Bug 1322925 (CVE-2016-3096)
| Field | Value |
|---|---|
| Summary | CVE-2016-3096 ansible: Code execution vulnerability in lxc_container |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Reporter | Adam Mariš <amaris> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | a.badger, carnil, egolov, karlthered, kevin, sagarun, thomas.moschny |
| Keywords | Security |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2017-05-12 07:05:34 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1322926, 1322927 |
Description

Adam Mariš
2016-03-31 17:00:20 UTC

Acknowledgments:

Name: Evgeni Golov (Red Hat)

---

Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1322926]
Affects: epel-all [bug 1322927]

---

Wrong component? The problem seems to affect

/usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py

which is part of the ansible package.

Could you please check and re-assign.

---

(In reply to Thomas Moschny from comment #4)
> Wrong component? The problem seems to affect
>
> /usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py
>
> which is part of the ansible package.
>
> Could you please check and re-assign.

You're right, my bad. Thanks for notifying, moving to ansible.

---

Partial fix: https://github.com/ansible/ansible-modules-extras/commit/da84e2e9b83be6ebebbfd3be6776f391622c02fe

---

More fixes: https://github.com/ansible/ansible-modules-extras/pull/1941

---

So, currently epel6/7 and fedora 22/23 stable updates have ansible 1.9.4 and ansible1.9-1.9.4. In updates-testing we have 2.0.1.0 for ansible. We don't want to push 2.0.x stable yet, we are waiting for 2.1 upstream to fix some issues many people will hit.

1.9.4 is vulnerable to this issue, but it requires a local user with write to /opt to exploit it, and that's root only on fedora/epel by default. So, while we are vulnerable it's pretty difficult to exploit.

2.0.x is also vulnerable and more so, since permissions were not set up correctly there.

Currently I think we will look at fixing this in a local 2.0.x patch and pushing that to testing in all the stable branches, or in a 2.0.2 if the fix turns out difficult, and waiting for 2.1 (due this month) to hopefully push to stable with the fix everywhere.

---

Evgeni's fixes merged upstream. Will be in upstream releases 1.9.6, 2.0.2, and 2.1.0.

---

@Adam -- there's also an ansible1.9 package in fedora and epel for now (to ease transition to ansible-2.0). I'm guessing you want to open bugs against that in fedora and epel as well.

---

FWIW, if you are already shipping updates to lxc_container.py, you might consider also including https://github.com/ansible/ansible-modules-extras/commit/6bfd2846f853b9beaeb01da6206d8ffa4abe7a4c

---

ansible1.9-1.9.6-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible1.9-1.9.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible-2.0.2.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible-2.0.2.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible-2.0.2.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible-2.0.2.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible-2.0.2.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible1.9-1.9.6-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

---

ansible1.9-1.9.6-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.