Bug 516564 (CVE-2014-4657) - <app-admin/ansible-1.6.8: Unspecified Arbitrary Code Execution Vulnerabilities (CVE-2014-{4657,4678})
Summary: <app-admin/ansible-1.6.8: Unspecified Arbitrary Code Execution Vulnerabilitie...
Alias: CVE-2014-4657
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2014-4966
Reported: 2014-07-07 05:33 UTC by Tomáš Mózes
Modified: 2014-11-23 18:15 UTC
Description Tomáš Mózes 2014-07-07 05:33:54 UTC
Ebuild for 1.6.1 works for 1.6.6 (tested on amd64).

1.6.6 "And the Cradle Will Rock" - Jul 01, 2014

    Security updates to further protect against the incorrect execution of untrusted data

1.6.5 "And the Cradle Will Rock" - Jun 25, 2014

    Additional tweaks to prevent the incorrect execution of untrusted data

1.6.4 "And the Cradle Will Rock" - Jun 25, 2014

    Security update to prevent local operations from executing as the result of specifically crafted untrusted data

1.6.3 "And the Cradle Will Rock" - Jun 09, 2014

    Corrects a regression where handlers were run across all hosts, not just those that triggered the handler.
    Fixed a bug in which modules did not support properly moving a file atomically when su was in use.
    Fixed two bugs related to symlinks with directories when using the file module.
    Fixed a bug related to MySQL master replication syntax.
    Corrects a regression in the order of variable merging done by the internal runner code.
    Various other minor bug fixes.

1.6.2 "And the Cradle Will Rock" - May 23, 2014

    If an improper locale is specified, core modules will now automatically revert to using the 'C' locale.
    Modules using the fetch_url utility will now obey proxy environment variables.
    The SSL validation step in fetch_url will likewise obey proxy settings, however only proxies using the http protocol are supported.
    Fixed multiple bugs in docker module related to version changes upstream.
    Fixed a bug in the ec2_group module where egress rules were lost when a VPC was specified.
    Fixed two bugs in the synchronize module:
        a trailing slash might be lost when calculating relative paths, resulting in an incorrect destination.
        the sync might use the inventory directory incorrectly instead of the playbook or role directory.
    Files will now only be chown'd on an atomic move if the src/dest uid/gid do not match.
Comment 1 Agostino Sarubbo gentoo-dev 2014-07-18 09:46:25 UTC
This is a security bug.
Comment 2 Tomáš Mózes 2014-07-22 14:11:31 UTC
Version 1.6.6 is also vulnerable:
Comment 3 Justin Lecher gentoo-dev 2014-07-23 07:53:22 UTC
It seems the issues are fixed in >1.6.6. Could someone please confirm this?
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-07-23 08:06:09 UTC
My understanding is that these issues are fixed in 1.6.6 and in higher versions. The issue tracked in bug 517770 is a separate issue, but requires a higher version to fix; marking this bug as depending on the other one, and we can continue there.
Comment 5 Justin Lecher gentoo-dev 2014-07-23 08:47:02 UTC
+*ansible-1.6.8 (23 Jul 2014)
+  23 Jul 2014; Justin Lecher <> -ansible-1.6.7.ebuild,
+  +ansible-1.6.8.ebuild:
+  Version BUmp
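Review bot: The ChangeLog message on the last added line, "Version BUmp", gives no indication that this bump is the security fix tracked in this bug (516564, CVE-2014-4657 and CVE-2014-4678), so anyone reading the ChangeLog or deciding whether the upgrade is urgent cannot tell from the entry alone. Suggest referencing the bug number and noting that it is a security bump, and fixing the capitalisation typo while there. Since the same entry drops ansible-1.6.7.ebuild, it would also help to say the removal is because that version is affected, if that is the reason.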
Comment 6 Sergey Popov gentoo-dev 2014-07-31 06:08:00 UTC
Added to existing GLSA request
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 18:15:58 UTC
This issue was resolved and addressed in
 GLSA 201411-09 at
by GLSA coordinator Sean Amoss (ackle).