Bug 18275

Summary:	ansible new security issue CVE-2016-3096
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	herman.viaene, makowski.mageia, marja11, sysadmin-bugs
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/685137/
Whiteboard:	has_procedure advisory MGA5-32-OK
Source RPM:	ansible-1.9.2-1.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2016-04-27 18:00:06 CEST

Fedora has issued an advisory on April 25:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html

The issue is fixed upstream in 1.9.6.  It is also fixed in 2.0.2 (already in Cauldron).

Comment 1 Philippe Makowski 2016-04-30 18:54:29 CEST

Fedora has issued an advisory on April 25:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html

Test procedure : https://bugs.mageia.org/show_bug.cgi?id=16309#c9


Updated packages uploaded for Mageia 5

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

A vulnerability in lxc_container, ansible module, was found allowing to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root (CVE-2016-3096) 


References:
- https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html
- http://lwn.net/Vulnerabilities/685137/
- https://github.com/ansible/ansible/blob/stable-1.9/CHANGELOG.md


Updated packages in core/updates_testing:
========================
ansible-1.9.6-1.mga5.noarch.rpm

from ansible-1.9.6-1.mga5.src.rpm

CC: (none) => makowski.mageia
Assignee: bruno => bugsquad
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-04-30 19:06:02 CEST

Thanks!

A few minor advisory fixes.

Advisory:
========================

Updated ansible package fixes security vulnerability:

A vulnerability in lxc_container, ansible module, was found allowing to get
root inside the container. The problem is in the create_script function, which
tries to write to /opt/.lxc-attach-script inside of the container. If the
attacker can write to /opt/.lxc-attach-script before that, he can overwrite
arbitrary files or execute commands as root (CVE-2016-3096).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3096
https://github.com/ansible/ansible/blob/stable-1.9/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html

Comment 3 Marja Van Waes 2016-05-01 09:40:03 CEST

There doesn't seem to be a real reason why this bug wasn't assigned to QA.... the updated package is waiting in updates_testing since last (CEST) evening
ftp://mageia.webconquest.com/distrib/5/i586/media/core/updates_testing/ansible-1.9.6-1.mga5.noarch.rpm and this bug contains an Advisory.

Assigning to QA

CC: (none) => marja11
Assignee: bugsquad => qa-bugs

Comment 4 Herman Viaene 2016-05-04 15:50:21 CEST

MGA-32 on AcerD620 Xfce
No installation issues.
Followed procedure as indicated in Comment 1 and got at the CLI:
$ ansible -i tmp/hosts all -m ping
xxx.xxx.xxx.xxx | success >> {
    "changed": false,
    "ping": "pong"
}

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 5 claire robinson 2016-05-05 17:31:55 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2016-05-05 18:05:27 CEST

Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK

Comment 7 Mageia Robot 2016-05-05 18:27:22 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED