Bug 1817161 (CVE-2020-10691)

Summary: CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy collection install
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: a.badger, bcoca, cmeyers, dbecker, gblomqui, gmainwar, hvyas, jcammara, jjoyce, jschluet, jtanner, kbasil, kevin, lhh, lpeer, mabashia, maxim, mburns, notting, puebele, rhos-maint, rpetrell, sclewis, sdoran, security-response-team, slinaber, smcdonal, tkuratom, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ansible-engine 2.9.7
Doc Type: ---
Doc Text:
An archive traversal flaw was found in Ansible Engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the destination path is created without sanitizing the archived filename. An attacker could use a crafted collection archive to overwrite any file on the system.
Story Points: ---
Last Closed: 2020-04-22 16:32:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1817162, 1817163, 1817164, 1817165, 1817166, 1817167, 1817979, 1817980, 1818683
Bug Blocks: 1816822

Description Borja Tarraso 2020-03-25 17:39:45 UTC
ansible-galaxy collection install has an archive traversal vulnerability when extracting a collection .tar.gz file: neither install() nor the called _extract_tar_file() does any sanitizing on the filename. This should allow a specially crafted collection .tar.gz file to place a file wherever it wants in the file system.

Comment 3 Borja Tarraso 2020-03-25 17:40:02 UTC
Mitigation:

A possible mitigation of the archive traversal issue is to restrict file access control and directory write access for extracting tarball files. This is feasible only for scenarios where the destination path can be known and enforced beforehand.
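The sanitizing step that the description says install() and _extract_tar_file() lack, and the enforced-destination idea from the mitigation above, as an added example (not Ansible's code nor the upstream fix): every member's path is resolved against the destination before anything is written, link members are refused, and the whole archive is rejected if any member fails. The destination path and archive contents in the helpers are constructed placeholders.

```python
import io
import os
import tarfile

# Added example (not Ansible's own code): refuse tar members whose resolved path
# would land outside the destination directory before anything is written.

def is_within(dest: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, stays inside dest."""
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) == dest_real

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that must not be extracted into dest."""
    bad = []
    for m in tar.getmembers():
        # Absolute names and '..' components are the traversal vector; symlinks
        # and hardlinks are refused too, since they can redirect later members.
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or m.issym() or m.islnk() or not is_within(dest, target):
            bad.append(m.name)
    return bad

def check_archive(archive: bytes, dest: str) -> list:
    """Inspect a .tar.gz given as bytes without extracting; return unsafe names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return unsafe_members(tar, dest)

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract into dest only if every member is safe; return the member names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive, unsafe member(s): {bad}")
        tar.extractall(dest)
        return sorted(m.name for m in tar.getmembers())

def build_archive(entries: dict) -> bytes:
    """Constructed test fixture: an in-memory .tar.gz from {member name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in entries.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Because the check runs over all members before extractall() is called, a rejected archive leaves the destination untouched rather than partially populated.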

Comment 8 Borja Tarraso 2020-03-27 07:34:07 UTC
Acknowledgments:

Name: Felix Fontein

Comment 11 Borja Tarraso 2020-03-27 11:19:52 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1817979]
Affects: fedora-all [bug 1817980]

Comment 13 Summer Long 2020-03-30 05:42:39 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1818683]

Comment 14 Borja Tarraso 2020-04-01 05:25:36 UTC
Upstream fix: https://github.com/ansible/ansible/pull/68596

Comment 16 Hardik Vyas 2020-04-16 05:28:05 UTC
Statement:

Ansible Engine 2.9.6 as well as previous 2.9.x versions are affected. Ansible versions less than or equal to 2.8 are not affected by this vulnerability as this functionality was introduced in 2.9.

Ansible Tower 3.6.3 as well as previous 3.6.x versions are affected as they use ansible-galaxy collections.

Comment 17 errata-xmlrpc 2020-04-22 14:09:30 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 18 errata-xmlrpc 2020-04-22 14:09:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 19 Product Security DevOps Team 2020-04-22 16:32:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10691