Bug 25285 - ansible new security issue CVE-2019-10156
Summary: ansible new security issue CVE-2019-10156
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2019-08-12 01:26 CEST by David Walser
Modified: 2019-08-22 20:27 CEST (History)
CC List: 2 users

See Also:
Source RPM: ansible-2.7.10-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 2.6.18, 2.7.12 and 2.8.2


Description David Walser 2019-08-12 01:26:47 CEST
Ubuntu has issued an advisory on July 24:
https://usn.ubuntu.com/4072-1/

The issue is fixed upstream in 2.6.18, 2.7.12 and 2.8.2.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 01:27:03 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO
Status comment: (none) => Fixed upstream in 2.6.18, 2.7.12 and 2.8.2

Comment 1 Bruno Cornec 2019-08-12 02:04:52 CEST
2.8.2 pushed to cauldron.

CC: (none) => bruno
Status: NEW => ASSIGNED

David Walser 2019-08-12 02:07:27 CEST

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 2 Bruno Cornec 2019-08-12 02:17:40 CEST
2.7.12 pushed to update_testing of mga7

mga6 has 2.4 so I suggest we update to 2.7.12 as well (I was using 2.7.10 myself before that update without issue on mga6).
Comment 3 David Walser 2019-08-12 02:25:13 CEST
Sounds good.  We've updated in the past without issues.
Comment 4 Bruno Cornec 2019-08-13 01:22:37 CEST
2.7.12 pushed to update_testing of mga6 as well. Moved to QA.

Whiteboard: MGA6TOO => (none)
Assignee: bruno.cornec => qa-bugs

David Walser 2019-08-13 02:18:00 CEST

Whiteboard: (none) => MGA6TOO

Comment 5 David Walser 2019-08-13 02:25:35 CEST
Advisory:
========================

Updated ansible package fixes security vulnerability:

A flaw was discovered in the way Ansible templating was implemented before
version 2.7.12, causing the possibility of information disclosure through
unexpected variable substitution. By taking advantage of unintended variable
substitution the content of any variable may be disclosed (CVE-2019-10156).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst
https://usn.ubuntu.com/4072-1/
========================

Updated packages in core/updates_testing:
========================
ansible-2.7.12-1.mga6
ansible-2.7.12-1.mga7

from SRPMS:
ansible-2.7.12-1.mga6.src.rpm
ansible-2.7.12-1.mga7.src.rpm
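A stand-alone illustration, added here and not Ansible's own code nor the patch shipped in 2.7.12, of the flaw class the advisory text describes: a value that itself contains a template expression is rendered a second time, so whoever controls that value can read any variable the renderer holds. Ansible renders with Jinja2 and marks externally sourced data "unsafe" to stop it being re-templated; this page does not say which code path the upstream fix touched, so the block re-implements the idea with a minimal `{{ name }}` substituter that runs without Ansible installed. The variable names (`db_password`, `motd`) and their values are constructed for the example.

```python
import re

# Added illustration, not Ansible code: a minimal {{ name }} substitution engine
# showing how re-rendering a value that itself holds a template expression
# discloses an unrelated variable, and how marking such values "unsafe" stops it.

_EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class Unsafe(str):
    """Marker: this string came from outside (inventory data, a lookup result,
    remote command output) and must be inserted literally, never re-templated."""


def render_naive(template: str, variables: dict, max_passes: int = 10) -> str:
    """Vulnerable pattern: keep rendering until no {{ }} is left. A value that
    contains {{ other }} is evaluated on the next pass, so whoever controls that
    value can read any variable the renderer knows about."""
    out = template
    for _ in range(max_passes):
        new = _EXPR.sub(lambda m: str(variables.get(m.group(1), m.group(0))), out)
        if new == out:
            break
        out = new
    return out


def render(template: str, variables: dict, max_passes: int = 10) -> str:
    """Hardened variant: Unsafe values are swapped for an opaque placeholder
    during the passes and spliced back in only at the end, so their contents
    are never scanned for template expressions."""
    deferred = {}

    def substitute(m):
        name = m.group(1)
        if name not in variables:
            return m.group(0)            # unknown name: leave the text alone
        value = variables[name]
        if isinstance(value, Unsafe):
            token = "\x00UNSAFE%d\x00" % len(deferred)
            deferred[token] = str(value)
            return token
        return str(value)

    out = template
    for _ in range(max_passes):
        new = _EXPR.sub(substitute, out)
        if new == out:
            break
        out = new
    for token, literal in deferred.items():
        out = out.replace(token, literal)
    return out


# Constructed sample data (hypothetical names): "db_password" stands in for any
# secret the controller holds, "motd" for a value an untrusted party can set.
SECRET = "s3cr3t-example"
HOSTILE_VALUE = "{{ db_password }}"


def demo() -> dict:
    """Return what each renderer produces for the same template and data."""
    template = "Message: {{ motd }}"
    leaky_vars = {"db_password": SECRET, "motd": HOSTILE_VALUE}
    safe_vars = {"db_password": SECRET, "motd": Unsafe(HOSTILE_VALUE)}
    return {
        "naive": render_naive(template, leaky_vars),   # secret is disclosed
        "hardened": render(template, safe_vars),       # literal text preserved
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-9s -> %s" % (name, result))
```

The naive renderer turns `Message: {{ motd }}` into `Message: s3cr3t-example` because the hostile `motd` value is evaluated on the second pass; the hardened one leaves `Message: {{ db_password }}` as literal text while still expanding `{{ db_password }}` when it appears in the playbook author's own template. The general rule the example demonstrates: data from the managed side or from lookups is output, not template source, and must be tagged so the renderer never treats it as the latter.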
Comment 6 Len Lawrence 2019-08-16 18:52:31 CEST
mga6, x86_64

Update failed because of missing package.

# urpmi ansible
A requested package cannot be installed:
ansible-2.7.12-1.mga6.noarch (due to unsatisfied python3-jmespath)

# urpmi python3-jmespath
No package named python3-jmespath

CC: (none) => tarazed25

Comment 7 Len Lawrence 2019-08-16 20:26:12 CEST
mga7, x86_64

The update installed cleanly.
~/tmp/hosts contains:
192.168.1.aaa
192.168.1.bbb

where aaa is a remote PC and bbb is the current machine.

$ ansible -i ~/tmp/hosts all -m ping
192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.62: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
192.168.1.aaa | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Yet on bbb:
$ ssh lcl@canopus
Password: 
Last login: Fri Aug 16 19:19:24 2019 from 192.168.1.aaa

$ ansible all -a "/bin/echo hello"
 [WARNING]: provided hosts list is empty, only localhost is available. Note
that the implicit localhost does not match 'all'

I am assuming that this is a PEBCAK problem.  No idea how to proceed.
These tests used to succeed.
Comment 8 Len Lawrence 2019-08-16 20:55:44 CEST
Of course, /etc/ansible/hosts needs to be set up first.

$ ansible all -a "/bin/echo hello"
192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
192.168.1.aaa | CHANGED | rc=0 >>
hello

$ ansible all -u lcl -a "/home/lcl/bin/calco"
192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
192.168.1.aaa | FAILED | rc=-6 >>
/usr/share/ruby/tk.rb:31:in `initialize': tcltklib: fail to Tk_Init(). no display name and no $DISPLAY environment variable (RuntimeError)
	from /usr/share/ruby/tk.rb:31:in `initialize'
	from /usr/share/ruby/tk.rb:1245:in `new'
	from /usr/share/ruby/tk.rb:1245:in `block in <module:TkCore>'
Tcl_AsyncDelete: async handler deleted by the wrong thread
non-zero return code

I thought the '-u lcl' would have taken care of setting up the shell environment, but apparently not.

Something more straightforward works:
$ ansible all -u lcl -a "/home/lcl/bin/dayofweek 2019-08-16"
192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
192.168.1.aaa | CHANGED | rc=0 >>
2019-08-16 is a Friday

At this simple level I would say this works.  Any problems seem to be associated with the way access keys have been defined by the user.  known_hosts always needs fixing after every new installation.
Len Lawrence 2019-08-17 03:52:44 CEST

Keywords: (none) => feedback

Comment 9 David Walser 2019-08-17 03:55:17 CEST
Bruno, please fix Comment 6.
Len Lawrence 2019-08-22 20:27:21 CEST

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
