Bug 1802154 (CVE-2020-1737)

Summary: CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not check extracted path
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, amoralej, carnil, dbecker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mburns, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-22 16:31:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1804389, 1804390, 1804391, 1804392, 1805328, 1805329, 1805368, 1805369, 1805370, 1805371, 1805505, 1807877, 1808319, 1814772    
Bug Blocks: 1801714    

Description Borja Tarraso 2020-02-12 13:37:52 UTC 
Extract-Zip function in win_unzip module does not check if the extracted path belongs to the destination folder. This could lead to path traversal on a crafted archive.
Comment 2 Borja Tarraso 2020-02-17 12:56:53 UTC 
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Comment 4 Salvatore Bonaccorso 2020-02-19 07:21:43 UTC 
Borja, any information on related upstream issue on this one? If possible it would be nice to have this together with the respective bugzilla entry to ease other downstream's triage on the issues.
Comment 5 Borja Tarraso 2020-02-20 16:46:45 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805329]
Affects: fedora-all [bug 1805328]
Comment 6 Borja Tarraso 2020-02-20 17:02:08 UTC 
Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap.

In reply to comment #4:
> Borja, any information on related upstream issue on this one? If possible it
> would be nice to have this together with the respective bugzilla entry to
> ease other downstream's triage on the issues.
Comment 9 Yadnyawalk Tale 2020-02-20 22:44:18 UTC 
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.
Comment 12 Borja Tarraso 2020-02-26 11:38:25 UTC 
Mitigation:

Currently, there is no mitigation for this issue except avoid using the affected win_unzip module when possible.
Comment 13 Borja Tarraso 2020-02-27 10:23:01 UTC 
Upstream fix: https://github.com/ansible/ansible/issues/67795
Comment 14 Borja Tarraso 2020-02-27 12:19:31 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807877]
Comment 16 Hardik Vyas 2020-03-18 16:17:15 UTC 
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.
Comment 19 errata-xmlrpc 2020-04-22 14:09:13 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541
Comment 20 errata-xmlrpc 2020-04-22 14:09:36 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542
Comment 21 errata-xmlrpc 2020-04-22 14:09:55 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543
Comment 22 errata-xmlrpc 2020-04-22 14:10:13 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544
Comment 23 Product Security DevOps Team 2020-04-22 16:31:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1737
Comment 24 Yadnyawalk Tale 2020-05-11 09:42:08 UTC 
CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm.
Comment 25 Summer Long 2021-01-14 04:59:29 UTC 
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

In Red Hat OpenStack Platform, because the flaw has a lower impact,  ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.