Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 12:53:58 +0200
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: ansible zone/chroot/jail escape

Hi,

I recently found a symlink attack that enables a malicious
zone/chroot/jail managed by ansible to escape into the managing host.
This was fixed in ansible 1.9.2 (commit list below, see
https://github.com/ansible/ansible).

I am not an ansible committer but Toshio requested I follow up. I
understand that a request was made by Toshio to CVE-assign on 1st July
but no response was received. The commits are already public and it has
been announced on ansible's security page:
http://www.ansible.com/security.

Could a CVE please be assigned to this issue?


Thanks,

Martin.


commit 548a7288a90c49e9b50ccf197da307eae525b899
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Wed Jun 24 01:00:22 2015 -0700

    Use BUFSIZE when putting file as well as fetching file.

commit 270be6a6f5852c5563976f060c80eff64decc89c
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Tue Jun 23 22:27:45 2015 -0700

    Fix exec_command to not use a shell

commit 952166f48eb0f5797b75b160fd156bbe1e8fc647
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Mon Jun 22 20:07:29 2015 -0700

    Fix problem with chroot connection plugins and symlinks from within
the chroot.

commit 0777d025051bf5cf3092aa79a9e6b67cec7064dd
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Fri Jun 19 11:09:48 2015 -0700

    Fix problem with jail and zone connection plugins and symlinks from
within the jail/zone.

commit ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b
Author: Toshio Kuratomi <toshio@...oraproject.org>
Date:   Fri Jun 19 09:41:48 2015 -0700

    Fix problem with jail and zone connection plugins and symlinks from
within the jail/zone.



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.