author | Matthew Thode <prometheanfire@gentoo.org> | 2020-10-15 21:57:56 -0500 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2020-10-15 21:58:10 -0500 |
commit | 7d23da514953be1ad0fd02a9aab9e5a24ca3449d (patch) | |
tree | bff32620c9f1de61382e95b89145ec2cea47b422 /app-admin/ansible | |
parent | media-libs/libglvnd: Update media-libs/mesa blocker (diff) | |
download | gentoo-7d23da514953be1ad0fd02a9aab9e5a24ca3449d.tar.gz gentoo-7d23da514953be1ad0fd02a9aab9e5a24ca3449d.tar.bz2 gentoo-7d23da514953be1ad0fd02a9aab9e5a24ca3449d.zip |
app-admin/ansible: Fix CVE
Bug: https://bugs.gentoo.org/749369
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Diffstat (limited to 'app-admin/ansible')
-rw-r--r-- | app-admin/ansible/ansible-2.10.0-r2.ebuild | 82 | ||||
-rw-r--r-- | app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch | 54 |
2 files changed, 136 insertions, 0 deletions
diff --git a/app-admin/ansible/ansible-2.10.0-r2.ebuild b/app-admin/ansible/ansible-2.10.0-r2.ebuild
new file mode 100644
index 000000000000..2086aad0672e
--- /dev/null
+++ b/app-admin/ansible/ansible-2.10.0-r2.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6..8} )
+DISTUTILS_USE_SETUPTOOLS=bdepend
+
+inherit distutils-r1 eutils
+
+DESCRIPTION="Model-driven deployment, config management, and command execution framework"
+HOMEPAGE="https://ansible.com/"
+
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/ansible/ansible.git"
+ EGIT_BRANCH="devel"
+ KEYWORDS=""
+else
+ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86 ~x64-macos"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="doc test"
+RESTRICT="test"
+
+RDEPEND="
+ dev-python/paramiko[${PYTHON_USEDEP}]
+ dev-python/jinja[${PYTHON_USEDEP}]
+ dev-python/pyyaml[${PYTHON_USEDEP}]
+ dev-python/cryptography[${PYTHON_USEDEP}]
+ dev-python/httplib2[${PYTHON_USEDEP}]
+ dev-python/six[${PYTHON_USEDEP}]
+ dev-python/netaddr[${PYTHON_USEDEP}]
+ dev-python/pexpect[${PYTHON_USEDEP}]
+ net-misc/sshpass
+ virtual/ssh
+ app-admin/ansible-base
+"
+DEPEND="
+ >=dev-python/packaging-16.6[${PYTHON_USEDEP}]
+ app-admin/ansible-base
+ doc? (
+ dev-python/sphinx[${PYTHON_USEDEP}]
+ dev-python/sphinx-notfound-page[${PYTHON_USEDEP}]
+ >=dev-python/pygments-2.4.0[${PYTHON_USEDEP}]
+ )
+ test? (
+ ${RDEPEND}
+ dev-python/nose[${PYTHON_USEDEP}]
+ >=dev-python/mock-1.0.1[${PYTHON_USEDEP}]
+ dev-python/passlib[${PYTHON_USEDEP}]
+ dev-python/coverage[${PYTHON_USEDEP}]
+ dev-python/unittest2[${PYTHON_USEDEP}]
+ dev-vcs/git
+ )"
+
+PATCHES=( "${FILESDIR}/ansible-2.10.0-CVE-2020-25635-6.patch" )
+
+python_compile() {
+ export ANSIBLE_SKIP_CONFLICT_CHECK=1
+ distutils-r1_python_compile
+}
+
+python_compile_all() {
+ if use doc; then
+ cd docs/docsite || die
+ export CPUS=4
+ emake -f Makefile.sphinx html
+ fi
+}
+
+python_test() {
+ nosetests -d -w test/units -v --with-coverage --cover-package=ansible --cover-branches || die
+}
+
+python_install_all() {
+ use doc && local HTML_DOCS=( docs/docsite/_build/html/. )
+ distutils-r1_python_install_all
+}
diff --git a/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch b/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch
new file mode 100644
index 000000000000..df88be4264ff
--- /dev/null
+++ b/app-admin/ansible/files/ansible-2.10.0-CVE-2020-25635-6.patch
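Review bot: `RESTRICT="test"` near the top of the new ebuild disables the `python_test` phase defined further down, so the `nosetests` invocation is dead code and the security patch is never exercised by the suite; either the restriction or the phase should go, and whichever stays deserves a comment, e.g. `# TODO(maintainer): tests restricted — confirm whether the bundled suite can run against the split ansible-base package`. `export CPUS=4` in `python_compile_all` hard-codes Sphinx parallelism instead of deriving it from the user's MAKEOPTS (`makeopts_jobs` from multiprocessing.eclass would do that). The `PATCHES` entry applies a CVE fix whose paths start with `ansible_collections/community/aws/`, so it silently depends on the PyPI sdist shipping the collection at that path; a one-line comment naming the upstream change (PR #237 per the patch header) next to `PATCHES` would let the next bump verify whether the fix is already included instead of re-applying it. Whether `inherit eutils` is still needed under EAPI 7 is not visible from here and worth confirming.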
@@ -0,0 +1,54 @@
+From 921bd53103c2b543e95c9e6b863702db3ff54d0c Mon Sep 17 00:00:00 2001
+From: Jill R <4121322+jillr@users.noreply.github.com>
+Date: Fri, 2 Oct 2020 11:37:37 -0700
+Subject: [PATCH] aws_ssm: Namespace S3 buckets and delete transferred files
+ (#237)
+
+Files transferred to instances via the SSM connection plugin should use
+folders within the bucket that are namespaced per-host, to prevent collisions.
+Files should also be deleted from buckets when they are no longer required.
+
+Fixes: #221
+Fixes: #222
+
+Based on work by abeluck
+
+changelog
+---
+ ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml | 2 ++
+ ansible_collections/community/aws/plugins/connection/aws_ssm.py | 6 +++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+ create mode 100644 ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+
+diff --git a/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml b/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+new file mode 100644
+index 00000000..247d5e36
+--- /dev/null
++++ b/ansible_collections/community/aws/changelogs/fragments/221_222_ssm_bucket_operations.yaml
+@@ -0,0 +1,2 @@
++bugfixes:
++ - aws_ssm connection plugin - namespace file uploads to S3 into unique folders per host, to prevent name collisions. Also deletes files from S3 to ensure temp files are not left behind. (https://github.com/ansible-collections/community.aws/issues/221, https://github.com/ansible-collections/community.aws/issues/222)
+diff --git a/ansible_collections/community/aws/plugins/connection/aws_ssm.py b/ansible_collections/community/aws/plugins/connection/aws_ssm.py
+index 7f7d6926..94289eee 100644
+--- a/ansible_collections/community/aws/plugins/connection/aws_ssm.py
++++ b/ansible_collections/community/aws/plugins/connection/aws_ssm.py
+@@ -522,7 +522,8 @@ def _get_boto_client(self, service, region_name=None):
+ def _file_transport_command(self, in_path, out_path, ssm_action):
+ ''' transfer a file from using an intermediate S3 bucket '''
+
+- s3_path = out_path.replace('\\', '/')
++ path_unescaped = "{0}/{1}".format(self.instance_id, out_path)
++ s3_path = path_unescaped.replace('\\', '/')
+ bucket_url = 's3://%s/%s' % (self.get_option('bucket_name'), s3_path)
+
+ if self.is_windows:
+@@ -546,6 +547,9 @@ def _file_transport_command(self, in_path, out_path, ssm_action):
+ client.upload_fileobj(data, self.get_option('bucket_name'), s3_path)
+ (returncode, stdout, stderr) = self.exec_command(get_command, in_data=None, sudoable=False)
+
++ # Remove the files from the bucket after they've been transferred
++ client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)
++
+ # Check the return code
+ if returncode == 0:
+ return (returncode, stdout, stderr) |
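Review bot: `client.delete_object(...)` in the second inner hunk only runs when `self.exec_command(...)` returns normally; if the upload, the download or the remote command raises, the transferred file stays in the bucket, which is exactly the leftover-data exposure this patch is meant to close. Wrapping the transfer in a `try:` and moving the `delete_object` call into its `finally:` makes the cleanup unconditional, e.g. `try:` … transfer … `finally:` `client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)`. The comment above the call should also record that on a bucket with versioning enabled `delete_object` without a `VersionId` only writes a delete marker and the object data remains retrievable, so a lifecycle rule or bucket policy is still needed to actually expire it: `# NOTE: on a versioned bucket this only adds a delete marker; a lifecycle rule must expire old versions`. The lines between the two inner hunks (presumably the `get` direction) are not visible here, so whether the delete sits after both transfer branches should be confirmed; `_file_transport_command` continues outside the hunk.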