Bug 1835566 (CVE-2020-10744) - CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733
Summary: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-10744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1806420 1835568 1835569 1835570 1835571 1835572 1835573 1835694 1835854 1835855 1835856 1840919 1840920
Blocks: 1835448
 
Reported: 2020-05-14 05:13 UTC by Borja Tarraso
Modified: 2024-02-14 15:17 UTC

Fixed In Version: ansible-engine 2.7.19, ansible-engine 2.8.13, ansible-engine 2.9.10
Doc Type: If docs needed, set a value
Doc Text:
The fix for the flaw CVE-2020-1733 (Ansible: insecure temporary directory when running become_user from the become directive) was found to be incomplete. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems.
Clone Of:
Environment:
Last Closed: 2021-10-12 23:31:01 UTC
Embargoed:



Description Borja Tarraso 2020-05-14 05:13:14 UTC
This flaw refers to the incomplete fix for CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. This vulnerability does not seem to be fully mitigated, as the race condition from the original flaw could still happen on systems using ACLs and FUSE filesystems. The 'mkdir -p' is insecure by design.
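
The `mkdir -p` remark above, as an added shell illustration that is not part of the bug report or of Ansible's code: `mkdir -p` reports success when the target already exists, so the caller cannot tell whether it created the directory, while plain `mkdir` refuses and `mktemp -d` picks a fresh name. Function names and paths are constructed for the example.

```shell
#!/bin/sh
# Added illustration. Names and paths are constructed, not Ansible's own.

# The pattern the report calls out: exits 0 even when the directory already
# exists, so the caller cannot tell whether it created (and owns) it.
make_tmp_insecure() {
    ( umask 077 && mkdir -p "$1" )
}

# Checked form: plain mkdir fails if the path already exists in any form
# (directory, file or symlink), so success means this call created it.
make_tmp_checked() {
    [ -d "$(dirname "$1")" ] || return 2
    ( umask 077 && mkdir "$1" ) 2>/dev/null || return 1
}

# Alternative: mktemp -d picks an unpredictable name and creates it mode 0700.
make_tmp_random() {
    mktemp -d "$1/job-tmp.XXXXXXXXXX"
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Runs all three against a predictable path that already exists.
# Prints: <insecure rc> <checked rc> <mode of existing dir> <random rc> <mode of new dir>
demo() {
    base=$(mktemp -d) || return 1
    target="$base/predictable-tmp"
    # Constructed stand-in for a directory someone else created first.
    mkdir "$target" && chmod 0777 "$target"

    r1=0; make_tmp_insecure "$target" || r1=$?
    r2=0; make_tmp_checked "$target" || r2=$?
    existing_mode=$(dir_mode "$target")
    r3=0; fresh=$(make_tmp_random "$base") || r3=$?
    fresh_mode=$(dir_mode "$fresh")

    rm -rf "$base"
    echo "$r1 $r2 $existing_mode $r3 $fresh_mode"
}

demo   # prints: 0 1 777 0 700
```

This covers only the pre-existing-directory case; the ACL and FUSE filesystem behaviour mentioned in the report is not modelled here.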

Comment 1 Borja Tarraso 2020-05-14 05:13:18 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 3 Borja Tarraso 2020-05-14 05:13:23 UTC
Mitigation:

Currently, there is no mitigation for this issue.

Comment 8 Borja Tarraso 2020-05-14 15:47:49 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1835854]
Affects: fedora-all [bug 1835855]
Affects: openstack-rdo [bug 1835856]

Comment 9 Salvatore Bonaccorso 2020-05-15 11:13:16 UTC
Borja, has this incomplete fix already been reported upstream?

Comment 10 Borja Tarraso 2020-05-15 12:00:44 UTC
In reply to comment #9:
> Borja, has this incomplete fix already been reported upstream?

Hi Salvatore, it was found internally that it was an insufficient fix. I expect someone to open an issue in GitHub for upstream soon.

Comment 13 msiddiqu 2020-08-03 05:01:22 UTC
References:
 
https://github.com/ansible/ansible/issues/69782

Comment 14 Salvatore Bonaccorso 2020-12-20 16:33:53 UTC
Hi

(In reply to msiddiqu from comment #13)
> References:
>  
> https://github.com/ansible/ansible/issues/69782

Can you share information on what the upstream fix was to complete the fix? Can you share what is the commit in 2.9.10 which addresses the incomplete fix?

Regards,
Salvatore

Comment 15 Borja Tarraso 2020-12-22 11:20:00 UTC
Hi Salvatore,

For solving the incomplete fix upstream we have this commit: 77d0effcc5b2da1ef23e4ba32986a9759c27c10d

Regards,

Borja Tarraso
Red Hat Product Security

Comment 16 Summer Long 2021-01-14 05:05:21 UTC
Statement:

Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. However, we still ship Ansible separately for Ceph Ubuntu.

In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.

Comment 26 Matt Davis 2021-10-12 23:31:01 UTC
Closing as WONTFIX for older versions per Matt Martz.

