Fix CVE-2024-0690

(cherry picked from commit 3886a3aa963e299ee7e61f14df6ae9d62512bd04)
2024-02-05 19:59:00 +08:00 · 2024-02-05 19:59:00 +08:00 · e18a775b86
commit e18a775b86
parent f14d2414a6
2 changed files with 97 additions and 3 deletions
--- a/CVE-2024-0690.patch
+++ b/CVE-2024-0690.patch
@ -0,0 +1,91 @@
+From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
+From: Matt Martz <matt@sivel.net>
+Date: Thu, 18 Jan 2024 17:17:23 -0600
+Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected
+ (CVE-2024-0690) (#82565) (#82568)
+
+Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
+
+(cherry picked from commit 6935c8e)
+
+---
+ changelogs/fragments/cve-2024-0690.yml            |  2 ++
+ lib/ansible/playbook/base.py                      |  2 +-
+ lib/ansible/playbook/play_context.py              |  4 ----
+ test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
+ test/integration/targets/no_log/runme.sh          |  5 +++++
+ 5 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 changelogs/fragments/cve-2024-0690.yml
+ create mode 100644 test/integration/targets/no_log/no_log_config.yml
+
+diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
+new file mode 100644
+index 00000000..0e030d88
+--- /dev/null
+++ b/changelogs/fragments/cve-2024-0690.yml
+@@ -0,0 +1,2 @@
+security_fixes:
+- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
+diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
+index 0f4dc4e4..172963a2 100644
+--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
+@@ -613,7 +613,7 @@ class Base(FieldAttributeBase):
+ 
+     # flags and misc. settings
+     _environment = FieldAttribute(isa='list', extend=True, prepend=True)
+-    _no_log = FieldAttribute(isa='bool')
+    _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
+     _run_once = FieldAttribute(isa='bool')
+     _ignore_errors = FieldAttribute(isa='bool')
+     _ignore_unreachable = FieldAttribute(isa='bool')
+diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
+index 10dd57aa..5b8b2852 100644
+--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
+@@ -318,10 +318,6 @@ class PlayContext(Base):
+             if not new_info.connection_user:
+                 new_info.connection_user = new_info.remote_user
+ 
+-        # set no_log to default if it was not previously set
+-        if new_info.no_log is None:
+-            new_info.no_log = C.DEFAULT_NO_LOG
+-
+         if task.check_mode is not None:
+             new_info.check_mode = task.check_mode
+ 
+diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
+new file mode 100644
+index 00000000..8a508805
+--- /dev/null
+++ b/test/integration/targets/no_log/no_log_config.yml
+@@ -0,0 +1,13 @@
+- hosts: testhost
+  gather_facts: false
+  tasks:
+    - debug:
+      no_log: true
+
+    - debug:
+      no_log: false
+
+    - debug:
+
+    - debug:
+      loop: '{{ range(3) }}'
+diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
+index bb5c048f..8bfe019b 100755
+--- a/test/integration/targets/no_log/runme.sh
+++ b/test/integration/targets/no_log/runme.sh
+@@ -19,3 +19,8 @@ set -eux
+ 
+ # test invalid data passed to a suboption
+ [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ]
+
+# test variations on ANSIBLE_NO_LOG
+[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
+-- 
+2.33.0
+
--- a/ansible.spec
+++ b/ansible.spec
@ -10,11 +10,12 @@
 Name:                ansible
 Summary:             SSH-based configuration management, deployment, and task execution system
 Version:             2.9.27
-Release:             3
+Release:             4
 License:             Python-2.0 and MIT and GPL+
 Url:                 http://ansible.com
 Source0: 	     https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
 Patch0:              hostname-module-support-openEuler.patch
+Patch1:              CVE-2024-0690.patch
 BuildArch:           noarch
 Provides:            ansible-fireball = %{version}-%{release}
 Obsoletes:           ansible-fireball < 1.2.4
@ -46,8 +47,7 @@ Obsoletes:           %{name}-doc < %{name}-%{release}
 %{common_desc}

 %prep
-%setup -q
-%patch0 -p1
+%autosetup -p1
 rm -rf %{py3dir}
 cp -a . %{py3dir}

@ -99,6 +99,9 @@ cp -pr docs/docsite/rst .
 %endif

 %changelog
+* Mon Feb 05 2024 wangkai <13474090681@163.com> - 2.9.27-4
+- Fix CVE-2024-0690
+
 * Wed Apr 19 2023 liyanan <thistleslyn@163.com> - 2.9.27-3
 - Remove with_python3 macros and python3-nose buildRequire