commit:     7d23da514953be1ad0fd02a9aab9e5a24ca3449d
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 16 02:57:56 2020 +0000
Commit:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Fri Oct 16 02:58:10 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d23da51

app-admin/ansible: Fix CVE

Bug: https://bugs.gentoo.org/749369
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org>

 app-admin/ansible/ansible-2.10.0-r2.ebuild         | 82 ++++++++++++++++++++++
 .../files/ansible-2.10.0-CVE-2020-25635-6.patch    | 54 ++++++++++++++
 2 files changed, 136 insertions(+)

diff --git a/app-admin/ansible/ansible-2.10.0-r2.ebuild 
b/app-admin/ansible/ansible-2.10.0-r2.ebuild
new file mode 100644
index 00000000000..2086aad0672
--- /dev/null
+++ b/app-admin/ansible/ansible-2.10.0-r2.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6..8} )
+DISTUTILS_USE_SETUPTOOLS=bdepend
+
+inherit distutils-r1 eutils
+
+DESCRIPTION="Model-driven deployment, config management, and command execution 
framework"
+HOMEPAGE="https://ansible.com/";
+
+if [[ ${PV} == 9999 ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/ansible/ansible.git";
+       EGIT_BRANCH="devel"
+       KEYWORDS=""
+else
+       SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+       KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86 ~x64-macos"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="doc test"
+RESTRICT="test"
+
+RDEPEND="
+       dev-python/paramiko[${PYTHON_USEDEP}]
+       dev-python/jinja[${PYTHON_USEDEP}]
+       dev-python/pyyaml[${PYTHON_USEDEP}]
+       dev-python/cryptography[${PYTHON_USEDEP}]
+       dev-python/httplib2[${PYTHON_USEDEP}]
+       dev-python/six[${PYTHON_USEDEP}]
+       dev-python/netaddr[${PYTHON_USEDEP}]
+       dev-python/pexpect[${PYTHON_USEDEP}]
+       net-misc/sshpass
+       virtual/ssh
+       app-admin/ansible-base
+"
+DEPEND="
+       >=dev-python/packaging-16.6[${PYTHON_USEDEP}]
+       app-admin/ansible-base
+       doc? (
+               dev-python/sphinx[${PYTHON_USEDEP}]
+               dev-python/sphinx-notfound-page[${PYTHON_USEDEP}]
+               >=dev-python/pygments-2.4.0[${PYTHON_USEDEP}]
+       )
+       test? (
+               ${RDEPEND}
+               dev-python/nose[${PYTHON_USEDEP}]
+               >=dev-python/mock-1.0.1[${PYTHON_USEDEP}]
+               dev-python/passlib[${PYTHON_USEDEP}]
+               dev-python/coverage[${PYTHON_USEDEP}]
+               dev-python/unittest2[${PYTHON_USEDEP}]
+               dev-vcs/git
+       )"
+
+PATCHES=( "${FILESDIR}/ansible-2.10.0-CVE-2020-25635-6.patch" )
+
+python_compile() {
+       export ANSIBLE_SKIP_CONFLICT_CHECK=1
+       distutils-r1_python_compile
+}
+
+python_compile_all() {
+       if use doc; then
+               cd docs/docsite || die
+               export CPUS=4
+               emake -f Makefile.sphinx html
+       fi
+}
+
+python_test() {
+       nosetests -d -w test/units -v --with-coverage --cover-package=ansible 
--cover-branches || die
+}
+
+python_install_all() {
+       use doc && local HTML_DOCS=( docs/docsite/_build/html/. )
+       distutils-r1_python_install_all
+}
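Review bot: The PATCHES entry carries no explanation of what the patch addresses; the commit title says only "Fix CVE" and the identifier survives solely in the filename `ansible-2.10.0-CVE-2020-25635-6.patch`. A one-line comment above it, `# aws_ssm connection plugin: per-host S3 key namespacing and cleanup, bug 749369 (CVE-2020-25635-6)`, lets a later maintainer judge whether the patch is still required when the bundled community.aws collection is bumped. Note also that `RESTRICT="test"` alongside the `test? ( ... )` dependencies means `python_test` never runs, so the patched plugin receives no build-time exercise; that looks carried over from the previous revision rather than introduced here, but it is worth knowing when assessing how much verification this fix actually got.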

diff --git a/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch 
b/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch
new file mode 100644
index 00000000000..df88be4264f
--- /dev/null
+++ b/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch
@@ -0,0 +1,54 @@
+From 921bd53103c2b543e95c9e6b863702db3ff54d0c Mon Sep 17 00:00:00 2001
+From: Jill R <[email protected]>
+Date: Fri, 2 Oct 2020 11:37:37 -0700
+Subject: [PATCH] aws_ssm: Namespace S3 buckets and delete transferred files
+ (#237)
+
+Files transferred to instances via the SSM connection plugin should use
+folders within the bucket that are namespaced per-host, to prevent collisions.
+Files should also be deleted from buckets when they are no longer required.
+
+Fixes: #221
+Fixes: #222
+
+Based on work by abeluck
+
+changelog
+---
+ 
ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
 | 2 ++
+ ansible_collections/community/aws/plugins/connection/aws_ssm.py               
            | 6 +++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+ create mode 100644 
ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+
+diff --git 
a/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
 
b/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+new file mode 100644
+index 00000000..247d5e36
+--- /dev/null
++++ 
b/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+@@ -0,0 +1,2 @@
++bugfixes:
++  - aws_ssm connection plugin - namespace file uploads to S3 into unique 
folders per host, to prevent name collisions. Also deletes files from S3 to 
ensure temp files are not left behind. 
(https://github.com/ansible-collections/community.aws/issues/221, 
https://github.com/ansible-collections/community.aws/issues/222)
+diff --git a/ansible_collections/community/aws/plugins/connection/aws_ssm.py 
b/ansible_collections/community/aws/plugins/connection/aws_ssm.py
+index 7f7d6926..94289eee 100644
+--- a/ansible_collections/community/aws/plugins/connection/aws_ssm.py
++++ b/ansible_collections/community/aws/plugins/connection/aws_ssm.py
+@@ -522,7 +522,8 @@ def _get_boto_client(self, service, region_name=None):
+     def _file_transport_command(self, in_path, out_path, ssm_action):
+         ''' transfer a file from using an intermediate S3 bucket '''
+ 
+-        s3_path = out_path.replace('\\', '/')
++        path_unescaped = "{0}/{1}".format(self.instance_id, out_path)
++        s3_path = path_unescaped.replace('\\', '/')
+         bucket_url = 's3://%s/%s' % (self.get_option('bucket_name'), s3_path)
+ 
+         if self.is_windows:
+@@ -546,6 +547,9 @@ def _file_transport_command(self, in_path, out_path, 
ssm_action):
+                 client.upload_fileobj(data, self.get_option('bucket_name'), 
s3_path)
+             (returncode, stdout, stderr) = self.exec_command(get_command, 
in_data=None, sudoable=False)
+ 
++        # Remove the files from the bucket after they've been transferred
++        client.delete_object(Bucket=self.get_option('bucket_name'), 
Key=s3_path)
++
+         # Check the return code
+         if returncode == 0:
+             return (returncode, stdout, stderr)
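Review bot: The `client.delete_object(...)` added after the transfer runs only on the straight-line path; if `client.upload_fileobj(...)`, the other transfer call, or `self.exec_command(...)` raises, the object stays in the bucket, which is precisely the leftover-file condition this patch sets out to close. Wrapping the transfer in `try:` before the `if self.is_windows:` branch and moving the cleanup into `finally:` with `client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)` makes the removal unconditional; whether `client` is bound on every branch is not visible in the hunk, so the `finally` should guard on that. A second, minor point: `"{0}/{1}".format(self.instance_id, out_path)` with an absolute `out_path` yields a key containing `//`, which S3 accepts but which may surprise anyone auditing bucket contents. `_file_transport_command` continues past this hunk and its opening lines are in the hunk at L164.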
