Bug 866223 (CVE-2021-3701, CVE-2021-3702, CVE-2021-4041) - <dev-python/ansible-runner-2.1.0: multiple vulnerabilities
Summary: <dev-python/ansible-runner-2.1.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-3701, CVE-2021-3702, CVE-2021-4041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Reported: 2022-08-23 19:54 UTC by John Helmert III
Modified: 2022-08-24 18:59 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-23 19:54:36 UTC
CVE-2021-3701:

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.

RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977959

CVE-2021-3702:

A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest threat out of this flaw is to integrity and confidentiality.

RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977965

Issue: https://github.com/ansible/ansible-runner/issues/738

Patches for both are: https://github.com/ansible/ansible-runner/pull/742
Which was merged as: https://github.com/ansible/ansible-runner/commit/dcdb62daf668a31754fc6fbf73374e7d14d5f52c

Please bump to 2.1.0.
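
An added example, not part of the original report and not ansible-runner's own code, showing the defensive pattern for the temporary-directory issues described under CVE-2021-3701 and CVE-2021-3702: create the directory atomically under an unpredictable name, and reject any directory that fails ownership and permission checks. The function names and the `runner_pdd_` prefix are hypothetical.

```python
import os
import stat
import tempfile


def make_private_dir(prefix="runner_pdd_"):  # prefix is a hypothetical name
    """Create a new directory with a random name and mode 0700.

    mkdtemp() relies on mkdir(2), which fails if the name already exists,
    so a directory pre-created by another local user is never adopted.
    """
    return tempfile.mkdtemp(prefix=prefix)


def check_private_dir(path, uid=None):
    """Return the reasons `path` is unsafe as a private data directory.

    An empty list means every check passed. The result only holds while the
    parent directory is not writable by other users; in a shared location
    such as /tmp another user can claim the name whenever it is free.
    """
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != uid:
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group or others")
    return problems


if __name__ == "__main__":
    fresh = make_private_dir()
    print(fresh, check_private_dir(fresh))
    # Constructed sample: a directory left open to every local user.
    shared = os.path.join(fresh, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    print(shared, check_private_dir(shared))
```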
Comment 1 Larry the Git Cow gentoo-dev 2022-08-23 23:55:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9771b16e2bbfbf8ed9b05f47b60fd495179dfcf

commit e9771b16e2bbfbf8ed9b05f47b60fd495179dfcf
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-08-23 23:53:12 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-08-23 23:54:45 +0000

    dev-python/ansible-runner: add 2.1.0
    
    Bug: https://bugs.gentoo.org/866223
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-python/ansible-runner/Manifest                 |  1 +
 .../ansible-runner/ansible-runner-2.1.0.ebuild     | 40 ++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 00:15:05 UTC
Thanks! Please clean up when ready.
Comment 3 Larry the Git Cow gentoo-dev 2022-08-24 15:20:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c891fb6ca1b1993e2c2306f7620038b4dba3809

commit 0c891fb6ca1b1993e2c2306f7620038b4dba3809
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-08-24 15:20:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-08-24 15:20:15 +0000

    dev-python/ansible-runner: drop 1.4.9
    
    Bug: https://bugs.gentoo.org/866223
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-python/ansible-runner/Manifest                 |  1 -
 .../ansible-runner/ansible-runner-1.4.9.ebuild     | 38 ----------------------
 2 files changed, 39 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 17:38:09 UTC
Thanks, all done!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 18:59:04 UTC
CVE-2021-4041 (https://bugzilla.redhat.com/show_bug.cgi?id=2028074):
https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.