packages/ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-0690

Browse Source
This commit is contained in:
wk333 2024-02-05 19:54:38 +08:00
parent 3be839b699
commit d0eba647ac
2 changed files with 96 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
CVE-2024-0690.patch Normal file
View File

@ -0,0 +1,91 @@
From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
From: Matt Martz <matt@sivel.net>
Date: Thu, 18 Jan 2024 17:17:23 -0600
Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
(CVE-2024-0690) (#82565) (#82568)
Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
(cherry picked from commit 6935c8e)
---
changelogs/fragments/cve-2024-0690.yml | 2 ++
lib/ansible/playbook/base.py | 2 +-
lib/ansible/playbook/play_context.py | 4 ----
test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
test/integration/targets/no_log/runme.sh | 5 +++++
5 files changed, 21 insertions(+), 5 deletions(-)
create mode 100644 changelogs/fragments/cve-2024-0690.yml
create mode 100644 test/integration/targets/no_log/no_log_config.yml
diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
new file mode 100644
index 00000000..0e030d88
--- /dev/null
+++ b/changelogs/fragments/cve-2024-0690.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
index 0f4dc4e4..172963a2 100644
--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
@@ -613,7 +613,7 @@ class Base(FieldAttributeBase):
# flags and misc. settings
_environment = FieldAttribute(isa='list', extend=True, prepend=True)
- _no_log = FieldAttribute(isa='bool')
+ _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
_run_once = FieldAttribute(isa='bool')
_ignore_errors = FieldAttribute(isa='bool')
_ignore_unreachable = FieldAttribute(isa='bool')
diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
index 10dd57aa..5b8b2852 100644
--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
@@ -318,10 +318,6 @@ class PlayContext(Base):
if not new_info.connection_user:
new_info.connection_user = new_info.remote_user
- # set no_log to default if it was not previously set
- if new_info.no_log is None:
- new_info.no_log = C.DEFAULT_NO_LOG
-
if task.check_mode is not None:
new_info.check_mode = task.check_mode
diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
new file mode 100644
index 00000000..8a508805
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_config.yml
@@ -0,0 +1,13 @@
+- hosts: testhost
+ gather_facts: false
+ tasks:
+ - debug:
+ no_log: true
+
+ - debug:
+ no_log: false
+
+ - debug:
+
+ - debug:
+ loop: '{{ range(3) }}'
diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
index bb5c048f..8bfe019b 100755
--- a/test/integration/targets/no_log/runme.sh
+++ b/test/integration/targets/no_log/runme.sh
@@ -19,3 +19,8 @@ set -eux
# test invalid data passed to a suboption
[ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ]
+
+# test variations on ANSIBLE_NO_LOG
+[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
--
2.33.0

6
ansible.spec
View File

@ -2,7 +2,7 @@
Name: ansible Name: ansible
Summary: SSH-based configuration management, deployment, and task execution system Summary: SSH-based configuration management, deployment, and task execution system
Version: 2.9.27 Version: 2.9.27
Release: 4 Release: 5
License: GPLv3+ License: GPLv3+
Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@ -18,6 +18,7 @@ Patch3: fix-python-3.9-compatibility.patch
Patch4: ansible-2.9.23-sphinx4.patch Patch4: ansible-2.9.23-sphinx4.patch
Patch5: hostname-module-support-openEuler.patch Patch5: hostname-module-support-openEuler.patch
Patch6: Fix-build-error-for-sphinx-7.0.patch Patch6: Fix-build-error-for-sphinx-7.0.patch
Patch7: CVE-2024-0690.patch
Provides: ansible-python3 = %{version}-%{release} Provides: ansible-python3 = %{version}-%{release}
Obsoletes: ansible-python3 < %{version}-%{release} Obsoletes: ansible-python3 < %{version}-%{release}
@ -215,6 +216,9 @@ make PYTHON=/usr/bin/python3 tests-py3
%{python3_sitelib}/ansible_test %{python3_sitelib}/ansible_test
%changelog %changelog
* Mon Feb 05 2024 wangkai <13474090681@163.com> - 2.9.27-5
- Fix CVE-2024-0690
* Wed Aug 9 2023 liyanan <thistleslyn@163.com> - 2.9.27-4 * Wed Aug 9 2023 liyanan <thistleslyn@163.com> - 2.9.27-4
- Remove obsolete buildrequire python3-crypto - Remove obsolete buildrequire python3-crypto