Red Hat Bugzilla – Bug 1322925
CVE-2016-3096 ansible: Code execution vulnerability in lxc_container
Last modified: 2017-05-12 03:05:34 EDT
A vulnerability in lxc_container, ansible module, was found allowing to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root.
Acknowledgments: Name: Evgeni Golov (Red Hat)
Created lxc tracking bugs for this issue: Affects: fedora-all [bug 1322926] Affects: epel-all [bug 1322927]
Wrong component? The problem seems to affect /usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py which is part of the ansible package. Could you please check and re-assign.
(In reply to Thomas Moschny from comment #4) > Wrong component? The problem seems to affect > > /usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/ > lxc_container.py > > which is part of the ansible package. > > Could you please check and re-assign. You're right, my bad. Thanks for notifying, moving to ansible.
Partial fix: https://github.com/ansible/ansible-modules-extras/commit/da84e2e9b83be6ebebbfd3be6776f391622c02fe More fixes: https://github.com/ansible/ansible-modules-extras/pull/1941
So, currently epel6/7 and fedora 22/23 stable updates has ansible 1.9.4 and ansible1.9-1.9.4. In updates-testing we have 2.0.1.0 for ansible. We don't want to push 2.0.x stable yet, we are waiting for 2.1 upstream to fix some issues many people will hit. 1.9.4 is vulnerable to this issue, but it requires a local user with write to /opt to exploit it, and thats root only on fedora/epel by default. So, while we are vulnerable it's pretty difficult to exploit. 2.0.x is also vulnerable and more so, since permissions were not setup correctly there. Currently I think we will look at fixing this in a local 2.0.x patch and pushing that to testing in all the stable branches or in a 2.0.2 if the fix turns out difficult and waiting for 2.1 (due this month) to hopefully push to stable with the fix everywhere.
Evgeni's fixes merged upstream. Will be in upstream releases 1.9.6, 2.0.2, and 2.1.0.
@Adam -- there's also an ansible1.9 package in fedora and epel for now (to ease transition to ansible-2.0). I'm guessing you want to open bugs against that in fedora and epel as well.
FWIW, if you are already shipping updates to lxc_container.py, you might consider also including https://github.com/ansible/ansible-modules-extras/commit/6bfd2846f853b9beaeb01da6206d8ffa4abe7a4c
ansible1.9-1.9.6-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
ansible1.9-1.9.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
ansible-2.0.2.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
ansible-2.0.2.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
ansible-2.0.2.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
ansible-2.0.2.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
ansible-2.0.2.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
ansible1.9-1.9.6-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
ansible1.9-1.9.6-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.