High severity7.8NVD Advisory· Published Jun 7, 2017· Updated May 13, 2026
CVE-2015-6240
CVE-2015-6240
Description
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | < 1.9.2 | 1.9.2 |
Patches
2952166f48eb0Fix problem with chroot connection plugins and symlinks from within the chroot.
1 file changed · +56 −36
lib/ansible/plugins/connections/chroot.py+56 −36 modified@@ -1,5 +1,6 @@ # Based on local.py (c) 2012, Michael DeHaan <michael.dehaan@gmail.com> # (c) 2013, Maykel Moya <mmoya@speedyrails.com> +# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com> # # This file is part of Ansible # @@ -21,13 +22,14 @@ import distutils.spawn import traceback import os -import shutil import subprocess from ansible import errors from ansible import utils from ansible.callbacks import vvv import ansible.constants as C +BUFSIZE = 65536 + class Connection(object): ''' Local chroot based connections ''' @@ -64,8 +66,21 @@ def connect(self, port=None): return self - def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None): - ''' run a command on the chroot ''' + def _generate_cmd(self, executable, cmd): + if executable: + local_cmd = [self.chroot_cmd, self.chroot, executable, '-c', cmd] + else: + local_cmd = '%s "%s" %s' % (self.chroot_cmd, self.chroot, cmd) + return local_cmd + + def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE): + ''' run a command on the chroot. This is only needed for implementing + put_file() get_file() so that we don't have to read the whole file + into memory. + + compared to exec_command() it looses some niceties like being able to + return the process's exit code immediately. + ''' if sudoable and self.runner.become and self.runner.become_method not in self.become_methods_supported: raise errors.AnsibleError("Internal Error: this module does not support running commands via %s" % self.runner.become_method) @@ -74,60 +89,65 @@ def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executab raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining") # We enter chroot as root so we ignore privlege escalation? - - if executable: - local_cmd = [self.chroot_cmd, self.chroot, executable, '-c', cmd] - else: - local_cmd = '%s "%s" %s' % (self.chroot_cmd, self.chroot, cmd) + local_cmd = self._generate_cmd(executable, cmd) vvv("EXEC %s" % (local_cmd), host=self.chroot) p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), cwd=self.runner.basedir, - stdin=subprocess.PIPE, + stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + return p + + def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None): + ''' run a command on the chroot ''' + + p = self._buffered_exec_command(cmd, tmp_path, become_user, sudoable, executable, in_data) + stdout, stderr = p.communicate() return (p.returncode, '', stdout, stderr) def put_file(self, in_path, out_path): ''' transfer a file from local to chroot ''' - if not out_path.startswith(os.path.sep): - out_path = os.path.join(os.path.sep, out_path) - normpath = os.path.normpath(out_path) - out_path = os.path.join(self.chroot, normpath[1:]) - vvv("PUT %s TO %s" % (in_path, out_path), host=self.chroot) - if not os.path.exists(in_path): - raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) + try: - shutil.copyfile(in_path, out_path) - except shutil.Error: - traceback.print_exc() - raise errors.AnsibleError("failed to copy: %s and %s are the same" % (in_path, out_path)) + with open(in_path, 'rb') as in_file: + try: + p = self._buffered_exec_command('dd of=%s' % out_path, None, stdin=in_file) + except OSError: + raise errors.AnsibleError("chroot connection requires dd command in the chroot") + try: + stdout, stderr = p.communicate() + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file %s to %s" % (in_path, out_path)) + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file %s to %s:\n%s\n%s" % (in_path, out_path, stdout, stderr)) except IOError: - traceback.print_exc() - raise errors.AnsibleError("failed to transfer file to %s" % out_path) + raise errors.AnsibleError("file or module does not exist at: %s" % in_path) def fetch_file(self, in_path, out_path): ''' fetch a file from chroot to local ''' - if not in_path.startswith(os.path.sep): - in_path = os.path.join(os.path.sep, in_path) - normpath = os.path.normpath(in_path) - in_path = os.path.join(self.chroot, normpath[1:]) - vvv("FETCH %s TO %s" % (in_path, out_path), host=self.chroot) - if not os.path.exists(in_path): - raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) + try: - shutil.copyfile(in_path, out_path) - except shutil.Error: - traceback.print_exc() - raise errors.AnsibleError("failed to copy: %s and %s are the same" % (in_path, out_path)) - except IOError: - traceback.print_exc() - raise errors.AnsibleError("failed to transfer file to %s" % out_path) + p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), None) + except OSError: + raise errors.AnsibleError("chroot connection requires dd command in the jail") + + with open(out_path, 'wb+') as out_file: + try: + for chunk in p.stdout.read(BUFSIZE): + out_file.write(chunk) + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file %s to %s" % (in_path, out_path)) + stdout, stderr = p.communicate() + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file %s to %s:\n%s\n%s" % (in_path, out_path, stdout, stderr)) def close(self): ''' terminate the connection; nothing to do here '''
ca2f2c4ebd7bFix problem with jail and zone connection plugins and symlinks from within the jail/zone.
