rpms/ansible-core
6
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Mitigate CVE-2024-0690.

Browse Source
This commit is contained in:
Maxwell G 2024-01-18 23:55:36 +00:00
parent 4050056a1b
commit 6e04299ce9
No known key found for this signature in database
GPG Key ID: F79E4E25E8C661F8
2 changed files with 91 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
CVE-2024-0690.patch Normal file
View File

@ -0,0 +1,85 @@
From b9a03bbf5a63459468baf8895ff74a62e9be4532 Mon Sep 17 00:00:00 2001
From: Matt Martz <matt@sivel.net>
Date: Thu, 18 Jan 2024 17:41:55 -0600
Subject: [PATCH] [stable-2.16] Ensure ANSIBLE_NO_LOG is respected
(CVE-2024-0690) (#82565) (#82566)
(cherry picked from commit 6935c8e)
---
changelogs/fragments/cve-2024-0690.yml | 2 ++
lib/ansible/playbook/base.py | 2 +-
lib/ansible/playbook/play_context.py | 4 ----
test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
test/integration/targets/no_log/runme.sh | 5 +++++
5 files changed, 21 insertions(+), 5 deletions(-)
create mode 100644 changelogs/fragments/cve-2024-0690.yml
create mode 100644 test/integration/targets/no_log/no_log_config.yml
diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
new file mode 100644
index 00000000000000..0e030d88864ca5
--- /dev/null
+++ b/changelogs/fragments/cve-2024-0690.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
index d08b826772bcfc..81ce502b9c3886 100644
--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
@@ -731,7 +731,7 @@ class Base(FieldAttributeBase):
# flags and misc. settings
environment = FieldAttribute(isa='list', extend=True, prepend=True)
- no_log = FieldAttribute(isa='bool')
+ no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
run_once = FieldAttribute(isa='bool')
ignore_errors = FieldAttribute(isa='bool')
ignore_unreachable = FieldAttribute(isa='bool')
diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
index d9bb040ed0e810..af65e86f496ed9 100644
--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
@@ -318,10 +318,6 @@ def set_task_and_variable_override(self, task, variables, templar):
display.warning('The "%s" connection plugin has an improperly configured remote target value, '
'forcing "inventory_hostname" templated value instead of the string' % new_info.connection)
- # set no_log to default if it was not previously set
- if new_info.no_log is None:
- new_info.no_log = C.DEFAULT_NO_LOG
-
if task.check_mode is not None:
new_info.check_mode = task.check_mode
diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
new file mode 100644
index 00000000000000..8a5088059db424
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_config.yml
@@ -0,0 +1,13 @@
+- hosts: testhost
+ gather_facts: false
+ tasks:
+ - debug:
+ no_log: true
+
+ - debug:
+ no_log: false
+
+ - debug:
+
+ - debug:
+ loop: '{{ range(3) }}'
diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
index 795730bddd78f4..bf764bf9abc588 100755
--- a/test/integration/targets/no_log/runme.sh
+++ b/test/integration/targets/no_log/runme.sh
@@ -19,3 +19,8 @@ set -eux
# test invalid data passed to a suboption
[ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ]
+
+# test variations on ANSIBLE_NO_LOG
+[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]

7
ansible-core.spec
View File

@ -16,7 +16,7 @@ Name: ansible-core
Summary: A radically simple IT automation system Summary: A radically simple IT automation system
Version: 2.16.2 Version: 2.16.2
%global uversion %{version_no_tilde %{quote:%nil}} %global uversion %{version_no_tilde %{quote:%nil}}
Release: 1%{?dist} Release: 2%{?dist}
# The main license is GPLv3+. Many of the files in lib/ansible/module_utils # The main license is GPLv3+. Many of the files in lib/ansible/module_utils
# are BSD licensed. There are various files scattered throughout the codebase # are BSD licensed. There are various files scattered throughout the codebase
# containing code under different licenses. # containing code under different licenses.
@ -24,6 +24,8 @@ License: GPL-3.0-or-later AND BSD-2-Clause AND PSF-2.0 AND MIT AND Apache-2.0
Source0: https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz Source0: https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz
Source1: https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz Source1: https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz
# Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82566)
Patch: https://github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532.patch#/CVE-2024-0690.patch
Url: https://ansible.com Url: https://ansible.com
BuildArch: noarch BuildArch: noarch
@ -267,6 +269,9 @@ install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
%changelog %changelog
* Thu Jan 18 2024 Maxwell G <maxwell@gtmx.me> - 2.16.2-2
- Mitigate CVE-2024-0690.
* Mon Dec 11 2023 Maxwell G <maxwell@gtmx.me> - 2.16.2-1 * Mon Dec 11 2023 Maxwell G <maxwell@gtmx.me> - 2.16.2-1
- Update to 2.16.2. Fixes rhbz#2254093. - Update to 2.16.2. Fixes rhbz#2254093.