From eb8390bad99e5904f4dd5dec22123a78500878f9 Mon Sep 17 00:00:00 2001
From: Dimitri Savineau
Date: Tue, 12 Nov 2024 16:21:05 -0500
Subject: [PATCH] ansible-core 2.16.13
Fix CVE-2024-8775 (Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging.
Fix CVE-2024-9902 (Ansible-core user may read/write unauthorized content)
This also adds back the ansible-test subpackage and drops the doc one.
Resolves: RHEL-69036
Resolves: RHEL-59076
Resolves: RHEL-69034
Signed-off-by: Dimitri Savineau
---
 .gitignore | 2 +
 ansible-core.spec | 212 +++++++++--------------------
 ansible-test-data-files.txt | 2 +
 gating.yaml | 9 +-
 sources | 4 +-
 tests/collections_path_warnings.sh | 54 --------
 tests/fedora.fmf | 16 ---
 tests/{smoke1.fmf => smoke.fmf} | 7 +-
 tests/smoke.sh | 40 ------
 tests/smoke2.fmf | 15 --
 10 files changed, 76 insertions(+), 285 deletions(-)
 create mode 100644 ansible-test-data-files.txt
 delete mode 100755 tests/collections_path_warnings.sh
 delete mode 100644 tests/fedora.fmf
 rename tests/{smoke1.fmf => smoke.fmf} (62%)
 delete mode 100755 tests/smoke.sh
 delete mode 100644 tests/smoke2.fmf
diff --git a/.gitignore b/.gitignore
index 43194d4..52fefaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,5 @@
 /ansible-documentation-2.16.2.tar.gz
 /ansible-core-2.16.3.tar.gz
 /ansible-documentation-2.16.3.tar.gz
+/ansible-documentation-2.16.13.tar.gz
+/ansible_core-2.16.13.tar.gz
diff --git a/ansible-core.spec b/ansible-core.spec
index 9a8bf98..cff9ef4 100644
--- a/ansible-core.spec
+++ b/ansible-core.spec
@@ -2,29 +2,31 @@
 # Copyright (C) Fedora Project Authors
 # License Text: https://spdx.org/licenses/MIT.html
-# several test dependencies are unwanted in RHEL
-%bcond tests %{undefined rhel}
+# Disable shebang munging for specific paths. These files are data files.
+# ansible-test munges the shebangs itself.
+%global __brp_mangle_shebangs_exclude_from_file %{SOURCE2}
-# controls whether to generate shell completions
-# may be useful for bootstrapping purposes
-%bcond argcomplete 1
-
-# disable the python -s shbang flag as we want to be able to find non system modules
-%undefine _py3_shebang_s
+# RHEL and Fedora add -s to the shebang line. We do *not* use -s -E -S or -I
+# with ansible because it has many optional features which users need to
+# install libraries on their own to use. For instance, paramiko for the
+# network connection plugins or winrm to talk to windows hosts.
+# Set this to nil to remove -s
+%define py3_shbang_opts %{nil}
 Name: ansible-core
 Summary: A radically simple IT automation system
 Epoch: 1
-Version: 2.16.3
-%global uversion %{version_no_tilde %{quote:%nil}}
-Release: 4%{?dist}
+Version: 2.16.13
+Release: 1%{?dist}
+Group: Development/Libraries
 # The main license is GPLv3+. Many of the files in lib/ansible/module_utils
 # are BSD licensed. There are various files scattered throughout the codebase
 # containing code under different licenses.
 License: GPL-3.0-or-later AND BSD-2-Clause AND PSF-2.0 AND MIT AND Apache-2.0
-Source0: https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz
-Source1: https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz
+Source0: https://files.pythonhosted.org/packages/source/a/ansible-core/ansible_core-%{version}.tar.gz
+Source1: https://github.com/ansible/ansible-documentation/archive/v%{version}/ansible-documentation-%{version}.tar.gz
+Source2: ansible-test-data-files.txt
 Url: https://ansible.com
 BuildArch: noarch
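Review bot: `%define py3_shbang_opts %{nil}` blanks every option the Python macros place in the shebang, not only `-s`, so if the target release's `py3_shbang_opts` also carries `-P` (which keeps the script's own directory, `/usr/bin` here, off `sys.path`) that hardening is dropped as well, while the comment above it only argues for removing `-s`. The line it replaces, `%undefine _py3_shebang_s`, removed exactly that one flag. If only `-s` is meant, restore `%undefine _py3_shebang_s` instead; otherwise extend the comment to state that `-P` and anything else in the macro is intentionally dropped too. The exact macro definition is not visible in this patch, so confirm against python-rpm-macros on RHEL 10 before choosing.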
@@ -48,42 +50,29 @@ Provides: bundled(python3dist(six)) = 1.16.0
 # SPDX-License-Identifier: GPL-3.0-or-later
 Provides: bundled(python3dist(selectors2)) = 1.1.1
-# lib/ansible/module_utils/compat/ipaddress.py
-# SPDX-License-Identifier: PSF-2.0
-Provides: bundled(python3dist(ipaddress)) = 1.0.22
+# We obsolete old ansible, and any version of ansible-base.
+Obsoletes: ansible < 2.10.0
+Obsoletes: ansible-base < 2.11.0
-Conflicts: ansible <= 2.9.99
-#
-# obsoletes/provides for ansible-base
-#
-Provides: ansible-base = %{version}-%{release}
-Obsoletes: ansible-base < 2.10.6-1
-
-BuildRequires: make
-BuildRequires: python%{python3_pkgversion}-devel
-# This is only used in %%prep to relax the required setuptools version,
-# which is not necessary in RHEL 10+.
-# Not using it in RHEL avoids unwanted dependencies.
-%if %{undefined rhel}
-BuildRequires: tomcli >= 0.3.0
-%endif
-# Needed to build manpages from source.
-BuildRequires: python%{python3_pkgversion}-docutils
-
-%if %{with tests}
 BuildRequires: git-core
-BuildRequires: glibc-all-langpacks
-BuildRequires: python%{python3_pkgversion}-systemd
-%endif
-
-%if %{with argcomplete}
-Requires: python%{python3_pkgversion}-argcomplete
-%endif
-%if 0%{?fedora} >= 39
-BuildRequires: python3-libdnf5
-Recommends: python3-libdnf5
-%endif
+BuildRequires: make
+BuildRequires: pyproject-rpm-macros
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-docutils
+BuildRequires: python%{python3_pkgversion}-jinja2
+BuildRequires: python%{python3_pkgversion}-pip
+BuildRequires: python%{python3_pkgversion}-pyyaml
+BuildRequires: python%{python3_pkgversion}-rpm-macros
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-wheel
+Requires: git-core
+Requires: python%{python3_pkgversion}-cryptography
+Requires: python%{python3_pkgversion}-jinja2 >= 3.0.0
+Requires: python%{python3_pkgversion}-packaging
+Requires: python%{python3_pkgversion}-pyyaml >= 5.1
+Requires: python%{python3_pkgversion}-resolvelib >= 0.5.3
+Requires: python%{python3_pkgversion}-resolvelib < 1.1.0
 %global _description %{expand:
 Ansible is a radically simple model-driven configuration management,
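Review bot: `Provides: ansible-base = %{version}-%{release}` is dropped while `Obsoletes: ansible-base < 2.11.0` stays, so a dependent that still names `ansible-base` can no longer be satisfied by this package even though it is the replacement; unless retiring that name on RHEL 10 is deliberate, keep `Provides: ansible-base = %{version}-%{release}` beside the Obsoletes. `Requires: git-core` also turns git into a hard runtime dependency of the engine on every controller, where `Recommends:` would do if ansible-galaxy's SCM installs are the only consumer; the reason for making it hard is not visible in this hunk. The `%global _description` block this hunk ends on continues outside the hunk.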
@@ -94,99 +83,30 @@ are transferred to managed machines automatically.}
 %description
 %_description
-This is the base part of ansible (the engine).
+%package -n ansible-test
+Summary: Tool for testing ansible plugin and module code
+Requires: %{name} = %{epoch}:%{version}-%{release}
-%package doc
-Summary: Documentation for Ansible Core
-Provides: ansible-base-doc = %{version}-%{release}
-Obsoletes: ansible-base-doc < 2.10.6-1
-
-%description doc
-%_description
-
-This package installs extensive documentation for ansible-core
+%description -n ansible-test
+%_description
+This package installs the ansible-test command for testing modules and plugins
+developed for ansible.
 %prep
-%autosetup -p1 -n ansible-%{uversion} -a1
-# Relax setuptools constraint on Fedora
-# Future RHELs have new enough setuptools
-%if %{undefined rhel}
-tomcli-set pyproject.toml lists replace \
- 'build-system.requires' 'setuptools >=.*' 'setuptools'
-%endif
-
-sed -i -s 's|/usr/bin/env python|%{python3}|' \
- bin/ansible-test \
- test/lib/ansible_test/_util/target/cli/ansible_test_cli_stub.py
-
-
-# TODO: Investigate why hostname is the only module that still has a shebang
-# and file an upstream issue if needed.
-sed -i -e '1{\@^#!.*@d}' lib/ansible/modules/hostname.py
-
-sed '/^mock$/d' test/lib/ansible_test/_data/requirements/units.txt > _requirements.txt
-
-
-%generate_buildrequires
-%pyproject_buildrequires %{?with_tests:_requirements.txt test/units/requirements.txt}
-%if %{with argcomplete}
-# Shell completions
-echo 'python%{python3_pkgversion}-argcomplete'
-%endif
+%autosetup -n ansible_core-%{version} -a1
+# Fix all Python shebangs recursively in ansible-test
+%{py3_shebang_fix} test/lib/ansible_test
 %build
-%pyproject_wheel
+%{pyproject_wheel}
 # Build manpages
 mkdir -p docs/man/man1
 %{python3} packaging/cli-doc/build.py man --output-dir docs/man/man1
-
-%if %{with argcomplete}
-# Build shell completions
-(
- cd bin
- for shell in bash fish; do
- mkdir -p "../${shell}_completions"
- for bin in *; do
- if grep -q PYTHON_ARGCOMPLETE_OK "${bin}"; then
- case "${shell}" in
- bash)
- format="${bin}"
- ;;
- fish)
- format="${bin}.${shell}"
- ;;
- esac
- register-python-argcomplete --shell "${shell}" "${bin}" > "../${shell}_completions/${format}"
- else
- echo "Skipped generating completions for ${bin}"
- fi
- done
- done
-)
-%endif
-
-
 %install
-%pyproject_install
-%pyproject_save_files ansible ansible_test
-
-# These files are executable when they shouldn't be.
-# Only the actual "binaries" in %%{_bindir} need to be executable
-# and have shebangs.
-while read -r file; do
- sed -i -e '1{\@^#!.*@d}' "${file}"
-done < <(find \
- %{buildroot}%{python3_sitelib}/ansible/cli/*.py \
- %{buildroot}%{python3_sitelib}/ansible/cli/scripts/ansible_connection_cli_stub.py \
- -type f ! -executable)
-
-%if %{with argcomplete}
-install -Dpm 0644 bash_completions/* -t %{buildroot}%{bash_completions_dir}
-install -Dpm 0644 fish_completions/* -t %{buildroot}%{fish_completions_dir}
-%endif
+%{pyproject_install}
 # Create system directories that Ansible defines as default locations in
 # ansible/config/base.yml
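Review bot: `%{py3_shebang_fix} test/lib/ansible_test` rewrites every Python shebang under that tree, whereas the `sed` it replaces deliberately touched only `bin/ansible-test` and `_util/target/cli/ansible_test_cli_stub.py`, and the new `__brp_mangle_shebangs_exclude_from_file` entry says the `_data`/`_util` files are data that ansible-test munges itself. Rewriting them here to the build host's `%{python3}` appears to contradict that exclusion and may pin scripts ansible-test ships to its test targets to an interpreter path those targets lack; narrow it, e.g. `%{py3_shebang_fix} test/lib/ansible_test/_util/target/cli/ansible_test_cli_stub.py`, or document why the blanket rewrite is wanted. `%autosetup` also lost `-p1`; harmless while the spec carries no `Patch:` lines, but the first backported fix will need it back. The `%install` section this hunk ends in continues past the hunk.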
@@ -212,7 +132,7 @@ DATADIR_LOCATIONS='%{_datadir}/ansible/collections
 %{_datadir}/ansible/plugins/test
 %{_datadir}/ansible/plugins/vars'
-UPSTREAM_DATADIR_LOCATIONS=$(grep -ri default lib/ansible/config/base.yml| tr ':' '\n' | grep '/usr/share/ansible')
+UPSTREAM_DATADIR_LOCATIONS=$(grep -ri default lib/ansible/config/base.yml | tr ':' '\n' | grep '/usr/share/ansible')
 if [ "$SYSTEM_LOCATIONS" != "$UPSTREAM_SYSTEM_LOCATIONS" ] ; then
 echo "The upstream Ansible datadir locations have changed. Spec file needs to be updated"
@@ -226,8 +146,8 @@ done
 mkdir -p %{buildroot}%{_sysconfdir}/ansible/
 mkdir -p %{buildroot}%{_sysconfdir}/ansible/roles/
-cp ansible-documentation-%{uversion}/examples/hosts %{buildroot}/etc/ansible/
-cp ansible-documentation-%{uversion}/examples/ansible.cfg %{buildroot}/etc/ansible/
+cp ansible-documentation-%{version}/examples/hosts %{buildroot}%{_sysconfdir}/ansible/
+cp ansible-documentation-%{version}/examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
 mkdir -p %{buildroot}/%{_mandir}/man1
 cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
@@ -239,14 +159,8 @@ cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
 %global _pkglicensedir %{_licensedir}/ansible-core
 install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
-%check
-%if %{with tests}
-%{python3} bin/ansible-test \
- units --local --python-interpreter %{python3} -vv
-%endif
-
-
-%files -f %{pyproject_files}
+%files
+%defattr(-,root,root)
 %license COPYING
 %license %{_pkglicensedir}/{Apache-License,MIT-license,PSF-license,simplified_bsd}.txt
 %doc README.md changelogs/CHANGELOG-v2.1?.rst
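Review bot: The `%check` section is deleted outright rather than left gated, so nothing in the build exercises the installed package any more — not the unit tests that ran under `%{with tests}`, and not even an import of the module tree whose two CVE fixes this update ships. A dependency-free check would still catch a broken install or a shebang rewritten to a missing interpreter; add back `%check` followed by `%py3_check_import ansible ansible_test`. `%defattr(-,root,root)` in the new `%files` is a no-op on current rpmbuild and can be dropped.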
@@ -254,20 +168,24 @@ install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
 %config(noreplace) %{_sysconfdir}/ansible/*
 %{_bindir}/ansible*
 %{_datadir}/ansible/
-%if %{with argcomplete}
-%{bash_completions_dir}/ansible*
-%{fish_completions_dir}/ansible*.fish
-%endif
 %{_mandir}/man1/ansible*
+%{python3_sitelib}/ansible*
+%exclude %{_bindir}/ansible-test
+%exclude %{python3_sitelib}/ansible_test
-%files doc
-%doc ansible-documentation-%{uversion}/docs/docsite/rst
-%if %{with docs}
-%doc ansible-documentation-%{uversion}/docs/docsite/_build/html
-%endif
-
+%files -n ansible-test
+%{_bindir}/ansible-test
+%{python3_sitelib}/ansible_test
 %changelog
+* Tue Nov 26 2024 Dimitri Savineau - 1:2.16.13-1
+- ansible-core 2.16.13 release (RHEL-69036)
+- Add back ansible-test subpackage and drop doc subpackage
+- Fix CVE-2024-8775 (Exposure of Sensitive Information in Ansible
+ Vault Files Due to Improper Logging) (RHEL-59076)
+- Fix CVE-2024-9902 (Ansible-core user may read/write unauthorized
+ content) (RHEL-69034)
+
 * Tue Oct 29 2024 Troy Dawson - 1:2.16.3-4
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018
diff --git a/ansible-test-data-files.txt b/ansible-test-data-files.txt
new file mode 100644
index 0000000..3f785f2
--- /dev/null
+++ b/ansible-test-data-files.txt
@@ -0,0 +1,2 @@
+/usr/lib/python[0-9]+\.[0-9]+/site-packages/ansible_test/_data/.*
+/usr/lib/python[0-9]+\.[0-9]+/site-packages/ansible_test/_util/.*
diff --git a/gating.yaml b/gating.yaml
index 5480e33..0184a84 100644
--- a/gating.yaml
+++ b/gating.yaml
@@ -1,10 +1,7 @@
 --- !Policy
 product_versions:
- - fedora-*
-decision_contexts:
- - bodhi_update_push_testing
- - bodhi_update_push_stable
-subject_type: koji_build
+ - rhel-10
+decision_context: osci_compose_gate
 rules:
- - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+ - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
 ...
diff --git a/sources b/sources
index d2cc7c9..63f71ec 100644
--- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ansible-core-2.16.3.tar.gz) = 2bc88dbd2d30e50cb999bf8c744070accc042a2c4f1317558ee3edae45592002a0595ba57c3d89d1cc92e512d462734a241e3e392475326d44b8c2ee3c4aa0b0 -SHA512 (ansible-documentation-2.16.3.tar.gz) = c073b0b961e38bee560be78e2c12534facec891f6e375df14fdcaf99241f711cf6955ee58b936f7f23ab62a732d2dbde5fd279976989be06e747c2bf3db41661 +SHA512 (ansible_core-2.16.13.tar.gz) = 54435f9973137461887b5cc542ab92d520236bea3f6fb65cb4c785c2fc322612a6e8c65adb26f5027f8d521149f09d3271cd0d6c0af4d5724f256af15b7dd4c3 +SHA512 (ansible-documentation-2.16.13.tar.gz) = 2fe14706af4def874549b99de3e701ca00afa7cc0c6dc6adb6253872f338f2c54ec2325f3ea6322afcb48342bdb4d680825af50a02169799a6ae55640e9b9167 diff --git a/tests/collections_path_warnings.sh b/tests/collections_path_warnings.sh deleted file mode 100755 index c4409e1..0000000 --- a/tests/collections_path_warnings.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/usr/bin/bash - -set -xeuo pipefail - -export NO_COLOR=1 - -TMP=$(mktemp -d) - -trap "rm -rf $TMP" EXIT - -testcase() { - set +x - echo - echo - echo "$1" - echo - echo - set -x -} - -fix_log() { - tr '\n' ' ' inventory -[all] -localhost ansible_connection=local -EOF -export ANSIBLE_INVENTORY=inventory - -chroot="fedora-rawhide-x86_64" - -ansible localhost -bm setup |& tee out - -if ! grep Fedora out; then - chroot="epel-9-x86_64" -fi - -ansible localhost -b \ - -m package \ - -a name=filesystem \ - |& tee out -grep -F 'localhost | SUCCESS' out -(! grep -F 'localhost | CHANGED' out) - -ansible localhost -b \ - -m community.general.copr \ - -a "name=gotmax23/community.general.copr_integration_tests chroot=${chroot}" \ - |& tee out -grep -F 'localhost | CHANGED' out - -ansible localhost -b \ - -m package \ - -a name=copr-module-integration-dummy-package \ - |& tee out -grep -F 'localhost | CHANGED' out - -rpm -ql copr-module-integration-dummy-package 
diff --git a/tests/smoke2.fmf b/tests/smoke2.fmf deleted file mode 100644 index cfd06d1..0000000 --- a/tests/smoke2.fmf +++ /dev/null @@ -1,15 +0,0 @@ -summary: Run smoke tests with the standalone ansible-collection-community-general installed -discover: - - name: Smoke tests with community.general - how: shell - tests: - - name: Run tests/smoke.sh - test: tests/smoke.sh - require: - - python3 - - python3-dnf - - dnf-plugins-core - - ansible-core - - ansible-collection-community-general -execute: - how: tmt