[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Re: Ansible CVE requests
From: Florian Weimer <fweimer () redhat ! com>
Date: 2014-06-26 20:51:51
Message-ID: 53AC87E7.1080009 () redhat ! com
[Download RAW message or body]
On 06/26/2014 08:18 PM, cve-assign@mitre.org wrote:
> We think 998793fd0ab55705d57527a38cee5e83f535974c is about fixing one
> type of issue, but feel free to identify any additional types of
> issues that are also fixed. Use CVE-2014-4657 for the general topic of
> "the product intentionally allows code execution of code with limited
> capabilities, but the code restrictions are insufficient."
> https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
> suggests that this was fixed in 1.5.4.
It turns out that the fix was incomplete:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff0
Upstream announcement:
https://groups.google.com/forum/?_escaped_fragment_=msg/ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
I think this warrants a separate CVE ID. There is some debate whether
this actually crosses a security boundary, but upstream thinks it does,
after some consideration.
Note that the subsequent commit looks extremely suspicious as far as the
sandboxing is concerned:
https://github.com/ansible/ansible/commit/35368e531b36c800ff6e61fc79fcd9
I'll try to figure out what's going on.
--
Florian Weimer / Red Hat Product Security
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic