!25 The upstream community rolls back the patch

From: @programmer12 Reviewed-by: @myeuler Signed-off-by: @myeuler
2021-11-01 06:52:41 +00:00 · 2021-11-01 06:52:41 +00:00 · dd7d6cbd6d
commit dd7d6cbd6d
parent 9a85675d4f 58155cc894
3 changed files with 4 additions and 167 deletions
--- a/CVE-2020-1736.patch
+++ b/CVE-2020-1736.patch
@ -1,116 +0,0 @@
 From 0ac1d5e4a73f5de7d43422c3d4ff905326c43bda Mon Sep 17 00:00:00 2001
 From: Brian Coca <bcoca@users.noreply.github.com> 
 Date: Thu, 16 Sep 2021 10:03:48 +0800
 Subject: [PATCH] stricter permissions atomic_move when creating new file
  (#68970)
 ---
 lib/ansible/module_utils/common/file.py       |  3 +--
 .../targets/apt_repository/tasks/mode.yaml    |  3 ++-
 .../module_utils/basic/test_atomic_move.py    | 20 ++++++++-----------
 3 files changed, 11 insertions(+), 15 deletions(-)
 diff --git a/lib/ansible/module_utils/common/file.py b/lib/ansible/module_utils/common/file.py
 index 9703ea78..b74fb796 100644
 --- a/lib/ansible/module_utils/common/file.py
 +++ b/lib/ansible/module_utils/common/file.py
@@ -59,8 +59,7 @@ PERMS_RE = re.compile(r'[^rwxXstugo]')
 _PERM_BITS = 0o7777          # file mode permission bits
 _EXEC_PERM_BITS = 0o0111     # execute permission bits
 -_DEFAULT_PERM = 0o0666       # default file permission bits
 -
 +_DEFAULT_PERM = 0o0660       # default file permission bits
 def is_executable(path):
     # This function's signature needs to be repeated
 diff --git a/test/integration/targets/apt_repository/tasks/mode.yaml b/test/integration/targets/apt_repository/tasks/mode.yaml
 index d9895368..2a971514 100644
 --- a/test/integration/targets/apt_repository/tasks/mode.yaml
 +++ b/test/integration/targets/apt_repository/tasks/mode.yaml
@@ -41,6 +41,7 @@
   apt_repository:
     repo: "{{ test_repo_spec }}"
     state: present
 +    mode:0644
   register: no_mode_results
 - name: Gather no mode stat
@@ -127,4 +128,4 @@
 # See https://github.com/ansible/ansible/issues/16370
 - name: Assert mode_given_yaml_literal_600 is correct
   assert:
 -    that: "mode_given_yaml_literal_600.stat.mode == '1130'"
 \ No newline at end of file
 +    that: "mode_given_yaml_literal_600.stat.mode == '1130'"
 diff --git a/test/units/module_utils/basic/test_atomic_move.py b/test/units/module_utils/basic/test_atomic_move.py
 index 7bd9496e..1d74b5f9 100644
 --- a/test/units/module_utils/basic/test_atomic_move.py
 +++ b/test/units/module_utils/basic/test_atomic_move.py
@@ -63,7 +63,7 @@ def atomic_mocks(mocker, monkeypatch):
 @pytest.fixture
 def fake_stat(mocker):
     stat1 = mocker.MagicMock()
 -    stat1.st_mode = 0o0644
 +    stat1.st_mode = 0o0640
     stat1.st_uid = 0
     stat1.st_gid = 0
     stat1.st_flags = 0
@@ -80,8 +80,8 @@ def test_new_file(atomic_am, atomic_mocks, mocker, selinux):
     atomic_am.atomic_move('/path/to/src', '/path/to/dest')
     atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
 -    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
 -
 +    # 416 is what we expect with default perms set to 0640
 +    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest',416)]
     if selinux:
         assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
         assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
@@ -101,8 +101,7 @@ def test_existing_file(atomic_am, atomic_mocks, fake_stat, mocker, selinux):
     atomic_am.atomic_move('/path/to/src', '/path/to/dest')
     atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
 -    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
 -
 +    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src',416)]
     if selinux:
         assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
         assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
@@ -124,11 +123,9 @@ def test_no_tty_fallback(atomic_am, atomic_mocks, fake_stat, mocker):
     atomic_am.atomic_move('/path/to/src', '/path/to/dest')
     atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
 -    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
 -
     assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
     assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
 -
 +    atomic_am.atomic_move('/path/to/src','/path/to/dest')
 @pytest.mark.parametrize('stdin', [{}], indirect=['stdin'])
 def test_existing_file_stat_failure(atomic_am, atomic_mocks, mocker):
@@ -152,9 +149,8 @@ def test_existing_file_stat_perms_failure(atomic_am, atomic_mocks, mocker):
     atomic_am.atomic_move('/path/to/src', '/path/to/dest')
     atomic_mocks['rename'].assert_called_with(b'/path/to/src', b'/path/to/dest')
 -    # FIXME: Should atomic_move() set a default permission value when it cannot retrieve the
 -    # existing file's permissions?  (Right now it's up to the calling code.
