oss-sec mailing list archives

CVE Request / Ansible: insecure permission on a directory when using spacewalk inventory


From: Michael Scherer <misc () zarb org>
Date: Sat, 2 May 2015 05:54:33 +0200

Hi,

Could a CVE be assigned for this problem:

The Ansible inventory script for spacewalk creates a file in the current
directory with incorrect permissions due to an error in a chmod specification.

https://github.com/ansible/ansible/blob/devel/plugins/inventory/spacewalk.py#L63

In Python, os.chmod needs to be in octal, and 2755 is not octal.
So in the end, we manage to have permissions like this:

d-ws-w-rwt.

And o+rw and u+s kinda sound bad. The directory is created in $PWD if
I read the code right, so that's likely the homedir of 1 admin.
However, that's executed locally, or from a bastion, so there
isn't much avenue to attack (even if shared shell servers still exist nowadays),
and this requires using spacewalk.

I pushed a commit there:
https://github.com/mscherer/ansible/commit/251197f11de7c7a3c5d81141970dd8f2ef16c0ee

I will wait for a CVE to be assigned before fixing the commit message, and push a
PR (cause I am quite bothered when I cannot find the CVE in the commit message).

-- 
Michael Scherer
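
The following is an added example, not part of the original message and not Ansible code: a small source audit that flags `os.chmod`/`os.mkdir`/`os.makedirs` calls whose mode is written as a decimal literal and shows the permissions the kernel would actually apply. The names `find_decimal_modes`, `dir_mode` and the `SAMPLE` input are assumptions made for illustration.

```python
import ast
import stat

# os functions whose second positional argument (or mode= keyword) is a mode.
MODE_CALLS = {"chmod", "mkdir", "makedirs"}


def dir_mode(value):
    """Render a mode integer the way `ls -l` shows it for a directory."""
    return stat.filemode(stat.S_IFDIR | (value & 0o7777))


def find_decimal_modes(source):
    """Return (line, call, literal, effective mode) for every mode argument
    written as a plain decimal literal instead of an 0o-prefixed octal one."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in MODE_CALLS):
            continue
        args = list(node.args[1:2])
        args += [k.value for k in node.keywords if k.arg == "mode"]
        for arg in args:
            # The AST keeps only the value, so inspect the literal's source text.
            text = ast.get_source_segment(source, arg) or ""
            if (isinstance(arg, ast.Constant) and type(arg.value) is int
                    and text.isdigit() and arg.value > 7):
                findings.append((node.lineno, node.func.attr, text,
                                 dir_mode(arg.value)))
    return sorted(findings)


# Constructed sample input, not the actual spacewalk.py source.
SAMPLE = '''\
import os
os.mkdir("cache", 2775)
os.chmod("cache", 2755)
os.chmod("cache", 0o2755)
'''

if __name__ == "__main__":
    for line, call, literal, effective in find_decimal_modes(SAMPLE):
        octal_ok = set(literal) <= set("01234567")
        intended = dir_mode(int(literal, 8)) if octal_ok else "n/a"
        print(f"line {line}: os.{call} mode {literal} is decimal, "
              f"applies {effective}, octal 0o{literal} would give {intended}")
```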

