Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749369 (CVE-2020-25635, CVE-2020-25636) - <app-admin/ansible-2.10.0-r2: information leak vulnerabilities (CVE-2020-{25635,25636})
Summary: <app-admin/ansible-2.10.0-r2: information leak vulnerabilities (CVE-2020-{256...
Status: RESOLVED FIXED
Alias: CVE-2020-25635, CVE-2020-25636
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-16 02:13 UTC by John Helmert III
Modified: 2020-10-16 15:05 UTC (History)
5 users (show)

See Also:
Package list:
app-admin/ansible-2.10.0-r2 *
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 02:13:51 UTC
CVE-2020-25635:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.

CVE-2020-25636:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.

Patch for both: https://github.com/ansible-collections/community.aws/commit/921bd53103c2b543e95c9e6b863702db3ff54d0c

Maintainers, please advise if Gentoo versions of Ansible are affected.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 02:57:15 UTC
patch doesn't apply cleanly,  I think ansible-2.10.0-r1 is hit by this.  Modified paths in patch.
Comment 2 Larry the Git Cow gentoo-dev 2020-10-16 02:58:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d23da514953be1ad0fd02a9aab9e5a24ca3449d

commit 7d23da514953be1ad0fd02a9aab9e5a24ca3449d
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 02:57:56 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 02:58:10 +0000

    app-admin/ansible: Fix CVE
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/ansible-2.10.0-r2.ebuild         | 82 ++++++++++++++++++++++
 .../files/ansible-2.10.0-CVE-2020-25635-6.patch    | 54 ++++++++++++++
 2 files changed, 136 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:03:11 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> patch doesn't apply cleanly,  I think ansible-2.10.0-r1 is hit by this. 
> Modified paths in patch.

Only 2.10?
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:07:58 UTC
probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with older releases.  Ansible recently split their package to ansible and ansible-base which has been... annoying to deal with.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:10:57 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #4)
> probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with
> older releases.  Ansible recently split their package to ansible and
> ansible-base which has been... annoying to deal with.

That does make it easier :)

Please continue with stabilization when ready.
Comment 6 Larry the Git Cow gentoo-dev 2020-10-16 03:26:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d4eb2055684936f71e5b2f2317ca43ca509ed8

commit 28d4eb2055684936f71e5b2f2317ca43ca509ed8
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 03:25:56 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 03:25:56 +0000

    app-admin/ansible: clean up for sec bug
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/Manifest                 |  2 -
 app-admin/ansible/ansible-2.10.0-r1.ebuild | 80 ------------------------------
 app-admin/ansible/ansible-2.9.13.ebuild    | 69 --------------------------
 app-admin/ansible/ansible-2.9.14.ebuild    | 69 --------------------------
 4 files changed, 220 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=251de145bd1920939f0f64e33f269b156eea510d

commit 251de145bd1920939f0f64e33f269b156eea510d
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-10-16 03:25:00 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-10-16 03:25:00 +0000

    app-admin/ansible: 2.10.0-r2 stable amd64/arm64/x86
    
    Bug: https://bugs.gentoo.org/749369
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/ansible/ansible-2.10.0-r2.ebuild | 2 +-
 app-admin/ansible/ansible-2.9.14.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 03:28:30 UTC
Thanks! C4 -> noglsa. Closing.