
ansible-runner: CVE-2021-4041



Hi,

I am maintaining ansible-runner. There is this bug (CVE-2021-4041) in
the security tracker and I think the bug does not affect the version
which I have uploaded.

This is the link to the bug:
https://security-tracker.debian.org/tracker/CVE-2021-4041

This is the affected code:
https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257

Recent version from Debian:
https://github.com/ansible/ansible-runner/blob/83b5d4e688d2563b0fe89e0a184e06879ca73eec/ansible_runner/runner.py#L260

I assume the " ".join(command) can lead to improper shell escaping.
Therefore this method was removed from this line in the recent version.
Correct me if I am wrong, then I will open a bug report for upstream.

Thanks and Cheers,
Saki
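
The general quoting concern raised in the message above, as an added example that is not part of the original mail and is not ansible-runner code: it compares a plain " ".join() of an argument list with a quoted join and checks how a POSIX shell tokenizer would read each string back. The sample argv and all function names are constructed for illustration; nothing is executed.

```python
import shlex

# Constructed sample argv: one argument contains a space and a ';'.
ARGV = ["ansible-playbook", "-e", "msg=done; see log", "site.yml"]


def naive_join(argv):
    """Flatten argv with no quoting, as " ".join(command) does."""
    return " ".join(argv)


def safe_join(argv):
    """Quote each argument so a POSIX shell reads back the same argv."""
    return " ".join(shlex.quote(arg) for arg in argv)


def shell_tokens(line):
    """Tokenize roughly as a POSIX shell would, keeping control
    operators such as ';' as separate tokens (needs Python 3.8+)."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)


def round_trips(argv, joiner):
    """True if the joined string tokenizes back to the original argv."""
    return shell_tokens(joiner(argv)) == list(argv)


if __name__ == "__main__":
    for joiner in (naive_join, safe_join):
        line = joiner(ARGV)
        print(joiner.__name__, "->", line)
        print("  tokens:     ", shell_tokens(line))
        print("  round-trips:", round_trips(ARGV, joiner))
```

If no shell is involved at all, passing the list itself to subprocess (without shell=True) avoids the join entirely.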

