Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 749369 (CVE-2020-25635, CVE-2020-25636)

Summary: <app-admin/ansible-2.10.0-r2: information leak vulnerabilities (CVE-2020-{25635,25636})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: calchan, chainsaw, hydrapolic, monsieurp, prometheanfire
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C4 [noglsa]
Package list:
app-admin/ansible-2.10.0-r2 *
 Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 02:13:51 UTC 
CVE-2020-25635:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.

CVE-2020-25636:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.

Patch for both: https://github.com/ansible-collections/community.aws/commit/921bd53103c2b543e95c9e6b863702db3ff54d0c

Maintainers, please advise if Gentoo versions of Ansible are affected.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 02:57:15 UTC 
patch doesn't apply cleanly,  I think ansible-2.10.0-r1 is hit by this.  Modified paths in patch.
Comment 2 Larry the Git Cow gentoo-dev 2020-10-16 02:58:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d23da514953be1ad0fd02a9aab9e5a24ca3449d

commit 7d23da514953be1ad0fd02a9aab9e5a24ca3449d
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 02:57:56 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 02:58:10 +0000

    app-admin/ansible: Fix CVE
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/ansible-2.10.0-r2.ebuild         | 82 ++++++++++++++++++++++
 .../files/ansible-2.10.0-CVE-2020-25635-6.patch    | 54 ++++++++++++++
 2 files changed, 136 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:03:11 UTC 
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> patch doesn't apply cleanly,  I think ansible-2.10.0-r1 is hit by this. 
> Modified paths in patch.

Only 2.10?
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:07:58 UTC 
probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with older releases.  Ansible recently split their package to ansible and ansible-base which has been... annoying to deal with.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:10:57 UTC 
(In reply to Matthew Thode ( prometheanfire ) from comment #4)
> probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with
> older releases.  Ansible recently split their package to ansible and
> ansible-base which has been... annoying to deal with.

That does make it easier :)

Please continue with stabilization when ready.
Comment 6 Larry the Git Cow gentoo-dev 2020-10-16 03:26:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d4eb2055684936f71e5b2f2317ca43ca509ed8

commit 28d4eb2055684936f71e5b2f2317ca43ca509ed8
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 03:25:56 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 03:25:56 +0000

    app-admin/ansible: clean up for sec bug
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/Manifest                 |  2 -
 app-admin/ansible/ansible-2.10.0-r1.ebuild | 80 ------------------------------
 app-admin/ansible/ansible-2.9.13.ebuild    | 69 --------------------------
 app-admin/ansible/ansible-2.9.14.ebuild    | 69 --------------------------
 4 files changed, 220 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=251de145bd1920939f0f64e33f269b156eea510d

commit 251de145bd1920939f0f64e33f269b156eea510d
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 03:25:00 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 03:25:00 +0000

    app-admin/ansible: 2.10.0-r2 stable amd64/arm64/x86
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/ansible-2.10.0-r2.ebuild | 2 +-
 app-admin/ansible/ansible-2.9.14.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:28:30 UTC 
Thanks! C4 -> noglsa. Closing.