Debian Bug report logs -
#819676
ansible: CVE-2016-3096: Code execution vulnerability in ansible lxc_container
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 31 Mar 2016 18:24:01 UTC
Severity: grave
Tags: security, upstream
Found in version ansible/2.0.1.0-1
Fixed in version ansible/2.0.1.0-2
Done: Harlan Lieberman-Berg <hlieberman@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Janos Guljas <janos@debian.org>:
Bug#819676; Package src:ansible.
(Thu, 31 Mar 2016 18:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Janos Guljas <janos@debian.org>.
(Thu, 31 Mar 2016 18:24:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ansible
Version: 2.0.1.0-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for ansible.
CVE-2016-3096[0]:
Code execution vulnerability in ansible lxc_container
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3096
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3096
I think there is no fix upstream at the point of writing.
Regards,
Salvatore
Severity set to 'important' from 'grave'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 31 Mar 2016 18:42:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Janos Guljas <janos@debian.org>:
Bug#819676; Package src:ansible.
(Fri, 01 Apr 2016 13:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Janos Guljas <janos@debian.org>.
(Fri, 01 Apr 2016 13:18:03 GMT) (full text, mbox, link).
Message #12 received at 819676@bugs.debian.org (full text, mbox, reply):
Control: severity -1 grave
Hi
Sorry for the back and forth in severity. Actually I noticed that
https://sources.debian.net/src/ansible/2.0.1.0-1/lib/ansible/modules/extras/cloud/lxc/lxc_container.py/#L532
makes the file then world-writable (see following commit which
addresses that). If a local user can write to it before the script is
executed we have the arbitrary code execution as root.
There are now a partial fix
https://github.com/ansible/ansible-modules-extras/commit/da84e2e9b83be6ebebbfd3be6776f391622c02fe
and more in pull request at
https://github.com/ansible/ansible-modules-extras/pull/1941
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 819676-submit@bugs.debian.org.
(Fri, 01 Apr 2016 13:18:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Janos Guljas <janos@debian.org>:
Bug#819676; Package src:ansible.
(Tue, 05 Apr 2016 07:45:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Evgeni Golov <evgeni@redhat.com>:
Extra info received and forwarded to list. Copy sent to Janos Guljas <janos@debian.org>.
(Tue, 05 Apr 2016 07:45:08 GMT) (full text, mbox, link).
Message #19 received at 819676@bugs.debian.org (full text, mbox, reply):
Ohai,
On Fri, Apr 01, 2016 at 03:15:48PM +0200, Salvatore Bonaccorso wrote:
> There are now a partial fix
>
> https://github.com/ansible/ansible-modules-extras/commit/da84e2e9b83be6ebebbfd3be6776f391622c02fe
>
> and more in pull request at
>
> https://github.com/ansible/ansible-modules-extras/pull/1941
Both have been pushed to all relevant stable branches of Ansible now.
FWIW, if you are already shipping updates to lxc_container.py, you
might consider also including
https://github.com/ansible/ansible-modules-extras/commit/6bfd2846f853b9beaeb01da6206d8ffa4abe7a4c
Greets
Evgeni
Reply sent
to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility.
(Sun, 10 Apr 2016 22:51:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 10 Apr 2016 22:51:05 GMT) (full text, mbox, link).
Message #24 received at 819676-close@bugs.debian.org (full text, mbox, reply):
Source: ansible
Source-Version: 2.0.1.0-2
We believe that the bug you reported is fixed in the latest version of
ansible, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 819676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated ansible package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Apr 2016 18:37:37 -0400
Source: ansible
Binary: ansible ansible-fireball ansible-node-fireball
Architecture: source
Version: 2.0.1.0-2
Distribution: unstable
Urgency: medium
Maintainer: Janos Guljas <janos@debian.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Closes: 819676
Description:
ansible - Configuration management, deployment, and task execution system
ansible-fireball - Ansible fireball transport support
ansible-node-fireball - Ansible fireball transport support for nodes
Changes:
ansible (2.0.1.0-2) unstable; urgency=medium
.
* Backport patches to fix vulns in lxc plugin (Closes: #819676)
* Update my email address
Checksums-Sha1:
2bd5b01ec82c536da66e12a32693ec2a1a377180 2268 ansible_2.0.1.0-2.dsc
fe2470575c28b77c38df039774cdfcf2bf6d0401 15524 ansible_2.0.1.0-2.debian.tar.xz
Checksums-Sha256:
cce178c08ff8b7fdb6be4d7751402f9394faa84b8148af160d8fc46dbdbeaae9 2268 ansible_2.0.1.0-2.dsc
970c73c7f467b11214b14c918bf5841062c7740b0aa29083c249a0ea5105d4e1 15524 ansible_2.0.1.0-2.debian.tar.xz
Files:
96c5fca306d609673dbaebbdf658fcfe 2268 admin optional ansible_2.0.1.0-2.dsc
f231feff628841869d8d79105a695418 15524 admin optional ansible_2.0.1.0-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJXCtcIXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwQjhGRTA3NDJENTI3OURDNjU1MEUyODk4
NTQwOUVFNEI5OUY4OTYxAAoJEIVAnuS5n4lhhYsP/iR+kiUfbaTRnUhKyX3JJNjv
4hfrB6HCCKPh6x5cm92o1yZIcZ4aPf8CSHRrTOEnUqDRi+ysLhsN0qqlHHNVuhq/
0Ipo4ZnNd3tBkXvPxmrYB4jUIAL7KXgYrqbBpIr+82evV54Bye/iHBe5Rzw5Un1B
w35Ggu8joTaiRfpQu89HIVF6Ls3586JBiI39nSdJeu4yuhcB2yZhlltiQ3CkVKx6
ifAoqDZjglhUIlo5W5GLLwJuT1Bf9ZmZ8T1+UAJ4CR47Fo48bzabeHOSveDAwAT0
On5gntlnWitjsxXPSYsB+9wW1l/dB0AkjIRVd13b5+jZzJ4e4lQY3leogVgAYkNi
tyl7rYt8mf3bLQDsKfsmbor3W5emh+F3/cdfv8DzfjMqSBUnnu3eu2aEnYMYWGJj
aZbMBCsXIJ+PhahjXtH7wkqTK90gMRoP2E7vfWk548ahSdfdrtYYiny3qDA4ZACl
IOxdPCGXKWIU12GCtJxAJBhqQaryQ3/GsNsoJ5YEvY/IzOVuaNoX2io8yvhIAfxU
cHnvHUNPvTs32dNhE29rzZ1uDxU0KlE97rDLWv0xcirCiaBgREnl2IWNczFIc8ZI
3MJCClSvZ2ORLXbl6jBDFsrroouLkBog2aN8+CFGl0try9kNI/nCGwd4xAeWEbSY
vK5g2bXltsw9b+WHnyTy
=z0Lj
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Janos Guljas <janos@debian.org>:
Bug#819676; Package src:ansible.
(Sun, 10 Apr 2016 22:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Harlan Lieberman-Berg <hlieberman@debian.org>:
Extra info received and forwarded to list. Copy sent to Janos Guljas <janos@debian.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(Sun, 10 Apr 2016 22:57:04 GMT) (full text, mbox, link).
Message #29 received at 819676@bugs.debian.org (full text, mbox, reply):
Uploaded -2 to unstable with both the patches applied.
Thanks for the report, Salvatore, and awesome catch, Evgeni!
Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2016 07:29:57 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:28:57 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon