CVE-2020-1738

CVE-2020-1738.patch

@@ -0,0 +1,48 @@
+From 52d70d28eac2655a610b57291ca73e6ad33367ea Mon Sep 17 00:00:00 2001
+From: Abbijeet Kasurde <akasurde@redhat.com>
+Date: Thu, 16 Sep 2021 17:32:34 +0800
+Subject: [PATCH] [WIP] Add whitelisting for package and service module
+
+---
+ lib/ansible/plugins/action/package.py | 8 ++++++++
+ lib/ansible/plugins/action/service.py | 5 +++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
+index 932acccb..18acc856 100644
+--- a/lib/ansible/plugins/action/package.py
++++ b/lib/ansible/plugins/action/package.py
+@@ -56,6 +56,14 @@ class ActionModule(ActionBase):
+                 module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
+ 
+             if module != 'auto':
++                if module not in ['apk','apt_rpm','apt','dnf','homebrew_cask',
++                                 'homebrew_tap','homebrew','installp','macports','mas',
++                                 'openbsd_pkg','opkg','pacman','pkg5','pkgin',
++                                 'pkgng','pkgutil','portage','portinstall','slackpkg',
++                                 'snap','sorcery','svr4pkg','swdepot','swupd',
++                                 'urpmi','xbps','yum','zypper']:
++                    raise AnsibleActionFail('Coudld not find a module for package manager %s.'
++                                            'Try setting the "use" option.'% module)
+ 
+                 if module not in self._shared_loader_obj.module_loader:
+                     raise AnsibleActionFail('Could not find a module for %s.' % module)
+diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
+index 3ebd0ae1..d9b0344b 100644
+--- a/lib/ansible/plugins/action/service.py
++++ b/lib/ansible/plugins/action/service.py
+@@ -61,6 +61,11 @@ class ActionModule(ActionBase):
+                 module = 'service'
+ 
+             if module != 'auto':
++                # Check if auto detected module is valid module name or not
++                if module not in ['nosh','openwrt_init','runit',
++                                  'svc','systemd','sysvinit']:
++                    raise AnsibleActionFail('Could not find module for service manager %s.'
++                                             'Try setting the "use" option.')
+                 # run the 'service' module
+                 new_module_args = self._task.args.copy()
+                 if 'use' in new_module_args:
+-- 
+2.27.0
+

ansible.spec

@@ -2,7 +2,7 @@
 Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.9.24
-Release: 2
+Release: 3
 
 License: GPLv3+
 Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@@ -17,6 +17,7 @@ Patch2: ansible-2.9.6-disable-test_build_requirement_from_path_no_version.patch
 Patch3: fix-python-3.9-compatibility.patch
 Patch4: ansible-2.9.23-sphinx4.patch
 Patch5: CVE-2020-1736.patch
+Patch6: CVE-2020-1738.patch
 
 Provides:      ansible-python3 = %{version}-%{release}
 Obsoletes:     ansible-python3 < %{version}-%{release}
@@ -214,6 +215,9 @@ make PYTHON=/usr/bin/python3 tests-py3
 %{python3_sitelib}/ansible_test
 
 %changelog
+* Fri Sep 17 2021 liwu <liwu13@huawei.com> - 2.9.24-3
+- fix CVE-2020-1738
+
 * Thu Sep 16 2021 liwu <liwu13@huawei.com> - 2.9.24-2
 - fix CVE-2020-1736