Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 516564 (CVE-2014-4657)

Summary: <app-admin/ansible-1.6.8: Unspecified Arbitrary Code Execution Vulnerabilities (CVE-2014-{4657,4678}
Product: Gentoo Security Reporter: Tomáš Mózes <hydrapolic>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jlec, pinkbyte
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/59412/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 517770    
Bug Blocks:    

Description Tomáš Mózes 2014-07-07 05:33:54 UTC 
Ebuild for 1.6.1 works for 1.6.6 (tested on amd64).

1.6.6 "And the Cradle Will Rock" - Jul 01, 2014

    Security updates to further protect against the incorrect execution of untrusted data

1.6.5 "And the Cradle Will Rock" - Jun 25, 2014

    Additional tweaks to prevent the incorrect execution of untrusted data

1.6.4 "And the Cradle Will Rock" - Jun 25, 2014

    Security update to prevent local operations from executing as the result of specifically crafted untrusted data

1.6.3 "And the Cradle Will Rock" - Jun 09, 2014

    Corrects a regression where handlers were run across all hosts, not just those that triggered the handler.
    Fixed a bug in which modules did not support properly moving a file atomically when su was in use.
    Fixed two bugs related to symlinks with directories when using the file module.
    Fixed a bug related to MySQL master replication syntax.
    Corrects a regression in the order of variable merging done by the internal runner code.
    Various other minor bug fixes.

1.6.2 "And the Cradle Will Rock" - May 23, 2014

    If an improper locale is specified, core modules will now automatically revert to using the 'C' locale.
    Modules using the fetch_url utility will now obey proxy environment variables.
    The SSL validation step in fetch_url will likewise obey proxy settings, however only proxies using the http protocol are supported.
    Fixed multiple bugs in docker module related to version changes upstream.
    Fixed a bug in the ec2_group module where egress rules were lost when a VPC was specified.
    Fixed two bugs in the synchronize module:
        a trailing slash might be lost when calculating relative paths, resulting in an incorrect destination.
        the sync might use the inventory directory incorrectly instead of the playbook or role directory.
    Files will now only be chown'd on an atomic move if the src/dest uid/gid do not match.
Comment 1 Agostino Sarubbo gentoo-dev 2014-07-18 09:46:25 UTC 
This is a security bug.
Comment 2 Tomáš Mózes 2014-07-22 14:11:31 UTC 
Version 1.6.6 is also vulnerable:
https://bugs.gentoo.org/show_bug.cgi?id=517770
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2014-07-23 07:53:22 UTC 
It seems the issues are fixed in >1.6.6. Could someone please confirm this?
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-23 08:06:09 UTC 
My understanding is that these issues are fixed in 1.6.6 and in higher versions. The issue tracked in bug 517770 is a separate issue, but require a higher version to fix, marking this bug as depends on the other one and we can continue there.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2014-07-23 08:47:02 UTC 
+*ansible-1.6.8 (23 Jul 2014)
+
+  23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.7.ebuild,
+  +ansible-1.6.8.ebuild:
+  Version BUmp
+
Comment 6 Sergey Popov (RETIRED) gentoo-dev 2014-07-31 06:08:00 UTC 
Added to existing GLSA request
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 18:15:58 UTC 
This issue was resolved and addressed in
 GLSA 201411-09 at http://security.gentoo.org/glsa/glsa-201411-09.xml
by GLSA coordinator Sean Amoss (ackle).