The Ansible platform suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access level into arbitrary code execution. The code execution can be triggered by interpolation of file names maliciously crafted as lookup plugin commands, in combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in the face of an attacker controlling variable data (whether fact data, with_fileglob data, or other sources), allowing an attacker to supply their own options to an action. The impact of this is dependent on the action module the attacker targets. For example, an attacker controlling variables passed to the copy or template actions would be able to trigger arbitrary code execution (in addition to simple information leakage) via the validate option's acceptance of arbitrary shell code.

Affected version: Ansible <= 1.6.6
Fixed version: Ansible >= 1.6.7
Credit: vulnerability report received from Brian Harring <ferringb AT gmail.com>.
CVEs: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)
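A toy model of the action-argument issue described above, added here as an illustration (it is not Ansible's code and not part of the original report). The parser, the `{{name}}` substitution, the task line and the file names are all constructed assumptions; it contrasts interpolating before parsing with parsing before interpolating.

```python
import re
import shlex

VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(text, variables):
    """Minimal stand-in for templating: substitute {{name}} with its value."""
    return VAR.sub(lambda m: str(variables[m.group(1)]), text)

def parse_kv(arg_string):
    """Split 'key=value key2=value2' into a dict of options."""
    opts = {}
    for token in shlex.split(arg_string):
        key, sep, value = token.partition("=")
        if sep:
            opts[key] = value
    return opts

def unsafe_args(template, variables):
    """Interpolate first, parse second: variable data can become option names."""
    return parse_kv(render(template, variables))

def safe_args(template, variables):
    """Parse first, interpolate second: option names come only from the task."""
    return {k: render(v, variables) for k, v in parse_kv(template).items()}

def injected_options(template, variables):
    """Option names that exist only because of interpolated data."""
    return set(unsafe_args(template, variables)) - set(parse_kv(template))

# Constructed sample: a copy-style task line and a file name from an
# untrusted source (for example a glob result). PLACEHOLDER is inert.
TASK = "src={{item}} dest=/etc/app.conf"
BENIGN = {"item": "files/app.conf"}
CRAFTED = {"item": "files/app.conf validate=PLACEHOLDER"}

if __name__ == "__main__":
    print("interpolate-then-parse:", unsafe_args(TASK, CRAFTED))
    print("parse-then-interpolate:", safe_args(TASK, CRAFTED))
    print("options added by data: ", injected_options(TASK, CRAFTED))
```
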
Tested 1.6.7, works okay on amd64 (same ebuild as 1.6.1).
+*ansible-1.6.7 (23 Jul 2014) + + 23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.1.ebuild, + +ansible-1.6.7.ebuild, +files/README.gentoo: + Version Bump + @arches, Please stable, testsuite is fine.
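Review bot: the ChangeLog entry text says only "Version Bump" although this bump carries the fix for the security issue tracked here; name the fix in the entry (CVE-2014-4966, CVE-2014-4967) so the reason is visible from the ChangeLog alone. The same entry also adds files/README.gentoo without a word on why; a short mention of what the README covers would help anyone reading the history later.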
ansible 1.6.8 is released, fixing a regression with "shell quoting introduced in the 1.6.7 security release. The same fix was merged into devel earlier in the day, so users experiencing issues with the command/shell modules should upgrade to resolve the issue." (https://groups.google.com/forum/#!topic/ansible-announce/NqGgSCEhJq0)

As I'm not using ansible I don't know how common this configuration is, but Caveat Emptor.
+*ansible-1.6.8 (23 Jul 2014) + + 23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.7.ebuild, + +ansible-1.6.8.ebuild: + Version BUmp +
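Review bot: the entry text is misspelled as "Version BUmp"; correct it to "Version Bump". Since the same entry removes ansible-1.6.7.ebuild on the day it was added, state the reason for replacing it in the entry rather than leaving a bare bump message.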
@arch teams, target is version 1.6.8.
We had this in our playbook:

    shell: find {{dir}} -type d -not -perm 2775 -exec chmod 2775 {} \;

This stopped working in 1.6.7 because of that bug. We tested on 1.6.8 and it works like before. Thanks for the bump.
Arches, please test and mark stable:
=app-admin/ansible-1.6.8
Target Keywords : "amd64 x86"
Thank you!
amd64/x86 stable.
Old vulnerable version has been dropped.
GLSA request filed.
Thanks, guys.
This issue was resolved and addressed in GLSA 201411-09 at http://security.gentoo.org/glsa/glsa-201411-09.xml by GLSA coordinator Sean Amoss (ackle).