From https://bugzilla.redhat.com/show_bug.cgi?id=998227 :

Since version 1.2 of ansible, failed runs (due to connection errors, or config errors) are listed into /var/tmp/ansible/$script_name.yml, with $script_name being the script name used (or rather the playbook, in ansible lingo). There is no verification on the file or directory here, and /var/tmp is world writable. Worse, due to it using a subdirectory under /var/tmp, some symlink protection may not apply (not tested). For example, if I create a directory /var/tmp/ansible with owner misc:users and a symlink to a file of joe, the kernel would permit following it since the symlink and the owner of the directory match. This permits erasing file content, among others. I am not sure what kind of specific attack could be made by injecting ip and hostname in a specific file, but I am sure this exists.

Code is on https://github.com/ansible/ansible/blob/devel/lib/ansible/playbook/__init__.py#L480

Upstream was not notified yet AFAIK. I do have a patch almost ready that does:
- verify the permission/owner of directory
- create a unique directory derived from username (so predictable) with proper permission if it doesn't exist

I just need to review and test. The current code does cope with lack of permission on the directory, so even if someone creates a directory in advance, this will be handled "gracefully" (I think a message would be better).
From https://bugzilla.redhat.com/show_bug.cgi?id=998223 :

By default, ansible tries to create a ControlMaster file in a predictable location in /tmp. This is vulnerable to a ssh socket injection attack like this:

~ $ sudo ln -s /tmp/ansible-ssh-elspeth.example.org-22-misc /tmp/ansible-ssh-sisay.example.org-22-misc
~ $ ansible -i 'elspeth.example.org,sisay.example.org' all -m shell -u misc -a hostname
elspeth.example.org | success | rc=0 >>
elspeth.example.org

sisay.example.org | success | rc=0 >>
elspeth.example.org

I also did a test without using root, that's the same.

Based on this attack, someone could divert the ssh connection to another server, make it connect to a server under the control of the attacker, and steal configuration files (with passwords), or steal passwords with a fake sudo (since ansible can also use sudo).

Please note that you need to:
- disable selinux
  # setenforce 0
- disable the latest protection from the kernel
  # sysctl -w fs.protected_symlinks=0
  # sysctl -w fs.protected_hardlinks=0
to make sure this works.

I didn't find how/where ssh controls the socket file for suitability, maybe it should. I am not sure what could be a good fix. I do have a patch that puts the socket in $XDG_RUNTIME_DIR but it is a very weak mitigation technique that does not work on older platforms such as RHEL 6. Another solution would be to make sure the socket is created in a specific temporary directory, but this could make the software much slower. And checking if the socket exists first is prone to race conditions.

Upstream was not contacted yet, and plans to release 1.3 in around 2 weeks. Issue is not public (but quite easy to spot).

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
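Both reports above come down to the same defect: a process writes to a predictable name under a world-writable directory (/var/tmp/ansible/ for the retry file, /tmp/ for the ControlMaster socket) without verifying what is already there, so a planted symlink redirects the write. The following is an added example, not Ansible code and not the patch the reporter mentions; it shows the mitigation the first comment outlines (a per-user directory with verified owner and mode) done in a race-free way: the directory is opened with O_NOFOLLOW and checked via fstat on the open descriptor, and the file inside it is created relative to that descriptor with O_NOFOLLOW, so a symlink planted at either level is refused rather than followed. The base directory, the "ansible-<user>" naming and the retry file contents are constructed for the demo.

```python
import os
import pwd
import shutil
import stat
import tempfile


def current_user():
    """Name of the invoking user; falls back to the numeric uid if there is no passwd entry."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return str(os.getuid())


def open_private_dir(base, name):
    """Create base/name with mode 0700 if missing, then open it without following
    symlinks and verify on the open descriptor (so the check cannot be raced) that
    it is a real directory owned by us with no group/other permission bits.
    Returns the directory fd; raises OSError/PermissionError on any mismatch."""
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something is already there; it is validated below, never trusted
    dfd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)  # ELOOP on a symlink
    try:
        st = os.fstat(dfd)
        if st.st_uid != os.getuid():
            raise PermissionError("%s owned by uid %d, not by us" % (path, st.st_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s is group/world accessible (mode %o)"
                                  % (path, stat.S_IMODE(st.st_mode)))
    except Exception:
        os.close(dfd)
        raise
    return dfd


def write_retry_file(dfd, filename, content):
    """Create/truncate `filename` inside the verified directory referenced by `dfd`.
    O_NOFOLLOW refuses a planted symlink; the fstat checks refuse anything that is
    not a plain, unlinked-to regular file we own. Returns the number of bytes written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(filename, flags, 0o600, dir_fd=dfd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != os.getuid():
            raise PermissionError("%s is not a private regular file" % filename)
        data = content.encode()
        total = 0
        while total < len(data):  # os.write may write partially
            total += os.write(fd, data[total:])
        return total
    finally:
        os.close(fd)


def demo():
    """Exercise the happy path and the three planted-entry cases in a scratch base
    directory that stands in for /var/tmp (constructed for this example)."""
    base = tempfile.mkdtemp(prefix="demo-var-tmp-")
    results = {}
    try:
        mine = "ansible-" + current_user()
        dfd = open_private_dir(base, mine)
        results["dir_mode"] = stat.S_IMODE(os.fstat(dfd).st_mode)
        results["bytes_written"] = write_retry_file(dfd, "site.retry", "host1\nhost2\n")
        os.close(dfd)

        # Case 1: a symlink sits where the per-user directory name should be.
        victim_dir = os.path.join(base, "victim")
        os.mkdir(victim_dir)
        os.symlink(victim_dir, os.path.join(base, "planted-dir"))
        try:
            os.close(open_private_dir(base, "planted-dir"))
            results["symlink_dir_rejected"] = False
        except OSError:
            results["symlink_dir_rejected"] = True

        # Case 2: the directory exists but is world-writable (anyone could plant links).
        loose = os.path.join(base, "loose")
        os.mkdir(loose, 0o700)
        os.chmod(loose, 0o777)
        try:
            os.close(open_private_dir(base, "loose"))
            results["world_writable_rejected"] = False
        except PermissionError:
            results["world_writable_rejected"] = True

        # Case 3: a symlink with the retry file's name points at someone else's file.
        victim_file = os.path.join(victim_dir, "secret.txt")
        with open(victim_file, "w") as f:
            f.write("original\n")
        os.symlink(victim_file, os.path.join(base, mine, "planted.retry"))
        dfd = open_private_dir(base, mine)
        try:
            write_retry_file(dfd, "planted.retry", "overwritten\n")
            results["symlink_file_rejected"] = False
        except OSError:
            results["symlink_file_rejected"] = True
        finally:
            os.close(dfd)
        with open(victim_file) as f:
            results["victim_intact"] = f.read() == "original\n"
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-25s %s" % (key, oct(value) if key == "dir_mode" else value))
```

The point of checking the descriptor rather than the path is that a lstat-then-open sequence is exactly the race the second comment warns about; with O_NOFOLLOW plus fstat, the kernel either gives you the object you checked or an error, with no window in between. The same pattern applies to the ControlMaster socket: place it under a directory opened and verified this way, or under a per-user runtime directory such as $XDG_RUNTIME_DIR where one exists.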
I assume B3 for now, waiting for upstream...
1.2.3 released - https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg
+ 02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
+ ansible-9999.ebuild:
+ Version bump, wrt bug #482152. Sync live ebuild

Ready for stabilization.

Arches, please test and mark stable =app-admin/ansible-1.2.3

Target keywords: amd64 x86
(In reply to Sergey Popov from comment #4)
> + 02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
> + ansible-9999.ebuild:
> + Version bump, wrt bug #482152. Sync live ebuild

I guess there was a mistake, I don't see that version in tree.
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/
(In reply to Agostino Sarubbo from comment #5)
> I guess there was a mistake, I don't see that version in tree.
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/

Yeah, sorry for that. Now - really committed.
amd64 stable
x86 stable
Thanks for your work.

GLSA vote: no
CVE-2013-4260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4260):
  lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.

CVE-2013-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4259):
  runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.
GLSA vote: yes.
GLSA vote: no. Closing as [noglsa]