First published: Sun Aug 18 2013
Since version 1.2 of Ansible, failed runs (due to connection errors, or config errors) are listed in /var/tmp/ansible/$script_name.yml, with $script_name being the script name used (or rather the playbook, in Ansible lingo). There is no verification on the file or directory here, and /var/tmp is world writable. Worse, due to it using a subdirectory under /var/tmp, some symlink protection may not apply (not tested). For example, if I create a directory /var/tmp/ansible with owner misc:users and a symlink to a file of joe, the kernel would permit following it since the symlink and the owner of the directory match. This permits erasing file content, among others. I am not sure what kind of specific attack could be made by injecting an IP and hostname in a specific file, but I am sure this exists.

Code is at https://github.com/ansible/ansible/blob/devel/lib/ansible/playbook/__init__.py#L480

Upstream was not notified yet, AFAIK. I do have a patch almost ready that does:

- verify the permission/owner of the directory
- create a unique directory derived from the username (so predictable) with proper permissions if it doesn't exist

I just need to review and test. The current code does cope with lack of permission on the directory, so even if someone creates a directory in advance, this will be handled "gracefully" (I think a message would be better).
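The two checks the report's patch describes (validate owner/permissions of the directory, create a per-user directory with proper permissions), shown as an added illustration that is not the reporter's patch or Ansible's own code; the function names, the uid-derived directory name and the use of a throwaway base directory in place of /var/tmp are assumptions:

```python
import os
import stat
import tempfile

def secure_retry_dir(base, prefix="ansible"):
    """Return a per-user retry directory under a world-writable base (e.g. /var/tmp).

    The name is derived from the caller's uid, so it is predictable; safety comes from
    refusing to use it unless it is a real directory owned by us and not writable by
    group or others. lstat() is used so a planted symlink is seen, not followed.
    """
    uid = os.getuid()
    path = os.path.join(base, "%s-%d" % (prefix, uid))
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something already exists here: validate it below before trusting it
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise OSError("%s is not a plain directory" % path)
    if st.st_uid != uid:
        raise OSError("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise OSError("%s is writable by group or others" % path)
    return path

def write_retry_file(dirpath, name, hosts):
    """Write the retry host list, refusing to follow a symlink at the final component."""
    target = os.path.join(dirpath, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(hosts) + "\n")
    return target

if __name__ == "__main__":
    # Constructed scenario: a throwaway base stands in for /var/tmp.
    base = tempfile.mkdtemp()
    d = secure_retry_dir(base)
    print("retry file:", write_retry_file(d, "site.retry", ["web1", "db1"]))
    # Constructed scenario: a symlink was pre-planted where our directory would go.
    planted = tempfile.mkdtemp()
    os.symlink(os.path.join(planted, "victim"), os.path.join(planted, "ansible-%d" % os.getuid()))
    try:
        secure_retry_dir(planted)
    except OSError as e:
        print("rejected:", e)
```

Because the directory is 0700 and owned by the caller, nobody else can place a symlink inside it; O_NOFOLLOW on the file open is a second line of defence and is POSIX-only.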
Affected Software | Affected Version | How to fix
---|---|---
Ansible | >=1.2 | 
The severity of REDHAT-BUG-998227 is moderate due to potential information leakage.
To fix REDHAT-BUG-998227, ensure proper permissions and verification checks are implemented for the logs generated in /var/tmp.
Ansible versions from 1.2 onwards are affected by REDHAT-BUG-998227.
REDHAT-BUG-998227 can lead to unauthorized access to sensitive log files and potential data exposure.
A possible workaround for REDHAT-BUG-998227 is to manually monitor and secure the /var/tmp directory.