Bug 23321 - ansible new security issues CVE-2018-1087[45]
Summary: ansible new security issues CVE-2018-1087[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-17 16:06 CEST by David Walser
Modified: 2018-11-11 22:10 CET (History)
5 users (show)

See Also:
Source RPM: ansible-2.5.5-1.mga7.src.rpm
CVE:
Status comment:


Attachments

David Walser 2018-07-17 16:06:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-10-10 18:51:38 CEST
ansible 2.7.0 pushed to cauldron

Status: NEW => ASSIGNED

David Walser 2018-10-10 20:50:38 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Bruno Cornec 2018-10-11 00:21:53 CEST
ansible 2.4.6.0 pushed to mga6 testing
Bruno Cornec 2018-10-11 00:22:31 CEST

Assignee: bruno => qa-bugs

Comment 3 David Walser 2018-10-11 00:40:33 CEST
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

It was found that inventory variables are loaded from current working directory
when running ad-hoc command which are under attacker's control, allowing to run
arbitrary code as a result (CVE-2018-10874).

It was found that ansible.cfg is being read from the current working directory,
which can be made to point to plugin or module paths that are under control of
the attacker. This could allow an attacker to execute arbitrary code
(CVE-2018-10875).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10875
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.6.0-1.1.mga6

from ansible-2.4.6.0-1.1.mga6.src.rpm
Comment 4 Herman Viaene 2018-10-30 16:06:47 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19740 Comment 8 and 10
Lots of problems with trying to get the key over to the remote PC.
After a lot of googling found.
$ ssh-keygen -t rsa -b 4096
generated a good key, but then I needed
$ ssh-add
and 
$ ssh-add -l
to add the key to the(?) agent, then
ssh-copy-id aaa@bbb
copied the public key over, so
$ ssh 'aaa@bbbb'
brought me correctly to the remote PC.
But
$ ansible -v -i /tmp/hosts all -m ping
Using /etc/ansible/ansible.cfg as config file
mach1 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password,keyboard-interactive).\r\n", 
    "unreachable": true

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-11-05 20:08:46 CET
Thanks Herman!  I had lots of problems also, even though this bug is not new to me.  I was trying to kill this agent guy when I noticed your "ssh-add" commands.  Now the ping test works.

Remote logins were working perfectly before with known_hosts - now they work with  authorized_keys.

Ran the update and performed the ping tests and remote logins.

Good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 6 Len Lawrence 2018-11-06 09:43:43 CET
Rider to comment #5:

A quick look at the RedHat documentation at https://docs.ansible.com/ansible/latest/index.html shows that this could be a useful tool for local networks.
The earlier test seemed a bit meagre so:

Added two ungrouped local addresses to /etc/ansible/hosts and ran simple commands from one host to run remotely on other nodes.

$ ansible all -a "/bin/echo hello"
192.168.1.aaa | SUCCESS | rc=0 >>
hello

192.168.1.bb | SUCCESS | rc=0 >>
hello

$ ansible all -a "/home/lcl/bin/calco"
192.168.1.bb | SUCCESS | rc=0 >>


192.168.1.aaa | SUCCESS | rc=0 >>

The latter raised an interactive gui on localhost for both remote nodes, a shortcut for logging in remotely to each node, doing work and exiting.
Comment 7 Thomas Andrews 2018-11-09 22:06:28 CET
Herman, does Comment 4 mean that there is a problem with 32-bits, or is it just that your procedure was flawed?

CC: (none) => andrewsfarm

Comment 8 Herman Viaene 2018-11-10 09:07:54 CET
@Thomas
The procedure was surely flawed, and for the moment I cann't do any further testing since I don't have access to my testing laptopfor the next days(4 I hope).
Comment 9 Thomas Andrews 2018-11-10 14:42:22 CET
Thank you, Herman.

OK then, I believe Len's 64-bit tests are sufficient. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Lewis Smith 2018-11-11 20:50:21 CET
Advisory done from comment 3.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 11 Mageia Robot 2018-11-11 22:10:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0439.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.