 -    # assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/src', basic.DEFAULT_PERM & ~18)]
 +    # atomic_move() will set a default permission value when it cannot retire the
 +    # existing file's permissions.
     assert atomic_am.set_context_if_different.call_args_list == [mocker.call('/path/to/dest', mock_context, False)]
     assert atomic_am.selinux_context.call_args_list == [mocker.call('/path/to/dest')]
@@ -211,7 +207,7 @@ def test_rename_perms_fail_temp_succeeds(atomic_am, atomic_mocks, fake_stat, moc
     atomic_am.atomic_move('/path/to/src', '/path/to/dest')
     assert atomic_mocks['rename'].call_args_list == [mocker.call(b'/path/to/src', b'/path/to/dest'),
                                                      mocker.call(b'/path/to/tempfile', b'/path/to/dest')]
 -    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', basic.DEFAULT_PERM & ~18)]
 +    assert atomic_mocks['chmod'].call_args_list == [mocker.call(b'/path/to/dest', 416]
     if selinux:
         assert atomic_am.selinux_default_context.call_args_list == [mocker.call('/path/to/dest')]
 -- 
 2.27.0
--- a/CVE-2020-1738.patch
+++ b/CVE-2020-1738.patch
@ -1,48 +0,0 @@
 From 52d70d28eac2655a610b57291ca73e6ad33367ea Mon Sep 17 00:00:00 2001
 From: Abbijeet Kasurde <akasurde@redhat.com>
 Date: Thu, 16 Sep 2021 17:32:34 +0800
 Subject: [PATCH] [WIP] Add whitelisting for package and service module
 ---
 lib/ansible/plugins/action/package.py | 8 ++++++++
 lib/ansible/plugins/action/service.py | 5 +++++
 2 files changed, 13 insertions(+)
 diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
 index 932acccb..18acc856 100644
 --- a/lib/ansible/plugins/action/package.py
 +++ b/lib/ansible/plugins/action/package.py
@@ -56,6 +56,14 @@ class ActionModule(ActionBase):
                 module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
             if module != 'auto':
 +                if module not in ['apk','apt_rpm','apt','dnf','homebrew_cask',
 +                                 'homebrew_tap','homebrew','installp','macports','mas',
 +                                 'openbsd_pkg','opkg','pacman','pkg5','pkgin',
 +                                 'pkgng','pkgutil','portage','portinstall','slackpkg',
 +                                 'snap','sorcery','svr4pkg','swdepot','swupd',
 +                                 'urpmi','xbps','yum','zypper']:
 +                    raise AnsibleActionFail('Coudld not find a module for package manager %s.'
 +                                            'Try setting the "use" option.'% module)
                 if module not in self._shared_loader_obj.module_loader:
                     raise AnsibleActionFail('Could not find a module for %s.' % module)
 diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
 index 3ebd0ae1..d9b0344b 100644
 --- a/lib/ansible/plugins/action/service.py
 +++ b/lib/ansible/plugins/action/service.py
@@ -61,6 +61,11 @@ class ActionModule(ActionBase):
                 module = 'service'
             if module != 'auto':
 +                # Check if auto detected module is valid module name or not
 +                if module not in ['nosh','openwrt_init','runit',
 +                                  'svc','systemd','sysvinit']:
 +                    raise AnsibleActionFail('Could not find module for service manager %s.'
 +                                             'Try setting the "use" option.')
                 # run the 'service' module
                 new_module_args = self._task.args.copy()
                 if 'use' in new_module_args:
 -- 
 2.27.0
--- a/ansible.spec
+++ b/ansible.spec
@ -2,7 +2,7 @@
 Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.9.24
-Release: 3
+Release: 4
 License: GPLv3+
 Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@ -16,8 +16,6 @@ Patch1: ansible-2.9.22-rocky.patch
 Patch2: ansible-2.9.6-disable-test_build_requirement_from_path_no_version.patch
 Patch3: fix-python-3.9-compatibility.patch
 Patch4: ansible-2.9.23-sphinx4.patch
 Patch5: CVE-2020-1736.patch
 Patch6: CVE-2020-1738.patch
 Provides:      ansible-python3 = %{version}-%{release}
 Obsoletes:     ansible-python3 < %{version}-%{release}
@ -215,6 +213,9 @@ make PYTHON=/usr/bin/python3 tests-py3
 %{python3_sitelib}/ansible_test
 %changelog
 * Thu Oct 28 2021 liwu <liwu13@huawei.com> - 2.9.24-4
 - The upstream community rolls back the patch
 * Fri Sep 17 2021 liwu <liwu13@huawei.com> - 2.9.24-3
 - fix CVE-2020-1738