Re: ansible-runner: CVE-2021-4041



Hi,

On Sat, Dec 11, 2021 at 12:53:19PM +0100, Sakirnth Nagarasa wrote:
> Hi,
> 
> I am maintaining ansible-runner. There is this bug (CVE-2021-4041) in
> the security tracker and I think the bug does not affect the version
> which I have uploaded.
> 
> This is the link to the bug:
> https://security-tracker.debian.org/tracker/CVE-2021-4041
> 
> This is the affected code:
> https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257
> 
> Recent version from Debian:
> https://github.com/ansible/ansible-runner/blob/83b5d4e688d2563b0fe89e0a184e06879ca73eec/ansible_runner/runner.py#L260
> 
> I assume the " ".join(command) can lead to improper shell escaping.
> Therefore this method was removed from this line in the recent version.
> Correct me if I am wrong, then I will open a bug report for upstream.

Right, the original reference is at Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=2028074 . There is the
following upstream commit:
https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd
which resolves the issue.

Regards,
Salvatore
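
The escaping concern raised in the quoted message, shown as an added example (not part of this thread and not ansible-runner's code): the same argument list run after `" ".join()` through a shell, as a list without a shell, and with `shlex.join()`. The function names and the sample `ARGV` are constructed for illustration; a POSIX system with `/bin/sh` and `echo` is assumed.

```python
import shlex
import subprocess

# Constructed sample: one command plus ONE argument containing shell metacharacters.
ARGV = ["echo", "report.txt; echo MARKER"]


def run_joined(argv):
    """Weak form: flatten argv with " ".join() and let /bin/sh re-parse it."""
    done = subprocess.run(" ".join(argv), shell=True, capture_output=True, text=True)
    return done.stdout


def run_list(argv):
    """Preferred form: pass the list straight to exec, no shell involved."""
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout


def run_quoted(argv):
    """If a shell is unavoidable, quote every element with shlex.join()."""
    done = subprocess.run(shlex.join(argv), shell=True, capture_output=True, text=True)
    return done.stdout


def unsafe_to_join(argv):
    """True if any element contains characters shlex.quote() would have to quote."""
    return any(shlex.quote(arg) != arg for arg in argv)


if __name__ == "__main__":
    for name, fn in (("joined", run_joined), ("list", run_list), ("quoted", run_quoted)):
        print(f"{name:>6}: {fn(ARGV)!r}")
    print("unsafe to join:", unsafe_to_join(ARGV))
```

In the joined form the shell treats the `;` inside the argument as a command separator, so the single argument is split and its tail runs as a second command; the list and quoted forms deliver it to `echo` unchanged.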

