CVE-2021-3701: A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity. RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977959 CVE-2021-3702: A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality. RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977965 Issue: https://github.com/ansible/ansible-runner/issues/738 Patches for both are: https://github.com/ansible/ansible-runner/pull/742 Which was merged as: https://github.com/ansible/ansible-runner/commit/dcdb62daf668a31754fc6fbf73374e7d14d5f52c Please bump to 2.1.0.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9771b16e2bbfbf8ed9b05f47b60fd495179dfcf commit e9771b16e2bbfbf8ed9b05f47b60fd495179dfcf Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2022-08-23 23:53:12 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2022-08-23 23:54:45 +0000 dev-python/ansible-runner: add 2.1.0 Bug: https://bugs.gentoo.org/866223 Signed-off-by: Zac Medico <zmedico@gentoo.org> dev-python/ansible-runner/Manifest | 1 + .../ansible-runner/ansible-runner-2.1.0.ebuild | 40 ++++++++++++++++++++++ 2 files changed, 41 insertions(+)
Thanks! Please cleanup when ready.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c891fb6ca1b1993e2c2306f7620038b4dba3809 commit 0c891fb6ca1b1993e2c2306f7620038b4dba3809 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2022-08-24 15:20:10 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2022-08-24 15:20:15 +0000 dev-python/ansible-runner: drop 1.4.9 Bug: https://bugs.gentoo.org/866223 Signed-off-by: Zac Medico <zmedico@gentoo.org> dev-python/ansible-runner/Manifest | 1 - .../ansible-runner/ansible-runner-1.4.9.ebuild | 38 ---------------------- 2 files changed, 39 deletions(-)
Thanks, all done!
CVE-2021-4041 (https://bugzilla.redhat.com/show_bug.cgi?id=2028074): https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.
