Bug 2233810 (CVE-2023-5115)

Summary: CVE-2023-5115 Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, brking, bugzilla_throwaway, epacific, haoli, hkataria, jcammara, jhardy, jmitchel, jneedle, jobarker, kegrant, koliveir, kshier, mabashia, mattdavi, mclay, omaciel, pbraun, security-response-team, shvarugh, simaishi, sivel, smcdonal, stcannon, teagle, tfister, thavo, vinair, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---Flags: vinair: needinfo? (bugzilla_throwaway)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible 2.14.11 Doc Type: If docs needed, set a value
Doc Text:
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2233812    

Description Mauro Matteo Cascella 2023-08-23 14:20:25 UTC 
When installing a maliciously created Ansible role using `ansible-galaxy role install`, arbitrary files the user has access to can be overwritten. The malicious role must contain a symlink with an absolute path to the target file, followed by a file of the same name (as the symlink) with the contents to write to the target.
Comment 4 bugzilla_throwaway 2023-09-22 09:11:24 UTC 
Could you please provide the version number where this is fixed in ansible or a link to a fixing commit? Or is this still unfixed upstream?

Thanks a lot!
Comment 5 Mauro Matteo Cascella 2023-09-22 09:56:41 UTC 
This was reported internally, I'm not sure there are any upstream references. Tagging vinair to elaborate further.
Comment 6 Vipul Nair 2023-09-29 11:46:31 UTC 
heya,there you go https://github.com/ansible/ansible/pull/81780.
Comment 7 errata-xmlrpc 2023-10-16 01:02:17 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8
  Red Hat Ansible Automation Platform 2.3 for RHEL 9

Via RHSA-2023:5701 https://access.redhat.com/errata/RHSA-2023:5701
Comment 8 errata-xmlrpc 2023-10-16 15:36:06 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2023:5758 https://access.redhat.com/errata/RHSA-2023:5758