Bug 1817161 (CVE-2020-10691) - CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy collection install
Summary: CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy col...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10691
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1817162 1817163 1817164 1817165 1817166 1817167 1817979 1817980 1818683
Blocks: 1816822
TreeView+ depends on / blocked
 
Reported: 2020-03-25 17:39 UTC by Borja Tarraso
Modified: 2020-05-19 15:38 UTC (History)
30 users (show)

Fixed In Version: ansible-engine 2.9.7
Doc Type: ---
Doc Text:
An archive traversal flaw was found in Ansible Engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1541 None None None 2020-04-22 14:09:32 UTC
Red Hat Product Errata RHSA-2020:1542 None None None 2020-04-22 14:09:51 UTC

Description Borja Tarraso 2020-03-25 17:39:45 UTC
ansible-galaxy collection install has a archive traversal vulnerability when extracing a collection .tar.gz file, neither install() nor the called _extract_tar_file() does any sanitizing on the filename. This should allow a specially crafted collection .tar.gz file to place a file wherever it wants in the file system.

Comment 3 Borja Tarraso 2020-03-25 17:40:02 UTC
Mitigation:

A possible mitigation of archive traversal issue could be done by restricting file access control and directory write accesses for extracting tarball files. This is feasible only for scenarios when the destination path could be known and enforced beforehand.

Comment 8 Borja Tarraso 2020-03-27 07:34:07 UTC
Acknowledgments:

Name: Felix Fountein

Comment 11 Borja Tarraso 2020-03-27 11:19:52 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1817979]
Affects: fedora-all [bug 1817980]

Comment 13 Summer Long 2020-03-30 05:42:39 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1818683]

Comment 14 Borja Tarraso 2020-04-01 05:25:36 UTC
Upstream fix: https://github.com/ansible/ansible/pull/68596

Comment 16 Hardik Vyas 2020-04-16 05:28:05 UTC
Statement:

Ansible Engine 2.9.6 as well as previous 2.9.x versions are affected. Ansible versions less than or equal to 2.8 are not affected by this vulnerability as this functionality was introduced on 2.9.

Ansible Tower 3.6.3 as well as previous 3.6.x versions are affected as they use ansible-galaxy collections.

Comment 17 errata-xmlrpc 2020-04-22 14:09:30 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 18 errata-xmlrpc 2020-04-22 14:09:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 19 Product Security DevOps Team 2020-04-22 16:32:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10691


Note You need to log in before you can comment on or make changes to this bug.