Bug 1835566 (CVE-2020-10744) - CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733
Summary: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733
Keywords:
Status: NEW
Alias: CVE-2020-10744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1806420 1835568 1835569 1835570 1835571 1835572 1835573 1835694 1835854 1835855 1835856 1840919 1840920
Blocks: 1835448
Reported: 2020-05-14 05:13 UTC by Borja Tarraso
Modified: 2020-07-10 21:43 UTC

Fixed In Version: ansible-engine 2.7.19, ansible-engine 2.8.13, ansible-engine 2.9.10
Doc Type: If docs needed, set a value
Doc Text:
An incomplete fix was found for the flaw CVE-2020-1733, Ansible: insecure temporary directory when running become_user from the become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems.
Clone Of:
Environment:
Last Closed:



Description Borja Tarraso 2020-05-14 05:13:14 UTC
This flaw refers to the incomplete fix for CVE-2020-1733 ansible: insecure temporary directory when running become_user from the become directive. This vulnerability seems not to be fully mitigated, as the race condition from the original flaw could still happen on systems using ACLs and FUSE filesystems. The 'mkdir -p' is insecure by design.
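
As an added illustration of the description's point that 'mkdir -p' is insecure by design (this is not code from the bug report or from Ansible; the planted-directory scenario and the function names are constructed), the following Python contrasts 'mkdir -p' semantics, which silently reuse a directory that already exists, with exclusive creation followed by ownership and mode checks:

```python
import os
import shutil
import stat
import tempfile


def mkdir_p_style(path, mode=0o700):
    """'mkdir -p' semantics: succeed even if the directory already exists.
    A directory planted there by another local user, with that user's
    ownership and permissions, is silently accepted."""
    os.makedirs(path, mode=mode, exist_ok=True)
    return path


def mkdir_exclusive(path, mode=0o700):
    """Create without '-p': an existing path raises FileExistsError instead
    of being reused; that exclusive create is what closes the race window.
    The post-creation checks are defence in depth only: they see mode bits,
    not every ACL entry the filesystem may carry."""
    os.mkdir(path, mode)
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("%s is owned by uid %d" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("%s is accessible to group/other" % path)
    return path


def demo():
    """Constructed scenario: the intended name already exists, world-writable,
    before the privileged process gets to create it."""
    base = tempfile.mkdtemp()
    planted = os.path.join(base, "ansible-tmp")
    os.mkdir(planted)
    os.chmod(planted, 0o777)
    result = {"mkdir_p_reused_planted": mkdir_p_style(planted) == planted}
    try:
        mkdir_exclusive(planted)
        result["exclusive_rejected_planted"] = False
    except FileExistsError:
        result["exclusive_rejected_planted"] = True
    fresh = mkdir_exclusive(os.path.join(base, "ansible-tmp-fresh"))
    result["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)
    shutil.rmtree(base)
    return result
```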

Comment 1 Borja Tarraso 2020-05-14 05:13:18 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 3 Borja Tarraso 2020-05-14 05:13:23 UTC
Mitigation:

Currently, there is no mitigation for this issue.

Comment 8 Borja Tarraso 2020-05-14 15:47:49 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1835854]
Affects: fedora-all [bug 1835855]
Affects: openstack-rdo [bug 1835856]

Comment 9 Salvatore Bonaccorso 2020-05-15 11:13:16 UTC
Borja, has this incomplete fix already been reported upstream?

Comment 10 Borja Tarraso 2020-05-15 12:00:44 UTC
In reply to comment #9:
> Borja, has this incomplete fix already been reported upstream?

Hi Salvatore, it was found internally that it was an insufficient fix. I expect someone to open an issue in GitHub for upstream soon.

Comment 12 RaTasha Tillery-Smith 2020-06-01 19:36:55 UTC
Statement:

Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. However, we still ship Ansible separately for Ceph Ubuntu.