2 files changed · +93 −61
lib/ansible/plugins/connections/jail.py+46 −31 modified@@ -1,6 +1,7 @@ # Based on local.py (c) 2012, Michael DeHaan <michael.dehaan@gmail.com> # and chroot.py (c) 2013, Maykel Moya <mmoya@speedyrails.com> # (c) 2013, Michael Scherer <misc@zarb.org> +# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com> # # This file is part of Ansible # @@ -22,14 +23,15 @@ import distutils.spawn import traceback import os -import shutil import subprocess from ansible import errors from ansible.callbacks import vvv import ansible.constants as C +BUFSIZE = 4096 + class Connection(object): - ''' Local chroot based connections ''' + ''' Local BSD Jail based connections ''' def _search_executable(self, executable): cmd = distutils.spawn.find_executable(executable) @@ -81,9 +83,9 @@ def __init__(self, runner, host, port, *args, **kwargs): self.port = port def connect(self, port=None): - ''' connect to the chroot; nothing to do here ''' + ''' connect to the jail; nothing to do here ''' - vvv("THIS IS A LOCAL CHROOT DIR", host=self.jail) + vvv("THIS IS A LOCAL JAIL DIR", host=self.jail) return self @@ -95,8 +97,14 @@ def _generate_cmd(self, executable, cmd): local_cmd = '%s "%s" %s' % (self.jexec_cmd, self.jail, cmd) return local_cmd - def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None): - ''' run a command on the chroot ''' + def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE): + ''' run a command on the jail. This is only needed for implementing + put_file() get_file() so that we don't have to read the whole file + into memory. + + compared to exec_command() it looses some niceties like being able to + return the process's exit code immediately. + ''' if sudoable and self.runner.become and self.runner.become_method not in self.become_methods_supported: raise errors.AnsibleError("Internal Error: this module does not support running commands via %s" % self.runner.become_method) @@ -110,45 +118,52 @@ def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executab vvv("EXEC %s" % (local_cmd), host=self.jail) p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), cwd=self.runner.basedir, - stdin=subprocess.PIPE, + stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + return p + + def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None): + ''' run a command on the jail ''' + + p = self._buffered_exec_command(cmd, tmp_path, become_user, sudoable, executable, in_data) + stdout, stderr = p.communicate() return (p.returncode, '', stdout, stderr) - def _normalize_path(self, path, prefix): - if not path.startswith(os.path.sep): - path = os.path.join(os.path.sep, path) - normpath = os.path.normpath(path) - return os.path.join(prefix, normpath[1:]) - - def _copy_file(self, in_path, out_path): - if not os.path.exists(in_path): - raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) - try: - shutil.copyfile(in_path, out_path) - except shutil.Error: - traceback.print_exc() - raise errors.AnsibleError("failed to copy: %s and %s are the same" % (in_path, out_path)) - except IOError: - traceback.print_exc() - raise errors.AnsibleError("failed to transfer file to %s" % out_path) - def put_file(self, in_path, out_path): - ''' transfer a file from local to chroot ''' + ''' transfer a file from local to jail ''' - out_path = self._normalize_path(out_path, self.get_jail_path()) vvv("PUT %s TO %s" % (in_path, out_path), host=self.jail) - self._copy_file(in_path, out_path) + with open(in_path, 'rb') as in_file: + p = self._buffered_exec_command('dd of=%s' % out_path, None, stdin=in_file) + try: + stdout, stderr = p.communicate() + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file to %s" % out_path) + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr)) def fetch_file(self, in_path, out_path): - ''' fetch a file from chroot to local ''' + ''' fetch a file from jail to local ''' - in_path = self._normalize_path(in_path, self.get_jail_path()) vvv("FETCH %s TO %s" % (in_path, out_path), host=self.jail) - self._copy_file(in_path, out_path) + + p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), None) + + with open(out_path, 'wb+') as out_file: + try: + for chunk in p.stdout.read(BUFSIZE): + out_file.write(chunk) + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file to %s" % out_path) + stdout, stderr = p.communicate() + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr)) def close(self): ''' terminate the connection; nothing to do here '''
