Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201406261818.s5QII2KW003843@linus.mitre.org>
Date: Thu, 26 Jun 2014 14:18:02 -0400 (EDT)
From: cve-assign@...re.org
To: misc@...b.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Ansible CVE requests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://lwn.net/Articles/603205/

> https://bugs.mageia.org/show_bug.cgi?id=13278#c2

> just in case, seems that it is this patch for "Security fix for safe_eval" :
> https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c

> and for Security fix for vault :
> https://github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69

> and for apt :
> https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08

(Note that 603205 isn't a complete list of the upstream Ansible
vulnerabilities because Mageia is shipping a 1.4.x version and
therefore wasn't interested in
a0e027fe362fbc209dbeff2f72d6e95f39885c69.)

We think 998793fd0ab55705d57527a38cee5e83f535974c is about fixing one
type of issue, but feel free to identify any additional types of
issues that are also fixed. Use CVE-2014-4657 for the general topic of
"the product intentionally allows code execution of code with limited
capabilities, but the code restrictions are insufficient."
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
suggests that this was fixed in 1.5.4.


a0e027fe362fbc209dbeff2f72d6e95f39885c69 seems to be a
straightforward case of "the product creates files that normally
contain secret values, but does not ensure appropriate permissions."
Use CVE-2014-4658.
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
suggests that this was fixed in 1.5.5.


c4b5e46054c74176b2446c82d4df1a2610eddc08 is about multiple types of
issues.
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
suggests that these were fixed in 1.5.5. One issue is doing an
unconditional "chmod 0644" on a file that may have required stronger
permissions for a site-specific reason. Use CVE-2014-4659.


Also, the changes related to _strip_username_password apparently mean
that the product might encounter an /etc/apt/sources.list line
starting with:

  deb http://user:pass@...ver:port/

and would then construct a filename containing the user and pass
fields, leaking credentials in a way that potentially crosses
privilege boundaries. Use CVE-2014-4660.


Does anyone want a CVE ID for this third potential
c4b5e46054c74176b2446c82d4df1a2610eddc08 issue?

The changes related to check_mode apparently mean that
http://docs.ansible.com/developing_modules.html#check-mode wasn't
properly implemented, and an administrator might unintentionally
perform dangerous actions. CVE assignments for this type of problem
seem uncommon, although that might be because the class of issues is
underreported. (The bug here seems to be a case of "doesn't even
notice whether check_mode is active" rather than "notices that
check_mode is active but proceeds unsafely." See also the
http://blog.afistfulofservers.net/post/2012/12/21/promises-lies-and-dryrun-mode/
blog post.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTrGNaAAoJEKllVAevmvmsVEoIAIXaQOpESycBDcQCewvsFxEr
/YTSassxW+SyyWtlL7TqVTBC6K+1B6ry+dQRA/pRbbECV1iUUOLwrsuD23kLTZG4
idP6YM3AXJw8Qm69nAmiMsGBYubl/97V92DY5AwQMnXXASDEfrT2A+Ei6w8zrCCC
VdJ50jus0Ttq0mch9QasGhzPm7w4Np4m2WF9Wpau1N0ZZTWvgf9srNmjHVQW1SS3
5Ait3ALjn15AfLPmZZ9Z059xqjnaVZwBcOHrDpApmctngF3Axej5JXIGNQEfkGtU
Z0Z8sTKbPEJ4GUo0KykJTuJcGMBpgZ+ad2gv5+vCy8ufdpHoLHyKf1aEo39gekc=
=evpQ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.