Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2019-10156

Source

Debian Bug report logs - #930065
ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node

Package: src:ansible; Maintainer for src:ansible is Harlan Lieberman-Berg <hlieberman@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Jun 2019 12:21:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions ansible/2.7.8+dfsg-1, ansible/2.7.7+dfsg-1

Forwarded to https://github.com/ansible/ansible/pull/57188

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#930065; Package src:ansible. (Thu, 06 Jun 2019 12:21:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>. (Thu, 06 Jun 2019 12:21:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: ansible
Severity: important
Tags: security upstream
Forwarded: https://github.com/ansible/ansible/pull/57188

Hi,

The following vulnerability was published for ansible, can you check
for which Debian versions this is relevant and adjust the found
versions?

CVE-2019-10156[0]:
templating causing an unexpected key file to be set on remote node

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10156
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
[1] https://github.com/ansible/ansible/pull/57188

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 10 Jun 2019 19:54:08 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#930065; Package src:ansible. (Fri, 14 Jun 2019 14:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Lee Garrett <debian@rocketjump.eu>:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>. (Fri, 14 Jun 2019 14:03:03 GMT) (full text, mbox, link).

Message #12 received at submit@bugs.debian.org (full text, mbox, reply):

Hi,

the updated pull request now also contains tests, which made it easier
for me to reproduce the issue. I will prepare an update for sid on
Sunday/Monday, and evaluate if this also applies for stable. AFAICS this
has a low impact, as it requires an attacker to provide the template
files (or a user to write faulty templates and not verify the output),
which already has grave security implications by itself.

Then again the RH bug tracker hints that it might be used to leak
passwords [0] (through the authorized_key module?), though the pull
request does not contain any changes there. Information on this CVE is
unfortunately rather vague.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1717311

Regards,
Lee

On 06/06/2019 14:16, Salvatore Bonaccorso wrote:
> Source: ansible
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ansible/ansible/pull/57188
> 
> Hi,
> 
> The following vulnerability was published for ansible, can you check
> for which Debian versions this is relevant and adjust the found
> versions?
> 
> CVE-2019-10156[0]:
> templating causing an unexpected key file to be set on remote node
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10156
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
> [1] https://github.com/ansible/ansible/pull/57188
> 
> Regards,
> Salvatore
>

Information forwarded to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#930065; Package src:ansible. (Fri, 14 Jun 2019 14:03:09 GMT) (full text, mbox, link).

Acknowledgement sent to Lee Garrett <debian@rocketjump.eu>:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>. (Fri, 14 Jun 2019 14:03:09 GMT) (full text, mbox, link).

Marked as found in versions ansible/2.7.8+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Jun 2019 15:00:03 GMT) (full text, mbox, link).

Marked as found in versions ansible/2.7.7+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Jun 2019 15:00:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#930065; Package src:ansible. (Fri, 14 Jun 2019 19:09:02 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>. (Fri, 14 Jun 2019 19:09:02 GMT) (full text, mbox, link).

Message #26 received at 930065@bugs.debian.org (full text, mbox, reply):

Hi Lee,

On Fri, Jun 14, 2019 at 03:52:45PM +0200, Lee Garrett wrote:
> Hi,
> 
> the updated pull request now also contains tests, which made it easier
> for me to reproduce the issue. I will prepare an update for sid on
> Sunday/Monday, and evaluate if this also applies for stable. AFAICS this
> has a low impact, as it requires an attacker to provide the template
> files (or a user to write faulty templates and not verify the output),
> which already has grave security implications by itself.
> 
> Then again the RH bug tracker hints that it might be used to leak
> passwords [0] (through the authorized_key module?), though the pull
> request does not contain any changes there. Information on this CVE is
> unfortunately rather vague.

Thanks for looking into and your assessment. So in case it affects
stable as well I guess we can safely mark it no-dsa and schedule a fix
via an upcoming point release.

For sid/buster, please keep in mind that the last date for requesting
unblocks is approaching quickly, so if you can fix it for buster that
would be great.

OTOH, I see there is 2.7.7+dfsg-1 and a newer upstream version
2.7.8+dfsg-1 in sid, so a targeted fix via testing-proposed-updates
would be needed for buster.

Regards,
Salvatore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:54 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node

Debian Bug report logs - #930065
ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node

Vulmon Search

About

Products

Connect

ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node

Debian Bug report logs - #930065 ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node

Vulmon Search

About

Products

Connect

Debian Bug report logs - #930065
ansible: CVE-2019-10156: templating causing an unexpected key file to be set on a remote node