High severity · 7.8 · NVD Advisory · Published Jun 3, 2016 · Updated May 6, 2026

CVE-2016-3096

Description

The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.
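The predictable-name pattern described above, contrasted with exclusive creation, as an added example (not Ansible's code). It runs entirely inside a private temporary directory; `victim.txt`, the helper names and the sample data are constructed for illustration.

```python
import os
import pathlib
import stat
import tempfile

LOG_NAME = "lxc-attach-script.log"  # fixed name used by the pre-fix code

def append_predictable(directory, data):
    """Pre-fix pattern: fixed name in a shared directory; open() follows a symlink."""
    with open(os.path.join(directory, LOG_NAME), "ab") as f:
        f.write(data)

def create_exclusive(directory, data):
    """O_CREAT|O_EXCL fails if the name exists at all, even as a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(os.path.join(directory, LOG_NAME), flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def create_mkstemp(directory, data):
    """Pattern the fix adopts: random suffix, O_EXCL, mode 0600. Returns the path."""
    fd, path = tempfile.mkstemp(prefix="lxc-attach-script-log", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Run all three writers in a sandbox directory and report what each touched."""
    with tempfile.TemporaryDirectory() as shared:
        victim = pathlib.Path(shared, "victim.txt")  # constructed stand-in file
        victim.write_bytes(b"original")
        # Constructed precondition: the fixed name already exists as a symlink.
        os.symlink(victim, os.path.join(shared, LOG_NAME))

        result = {}
        tmp_path = create_mkstemp(shared, b"output")
        result["mkstemp_mode"] = stat.S_IMODE(os.stat(tmp_path).st_mode)
        result["victim_after_mkstemp"] = victim.read_bytes()
        try:
            create_exclusive(shared, b"output")
            result["exclusive_refused"] = False
        except FileExistsError:
            result["exclusive_refused"] = True
        append_predictable(shared, b"output")  # writes through the symlink
        result["victim_after_predictable"] = victim.read_bytes()
        return result

if __name__ == "__main__":
    print(demo())
```

Only the fixed-name writer modifies the file behind the symlink; the exclusive and `mkstemp` variants either refuse the existing name or never use it.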

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions          Patched versions
ansible (PyPI)   >= 2.0.0.0, < 2.0.2.0      2.0.2.0
ansible (PyPI)   < 1.9.6.1                  1.9.6.1

Affected products

  • cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
  • Red Hat/Ansible (3 versions)
    • cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* (range: <=1.9.6)
    • cpe:2.3:a:redhat:ansible:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:ansible:2.0.1:*:*:*:*:*:*:*

Patches

7c3999a92a1c

do not use a predictable filenames in the LXC plugin

1 file changed · +8 -14
  • cloud/lxc/lxc_container.py · +8 -14 · modified
    @@ -144,7 +144,7 @@
             description:
               - Path the save the archived container. If the path does not exist
                 the archive method will attempt to create it.
    -        default: /tmp
    +        default: null
         archive_compression:
             choices:
               - gzip
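    Review bot: The archive_path description is left unchanged while its default drops from /tmp to null, so the docs never say the option is now mandatory when archive is enabled. Add a sentence such as "Required when archive is true" to the description, and fix the "Path the save" typo in the same line while touching this block.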
    @@ -557,13 +557,8 @@ def create_script(command):
         import subprocess
         import tempfile
     
    -    # Ensure that the directory /opt exists.
    -    if not path.isdir('/opt'):
    -        os.mkdir('/opt')
    -
    -    # Create the script.
    -    script_file = path.join('/opt', '.lxc-attach-script')
    -    f = open(script_file, 'wb')
    +    (fd, script_file) = tempfile.mkstemp(prefix='lxc-attach-script')
    +    f = os.fdopen(fd, 'wb')
         try:
             f.write(ATTACH_TEMPLATE % {'container_command': command})
             f.flush()
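    Review bot: tempfile.mkstemp(prefix='lxc-attach-script') is called without dir=, so the script now lands in the default temporary directory instead of /opt; on hosts where that directory is mounted noexec, running a file that is only made executable with chmod will fail. Consider accepting a dir= override or invoking the script through its interpreter. Two smaller points on the same lines: os.fdopen(fd, 'wb') sits outside the try block, so a failure there leaks fd, and nothing in this hunk removes script_file afterwards, which matters more now that every call creates a new file.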
    @@ -573,14 +568,11 @@ def create_script(command):
         # Ensure the script is executable.
         os.chmod(script_file, 0700)
     
    -    # Get temporary directory.
    -    tempdir = tempfile.gettempdir()
    -
         # Output log file.
    -    stdout_file = open(path.join(tempdir, 'lxc-attach-script.log'), 'ab')
    +    stdout_file = os.fdopen(tempfile.mkstemp(prefix='lxc-attach-script-log')[0], 'ab')
     
         # Error log file.
    -    stderr_file = open(path.join(tempdir, 'lxc-attach-script.err'), 'ab')
    +    stderr_file = os.fdopen(tempfile.mkstemp(prefix='lxc-attach-script-err')[0], 'ab')
     
         # Execute the script command.
         try:
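    Review bot: Both log lines keep only element [0] of the mkstemp() result and throw the path away, so the module can never unlink these files or tell the user where the output went, and each run leaves two more lxc-attach-script-log*/-err* files behind. Keep the tuple, e.g. (log_fd, log_path) = tempfile.mkstemp(...), and remove the files once the command has finished, or use tempfile.TemporaryFile() if the contents are not needed afterwards. The 'ab' mode is also no longer meaningful on a freshly created file; 'wb' states the intent better.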
    @@ -1747,14 +1739,16 @@ def main():
                 ),
                 archive_path=dict(
                     type='str',
    -                default='/tmp'
                 ),
                 archive_compression=dict(
                     choices=LXC_COMPRESSION_MAP.keys(),
                     default='gzip'
                 )
             ),
             supports_check_mode=False,
    +        required_if = ([
    +            ('archive', True, ['archive_path'])
    +        ]),
         )
     
         if not HAS_LXC:
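    Review bot: The required_if entry only checks that archive_path is present when archive is true; archive_path is still a plain type='str', so a playbook that passes /tmp or another world-writable directory gets the same archive location as the old default. If the archive file name inside that directory is predictable, consider checking the directory's ownership and mode before writing, or documenting that it must not be shared. Style: required_if = ([ ... ]) has spaces around the keyword "=" and a redundant pair of parentheses, unlike supports_check_mode=False directly above it.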
    
