List:       oss-security
Subject:    Re: [oss-security] Re: Ansible CVE requests
From:       Florian Weimer <fweimer () redhat ! com>
Date:       2014-06-26 20:51:51
Message-ID: 53AC87E7.1080009 () redhat ! com

On 06/26/2014 08:18 PM, cve-assign@mitre.org wrote:
> We think 998793fd0ab55705d57527a38cee5e83f535974c is about fixing one
> type of issue, but feel free to identify any additional types of
> issues that are also fixed. Use CVE-2014-4657 for the general topic of
> "the product intentionally allows code execution of code with limited
> capabilities, but the code restrictions are insufficient."
> https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
> suggests that this was fixed in 1.5.4.

It turns out that the fix was incomplete:

https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff0

Upstream announcement:

https://groups.google.com/forum/?_escaped_fragment_=msg/ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

I think this warrants a separate CVE ID.  There is some debate whether 
this actually crosses a security boundary, but upstream thinks it does, 
after some consideration.


Note that the subsequent commit looks extremely suspicious as far as the 
sandboxing is concerned:

https://github.com/ansible/ansible/commit/35368e531b36c800ff6e61fc79fcd9

I'll try to figure out what's going on.

-- 
Florian Weimer / Red Hat Product Security