ansible/ansible.changes 2019-06-19 21:08:44.674529825 +0200 +++ /work/SRC/openSUSE:Factory/.ansible.new.9556/ansible.changes 2019-08-09 16:54:02.973459129 +0200 @@ -1,0 +2,19 @@ +Wed Aug 7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com> + +- Update to version 2.8.3: + Full changelog is packaged, but also at + https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8... +- (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing + CVE-2019-10206: ansible-playbook -k and ansible cli tools + prompt passwords by expanding them from templates as they could + contain special characters. Passwords should be wrapped to + prevent templates trigger and exposing them. +- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch + CVE-2019-10217: Fields managing sensitive data should be set as + such by no_log feature. Some of these fields in GCP modules are + not set properly. service_account_contents() which is common + class for all gcp modules is not setting no_log to True. Any + sensitive data managed by that function would be leak as an + output when running ansible playbooks. + +------------------------------------------------------------------- Old: ---- ansible-2.8.1.tar.gz New: ---- CVE-2019-10206-data-disclosure.patch CVE-2019-10217-gcp-modules-sensitive-fields.patch ansible-2.8.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ansible.spec ++++++ --- /var/tmp/diff_new_pack.OpVsfm/_old 2019-08-09 16:54:04.117458855 +0200 +++ /var/tmp/diff_new_pack.OpVsfm/_new 2019-08-09 16:54:04.121458854 +0200 @@ -36,7 +36,7 @@ BuildArch: noarch %endif Name: ansible -Version: 2.8.1 +Version: 2.8.3 Release: 0 Summary: Software automation engine License: GPL-3.0-or-later @@ -44,6 +44,12 @@ Url: https://ansible.com/ Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz Source99: ansible-rpmlintrc +# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com +# prevent templating of passwords from prompt gh#ansible/ansible#59552 +Patch0: CVE-2019-10206-data-disclosure.patch +# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com +# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly +Patch1: CVE-2019-10217-gcp-modules-sensitive-fields.patch # SuSE/openSuSE %if 0%{?suse_version} %if %{with python3} @@ -65,7 +71,6 @@ BuildRequires: %{python}-PyYAML BuildRequires: %{python}-paramiko BuildRequires: %{python}-pycrypto >= 2.6 -BuildRequires: fdupes Requires: %{python}-Jinja2 Requires: %{python}-PyYAML Requires: %{python}-paramiko @@ -109,6 +114,7 @@ BuildRequires: perl(Exporter) %endif %if 0%{?fedora} >= 18 +BuildRequires: fdupes BuildRequires: python-devel BuildRequires: python-setuptools Requires: PyYAML @@ -130,6 +136,9 @@ %prep %setup -q -n ansible-%{version} +%patch0 -p1 +%patch1 -p1 + find . -name .git_keep -delete find contrib/ -type f -exec chmod 644 {} + @@ -145,9 +154,6 @@ mkdir -p %{buildroot}/%{_mandir}/man1/ cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/ mkdir -p %{buildroot}/%{_datadir}/ansible -%if 0%{?suse_version} >= 01130 -%fdupes %{buildroot}/%{python_sitelib}/ansible/ -%endif %files %defattr(-,root,root,-) ++++++ CVE-2019-10206-data-disclosure.patch ++++++
From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001 From: Brian Coca <bcoca@users.noreply.github.com> Date: Wed, 24 Jul 2019 16:00:20 -0400 Subject: [PATCH] prevent templating of passwords from prompt (#59246)
* prevent templating of passwords from prompt fixes CVE-2019-10206 (cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b) --- .../fragments/dont_template_passwords_from_prompt.yml | 2 ++ lib/ansible/cli/__init__.py | 8 ++++++++ lib/ansible/utils/unsafe_proxy.py | 11 +++++++---- 3 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml --- /dev/null +++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml @@ -0,0 +1,2 @@ +bugfixes: + - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters. --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -29,6 +29,7 @@ from ansible.release import __version__ from ansible.utils.collection_loader import set_collection_playbook_paths from ansible.utils.display import Display from ansible.utils.path import unfrackpath +from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes from ansible.vars.manager import VariableManager @@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object except EOFError: pass + # we 'wrap' the passwords to prevent templating as + # they can contain special chars and trigger it incorrectly + if sshpass: + sshpass = AnsibleUnsafeBytes(sshpass) + if becomepass: + becomepass = AnsibleUnsafeBytes(becomepass) + return (sshpass, becomepass) def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False): --- a/lib/ansible/utils/unsafe_proxy.py +++ b/lib/ansible/utils/unsafe_proxy.py @@ -53,7 +53,7 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type -from ansible.module_utils.six import string_types, text_type +from ansible.module_utils.six import string_types, text_type, binary_type from ansible.module_utils._text import to_text from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set @@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib pass +class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe): + pass + + class UnsafeProxy(object): def __new__(cls, obj, *args, **kwargs): # In our usage we should only receive unicode strings. # This conditional and conversion exists to sanity check the values # we're given but we may want to take it out for testing and sanitize # our input instead. - if isinstance(obj, string_types): - obj = to_text(obj, errors='surrogate_or_strict') - return AnsibleUnsafeText(obj) + if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes): + obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict')) return obj ++++++ CVE-2019-10217-gcp-modules-sensitive-fields.patch ++++++
From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde <akasurde@redhat.com> Date: Tue, 23 Jul 2019 14:14:13 +0530 Subject: [PATCH] gcp_utils: Handle JSON decode exception
Handle json.loads exception rather than providing stacktrace Fixes: #56269 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> --- lib/ansible/module_utils/gcp_utils.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/lib/ansible/module_utils/gcp_utils.py +++ b/lib/ansible/module_utils/gcp_utils.py @@ -18,7 +18,7 @@ except ImportError: from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible.module_utils.six import string_types -from ansible.module_utils._text import to_text +from ansible.module_utils._text import to_text, to_native import ast import os import json @@ -157,7 +157,12 @@ class GcpSession(object): path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes']) elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'): - cred = json.loads(self.module.params.get('service_account_contents')) + try: + cred = json.loads(self.module.params.get('service_account_contents')) + except json.decoder.JSONDecodeError as e: + self.module.fail_json( + msg="Unable to decode service_account_contents as JSON : %s" % to_native(e) + ) return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes']) elif cred_type == 'machineaccount': return google.auth.compute_engine.Credentials( ++++++ ansible-2.8.1.tar.gz -> ansible-2.8.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/ansible/ansible-2.8.1.tar.gz /work/SRC/openSUSE:Factory/.ansible.new.9556/ansible-2.8.3.tar.gz differ: char 5, line 1