Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 12:53:58 +0200
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: ansible zone/chroot/jail escape

Hi,

I recently found a symlink attack that enables a malicious
zone/chroot/jail managed by ansible to escape into the managing host.
This was fixed in ansible 1.9.2 (commit list below, see
https://github.com/ansible/ansible).

I am not an ansible committer but Toshio requested I follow up. I
understand that a request was made by Toshio to CVE-assign on 1st July
but no response was received. The commits are already public and it has
been announced on ansible's security page:
http://www.ansible.com/security.

Could a CVE please be assigned to this issue?


Thanks,

Martin.


commit 548a7288a90c49e9b50ccf197da307eae525b899
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Wed Jun 24 01:00:22 2015 -0700

    Use BUFSIZE when putting file as well as fetching file.

commit 270be6a6f5852c5563976f060c80eff64decc89c
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Tue Jun 23 22:27:45 2015 -0700

    Fix exec_command to not use a shell

commit 952166f48eb0f5797b75b160fd156bbe1e8fc647
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Mon Jun 22 20:07:29 2015 -0700

    Fix problem with chroot connection plugins and symlinks from within
the chroot.

commit 0777d025051bf5cf3092aa79a9e6b67cec7064dd
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Fri Jun 19 11:09:48 2015 -0700

    Fix problem with jail and zone connection plugins and symlinks from
within the jail/zone.

commit ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Fri Jun 19 09:41:48 2015 -0700

    Fix problem with jail and zone connection plugins and symlinks from
within the jail/zone.



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