Debian Bug report logs -
#930065
ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#930065
; Package src:ansible
.
(Thu, 06 Jun 2019 12:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Thu, 06 Jun 2019 12:21:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ansible
Severity: important
Tags: security upstream
Forwarded: https://github.com/ansible/ansible/pull/57188
Hi,
The following vulnerability was published for ansible, can you check
for which Debian versions this is relevant and adjust the found
versions?
CVE-2019-10156[0]:
templating causing an unexpected key file to be set on remote node
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
[1] https://github.com/ansible/ansible/pull/57188
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Mon, 10 Jun 2019 19:54:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#930065
; Package src:ansible
.
(Fri, 14 Jun 2019 14:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Lee Garrett <debian@rocketjump.eu>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Fri, 14 Jun 2019 14:03:03 GMT) (full text, mbox, link).
Message #12 received at submit@bugs.debian.org (full text, mbox, reply):
Hi,
the updated pull request now also contains tests, which made it easier
for me to reproduce the issue. I will prepare an update for sid on
Sunday/Monday, and evaluate if this also applies for stable. AFAICS this
has a low impact, as it requires an attacker to provide the template
files (or a user to write faulty templates and not verify the output),
which already has grave security implications by itself.
Then again the RH bug tracker hints that it might be used to leak
passwords [0] (through the authorized_key module?), though the pull
request does not contain any changes there. Information on this CVE is
unfortunately rather vague.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1717311
Regards,
Lee
On 06/06/2019 14:16, Salvatore Bonaccorso wrote:
> Source: ansible
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ansible/ansible/pull/57188
>
> Hi,
>
> The following vulnerability was published for ansible, can you check
> for which Debian versions this is relevant and adjust the found
> versions?
>
> CVE-2019-10156[0]:
> templating causing an unexpected key file to be set on remote node
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10156
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
> [1] https://github.com/ansible/ansible/pull/57188
>
> Regards,
> Salvatore
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#930065
; Package src:ansible
.
(Fri, 14 Jun 2019 14:03:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Lee Garrett <debian@rocketjump.eu>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Fri, 14 Jun 2019 14:03:09 GMT) (full text, mbox, link).
Marked as found in versions ansible/2.7.8+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 14 Jun 2019 15:00:03 GMT) (full text, mbox, link).
Marked as found in versions ansible/2.7.7+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 14 Jun 2019 15:00:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#930065
; Package src:ansible
.
(Fri, 14 Jun 2019 19:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Fri, 14 Jun 2019 19:09:02 GMT) (full text, mbox, link).
Message #26 received at 930065@bugs.debian.org (full text, mbox, reply):
Hi Lee,
On Fri, Jun 14, 2019 at 03:52:45PM +0200, Lee Garrett wrote:
> Hi,
>
> the updated pull request now also contains tests, which made it easier
> for me to reproduce the issue. I will prepare an update for sid on
> Sunday/Monday, and evaluate if this also applies for stable. AFAICS this
> has a low impact, as it requires an attacker to provide the template
> files (or a user to write faulty templates and not verify the output),
> which already has grave security implications by itself.
>
> Then again the RH bug tracker hints that it might be used to leak
> passwords [0] (through the authorized_key module?), though the pull
> request does not contain any changes there. Information on this CVE is
> unfortunately rather vague.
Thanks for looking into and your assessment. So in case it affects
stable as well I guess we can safely mark it no-dsa and schedule a fix
via an upcoming point release.
For sid/buster, please keep in mind that the last date for requesting
unblocks is approaching quickly, so if you can fix it for buster that
would be great.
OTOH, I see there is 2.7.7+dfsg-1 and a newer upstream version
2.7.8+dfsg-1 in sid, so a targeted fix via testing-proposed-updates
would be needed for buster.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:17:54 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.