lib/ansible/plugins/connections/zone.py+47 −30 modified@@ -2,6 +2,7 @@ # and chroot.py (c) 2013, Maykel Moya <mmoya@speedyrails.com> # and jail.py (c) 2013, Michael Scherer <misc@zarb.org> # (c) 2015, Dagobert Michelsen <dam@baltic-online.de> +# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com> # # This file is part of Ansible # @@ -23,13 +24,13 @@ import distutils.spawn import traceback import os -import shutil import subprocess -from subprocess import Popen,PIPE from ansible import errors from ansible.callbacks import vvv import ansible.constants as C +BUFSIZE = 4096 + class Connection(object): ''' Local zone based connections ''' @@ -44,7 +45,7 @@ def list_zones(self): cwd=self.runner.basedir, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - #stdout, stderr = p.communicate() + zones = [] for l in pipe.stdout.readlines(): # 1:work:running:/zones/work:3126dc59-9a07-4829-cde9-a816e4c5040e:native:shared @@ -97,13 +98,20 @@ def connect(self, port=None): # a modifier def _generate_cmd(self, executable, cmd): if executable: + ### TODO: Why was "-c" removed from here? (vs jail.py) local_cmd = [self.zlogin_cmd, self.zone, executable, cmd] else: local_cmd = '%s "%s" %s' % (self.zlogin_cmd, self.zone, cmd) return local_cmd - def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable=None, in_data=None): - ''' run a command on the zone ''' + def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable=None, in_data=None, stdin=subprocess.PIPE): + ''' run a command on the zone. This is only needed for implementing + put_file() get_file() so that we don't have to read the whole file + into memory. + + compared to exec_command() it looses some niceties like being able to + return the process's exit code immediately. + ''' if sudoable and self.runner.become and self.runner.become_method not in self.become_methods_supported: raise errors.AnsibleError("Internal Error: this module does not support running commands via %s" % self.runner.become_method) @@ -112,52 +120,61 @@ def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executab raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining") # We happily ignore privilege escalation - if executable == '/bin/sh': - executable = None local_cmd = self._generate_cmd(executable, cmd) vvv("EXEC %s" % (local_cmd), host=self.zone) p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), cwd=self.runner.basedir, - stdin=subprocess.PIPE, + stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + return p + + def exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable=None, in_data=None): + ''' run a command on the zone ''' + + ### TODO: Why all the precautions not to specify /bin/sh? (vs jail.py) + if executable == '/bin/sh': + executable = None + + p = self._buffered_exec_command(cmd, tmp_path, become_user, sudoable, executable, in_data) + stdout, stderr = p.communicate() return (p.returncode, '', stdout, stderr) - def _normalize_path(self, path, prefix): - if not path.startswith(os.path.sep): - path = os.path.join(os.path.sep, path) - normpath = os.path.normpath(path) - return os.path.join(prefix, normpath[1:]) - - def _copy_file(self, in_path, out_path): - if not os.path.exists(in_path): - raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) - try: - shutil.copyfile(in_path, out_path) - except shutil.Error: - traceback.print_exc() - raise errors.AnsibleError("failed to copy: %s and %s are the same" % (in_path, out_path)) - except IOError: - traceback.print_exc() - raise errors.AnsibleError("failed to transfer file to %s" % out_path) - def put_file(self, in_path, out_path): ''' transfer a file from local to zone ''' - out_path = self._normalize_path(out_path, self.get_zone_path()) vvv("PUT %s TO %s" % (in_path, out_path), host=self.zone) - self._copy_file(in_path, out_path) + with open(in_path, 'rb') as in_file: + p = self._buffered_exec_command('dd of=%s' % out_path, None, stdin=in_file) + try: + stdout, stderr = p.communicate() + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file to %s" % out_path) + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr)) def fetch_file(self, in_path, out_path): ''' fetch a file from zone to local ''' - in_path = self._normalize_path(in_path, self.get_zone_path()) vvv("FETCH %s TO %s" % (in_path, out_path), host=self.zone) - self._copy_file(in_path, out_path) + + p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), None) + + with open(out_path, 'wb+') as out_file: + try: + for chunk in p.stdout.read(BUFSIZE): + out_file.write(chunk) + except: + traceback.print_exc() + raise errors.AnsibleError("failed to transfer file to %s" % out_path) + stdout, stderr = p.communicate() + if p.returncode != 0: + raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr)) def close(self): ''' terminate the connection; nothing to do here '''
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647nvdPatchWEB
- github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95bnvdPatchWEB
- www.openwall.com/lists/oss-security/2015/08/17/10nvdMailing ListThird Party AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party AdvisoryWEB
- github.com/advisories/GHSA-wwwh-47wp-m522ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-6240ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-3.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2019/09/msg00016.htmlnvdWEB
News mentions
0No linked articles in our index yet.