Bug 26125 - ansible new security issues CVE-2019-14904 and CVE-2019-14905
Summary: ansible new security issues CVE-2019-14904 and CVE-2019-14905
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-01-23 23:02 CET by David Walser
Modified: 2020-01-28 08:54 CET (History)
4 users (show)

See Also:
Source RPM: ansible-2.7.15-1.mga7.src.rpm
Status comment:


Description David Walser 2020-01-23 23:02:30 CET
RedHat has issued an advisory today (January 23):

The issues are fixed upstream in 2.7.16:
Comment 1 Bruno Cornec 2020-01-24 00:59:31 CET
ansible 2.7.16 is now in mga7 updates_testing.

Assignee: bruno => qa-bugs

Comment 2 David Walser 2020-01-24 01:50:08 CET

Updated ansible package fixes security vulnerabilities:

A flaw was found in the solaris_zone module from the Ansible Community modules.
When setting the name for the zone on the Solaris host, the zone name is
checked by listing the process with the 'ps' bare command on the remote
machine. An attacker could take advantage of this flaw by crafting the name of
the zone and executing arbitrary commands in the remote host (CVE-2019-14904).

A vulnerability in Ansible's nxos_file_copy module can be used to copy files to
a flash or bootflash on NXOS devices. Malicious code could craft the filename
parameter to perform OS command injections. This could result in a loss of
confidentiality of the system among other issues (CVE-2019-14905).


Updated packages in core/updates_testing:

from ansible-2.7.16-1.mga7.src.rpm

CC: (none) => bruno

Comment 3 Len Lawrence 2020-01-25 00:16:46 CET
Mageia7 x86_64

Updated ansible and installed sshpass.

Set up a temporary hosts file containing three LAN addresses including localhost.  The following test fails for the local machine if its IP address is used.
$ ansible -k -i /tmp/hosts all -m ping
SSH password: 
192.168.1.aaa | SUCCESS => {
    "changed": false,
    "ping": "pong"
192.168.1.bbb | SUCCESS => {
    "changed": false,
    "ping": "pong"
} | SUCCESS => {
    "changed": false,
    "ping": "pong"

$ ansible -k -i /tmp/hosts all -a "/home/lcl/bin/chex"
SSH password: 
192.168.1.bbb | CHANGED | rc=0 >>

192.168.1.aaa | CHANGED | rc=0 >> | CHANGED | rc=0 >>

That showed a widget centre screen on all three machines.  The CHANGED message comes up as each widget is closed.

However, the following command does not work very well, because it seems to want to act as a reverse terminal.  It shows the Mate terminal with the inxi output for one of the remote hosts on the local monitor and then crashes.  This has something to do with ssh and known_hosts AFAICS so does not reflect on ansible.
$ ansible -k -i ~/tmp/hosts all -a "mate-terminal -e 'inxi -b'"
SSH password: 
192.168.1.aaa | FAILED | rc=255 >>
non-zero return code

As far as these tests go ansible seems to be working as designed.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2020-01-27 18:32:24 CET
Taking your word for it, Len. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Lewis Smith 2020-01-27 20:28:38 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-01-28 08:54:39 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.