Bug 1835566 (CVE-2020-10744)
| Summary: | CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733 | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | a.badger, amctagga, anharris, bcoca, bniver, carnil, cmeyers, flucifre, gblomqui, gmeno, hvyas, jcammara, jjoyce, jschluet, kevin, lhh, lpeer, mabashia, mattdavi, maxim, mbenjamin, mburns, mcepl, mhackett, notting, sclewis, sdoran, security-response-team, slinaber, smcdonal, tkuratom, tvignaud, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ansible-engine 2.7.19, ansible-engine 2.8.13, ansible-engine 2.9.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An incomplete fix was found for the fix of the flaw CVE-2020-1733, Ansible: insecure temporary directory when running become_user from the become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-12 23:31:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1806420, 1835568, 1835569, 1835570, 1835571, 1835572, 1835573, 1835694, 1835854, 1835855, 1835856, 1840919, 1840920 | ||
| Bug Blocks: | 1835448 | ||
|
Description
Borja Tarraso
2020-05-14 05:13:14 UTC
Acknowledgments: Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab) Mitigation: Currently, there is no mitigation for this issue. Created ansible tracking bugs for this issue: Affects: epel-all [bug 1835854] Affects: fedora-all [bug 1835855] Affects: openstack-rdo [bug 1835856] Borja, has tis incomplete fix already been reported upstream? In reply to comment #9: > Borja, has tis incomplete fix already been reported upstream? Hi Salvatore, it was found internally that it was insufficient fix. I expect someone to open an issue in github for upstream soon. References: https://github.com/ansible/ansible/issues/69782 Hi (In reply to msiddiqu from comment #13) > References: > > https://github.com/ansible/ansible/issues/69782 Can you share information what the upstream fix was to complete the fix? Can you share what is the commit in 2.9.10 which adresses the incomplete fix? Regards, Salvatore Hi Salvatore, for solving the incomplete fix upstream we have this commit: 77d0effcc5b2da1ef23e4ba32986a9759c27c10d Regards, Borja Tarraso Red Hat Product Security Statement: Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected. Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. However, we still ship Ansible separately for Ceph Ubuntu. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Closing as WONTFIX for older versions per Matt Martz. |