
Bug 517770 (CVE-2014-4966)

Summary: <app-admin/ansible-1.6.8: input sanitization errors - possible arbitrary code execution (CVE-2014-{4966,4967})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hydrapolic, jlec, pinkbyte
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2014/q3/208
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 517870
Bug Blocks: 516564

Description Kristian Fiskerstrand gentoo-dev Security 2014-07-22 10:21:04 UTC
The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT
        gmail.com>.

CVEs: 
CVE-2014-4966 (lookup function), 
CVE-2014-4967 (action arguments)
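
The action-argument problem described above (CVE-2014-4967), as an added example that is not Ansible's code and not part of the original report: a toy model of a key=value action string, showing interpolate-then-parse next to two defensive orderings. The function names, the `{{name}}` renderer and the sample task are assumptions made for illustration.

```python
import re
import shlex

def render(template, variables):
    """Toy stand-in for templating: replace {{name}} with the variable's value."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(variables[m.group(1)]), template)

def parse_kv(args):
    """Split an action argument string into a dict of key=value options.
    Toy parser: expects {{name}} written without inner spaces."""
    options = {}
    for token in shlex.split(args):
        if "=" in token:
            key, value = token.split("=", 1)
            options[key] = value
    return options

def unsafe_action_args(template, variables):
    """Vulnerable order: interpolate first, then parse the resulting string."""
    return parse_kv(render(template, variables))

def checked_action_args(template, variables):
    """Parse the untemplated string too; refuse if interpolation added options."""
    expected = set(parse_kv(template))
    options = parse_kv(render(template, variables))
    injected = set(options) - expected
    if injected:
        raise ValueError("variable data introduced options: %s" % sorted(injected))
    return options

def structured_action_args(template, variables):
    """Parse first, then interpolate each value: data can never become a key."""
    return {k: render(v, variables) for k, v in parse_kv(template).items()}

# Constructed sample data: a copy-style task whose src comes from variable data.
TASK = "src={{item}} dest=/etc/app.conf"
BENIGN = {"item": "files/app.conf"}
HOSTILE = {"item": "files/app.conf validate=PLACEHOLDER_COMMAND"}

if __name__ == "__main__":
    print(unsafe_action_args(TASK, HOSTILE))      # gains a 'validate' option
    print(structured_action_args(TASK, HOSTILE))  # value stays inside 'src'
    try:
        checked_action_args(TASK, HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```
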
Comment 1 Tomáš Mózes 2014-07-22 14:12:33 UTC
Tested 1.6.7, works okay on amd64 (same ebuild as 1.6.1).
Comment 2 Justin Lecher gentoo-dev 2014-07-23 07:51:05 UTC
+*ansible-1.6.7 (23 Jul 2014)
+
+  23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.1.ebuild,
+  +ansible-1.6.7.ebuild, +files/README.gentoo:
+  Version Bump
+
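
Review bot: The ChangeLog message on the last line of this entry says only "Version Bump", although the same entry removes ansible-1.6.1.ebuild and adds the release that this bug lists as fixed. Name the bug in the message (for example "Version Bump, security bug #517770") so the reason for dropping the old ebuild is recorded with the change.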

@arches, Please stable, testsuite is fine.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2014-07-23 08:03:25 UTC
ansible 1.6.8 is released, fixing a regression with "shell quoting introduced in the 1.6.7 security release. The same fix was merged into devel earlier in the day, so users experiencing issues with the command/shell modules should upgrade to resolve the issue." (https://groups.google.com/forum/#!topic/ansible-announce/NqGgSCEhJq0 ) 

As I'm not using ansible I don't know how common this configuration is, but Caveat Emptor
Comment 4 Justin Lecher gentoo-dev 2014-07-23 08:47:26 UTC
+*ansible-1.6.8 (23 Jul 2014)
+
+  23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.7.ebuild,
+  +ansible-1.6.8.ebuild:
+  Version BUmp
+
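
Review bot: "Version BUmp" on the message line has a capitalization typo, and the entry gives no reason for removing ansible-1.6.7.ebuild on the same day it was added. Correct the spelling and state in the message why 1.6.7 is dropped in favour of 1.6.8, with a reference to bug #517770.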
Comment 5 Justin Lecher gentoo-dev 2014-07-23 08:47:44 UTC
@arch teams, target is version 1.6.8.
Comment 6 Tomáš Mózes 2014-07-23 09:11:38 UTC
We had this in our playbook:

shell: find {{dir}} -type d -not -perm 2775 -exec chmod 2775 {} \;

This stopped working in 1.6.7 because of that bug, we tested on 1.6.8, it works like before. Thanks for the bump.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2014-07-30 04:40:59 UTC
Arches, please test and mark stable:

=app-admin/ansible-1.6.8

Target Keywords : "amd64 x86"

Thank you!
Comment 8 Sergey Popov gentoo-dev 2014-07-31 06:05:48 UTC
amd64/x86 stable.

Old vulnerable version has been dropped

GLSA request filed

Thanks, guys
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 18:16:05 UTC
This issue was resolved and addressed in
 GLSA 201411-09 at http://security.gentoo.org/glsa/glsa-201411-09.xml
by GLSA coordinator Sean Amoss (ackle).