Bug 1653720 - ansible: Data leak in synchronize module via `rsync_opts` empty string
Summary: ansible: Data leak in synchronize module via `rsync_opts` empty string
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1657589 1657590 1657591 1657592 1657595 1657596 1657598 1657599 1657600 1657601 1657602 1657603 1660420 1660421
Blocks: 1653721
Reported: 2018-11-27 13:42 UTC by Pedro Sampaio
Modified: 2021-02-16 22:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-18 09:35:23 UTC



Description Pedro Sampaio 2018-11-27 13:42:26 UTC
A flaw was found in the synchronize module of Ansible. An improper input check on `rsync_opts` may lead to a malformed/unexpected rsync command sequence when passing an empty string, leading to an information leak.

Comment 5 Borja Tarraso 2018-12-18 09:22:50 UTC
External References:

https://github.com/ansible/ansible/pull/49273

Comment 6 Borja Tarraso 2018-12-18 09:35:23 UTC
The empty string tells rsync to transfer files from the current working directory. This could be the intention and part of the purpose of rsync; in fact, rsync of an empty string does use the current working directory. But as this may be unexpected for the end user who uses the Ansible module, it will warn about it. Closing as NOTABUG (not a security vulnerability). See external references.
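The behaviour described in comment 6, as an added example that is not part of this bug report and not Ansible's own code: a pre-flight check that spots an empty string among rsync options before the command is built, and shows why that entry ends up as an extra source operand. The function names, paths and host name are hypothetical, and the operand classifier assumes options are written in `--opt=value` form.

```python
import warnings


def empty_opt_indexes(rsync_opts):
    """Return the positions of entries that are exactly the empty string."""
    return [i for i, opt in enumerate(rsync_opts) if opt == ""]


def build_rsync_argv(src, dest, rsync_opts=(), strict=False):
    """Assemble an rsync argv list, warning (or refusing) on empty options.

    An empty string is not an option: it reaches rsync as a positional
    argument, which the bug report says rsync resolves to the current
    working directory of the calling process.
    """
    bad = empty_opt_indexes(rsync_opts)
    if bad:
        msg = ("rsync_opts contains an empty string at index %s; rsync would "
               "take it as an extra source (the current working directory)"
               % bad)
        if strict:
            raise ValueError(msg)
        warnings.warn(msg)
    return ["rsync", *rsync_opts, src, dest]


def operands(argv):
    """Positional arguments of an argv, in order (sources, then destination).

    Simplification (assumption): every option is a single token starting
    with '-', so anything else is treated as a source or the destination.
    """
    return [arg for arg in argv[1:] if not arg.startswith("-")]


if __name__ == "__main__":
    # Constructed sample input: the second option is an empty string.
    argv = build_rsync_argv("site/", "backup.example:/srv/site/",
                            ["--archive", ""])
    print("argv:    ", argv)
    print("operands:", operands(argv))
```

Passing `strict=True` turns the warning into a `ValueError`, which suits CI checks where an unintended extra source should stop the run.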

