oss-sec mailing list archives
Re: Re: Ansible CVE requests
From: Florian Weimer <fweimer () redhat com>
Date: Thu, 26 Jun 2014 22:51:51 +0200
On 06/26/2014 08:18 PM, cve-assign () mitre org wrote:
> We think 998793fd0ab55705d57527a38cee5e83f535974c is about fixing one type of issue, but feel free to identify any additional types of issues that are also fixed. Use CVE-2014-4657 for the general topic of "the product intentionally allows code execution of code with limited capabilities, but the code restrictions are insufficient." https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md suggests that this was fixed in 1.5.4.
It turns out that the fix was incomplete:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff0
Upstream announcement:
https://groups.google.com/forum/?_escaped_fragment_=msg/ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
I think this warrants a separate CVE ID. There is some debate whether this actually crosses a security boundary, but upstream thinks it does, after some consideration.
Note that the subsequent commit looks extremely suspicious as far as the sandboxing is concerned:
https://github.com/ansible/ansible/commit/35368e531b36c800ff6e61fc79fcd9
I'll try to figure out what's going on.
--
Florian Weimer / Red Hat Product Security