From e1ed84e5171e9e96b7f11110ec86a7825f439d1c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 13 Oct 2021 11:45:26 +0800
Subject: [PATCH] fix CVE-2019-10156

---
 CVE-2019-10156-1.patch | 138 +++++++++++++++++++++++++++++++++++++++++
 CVE-2019-10156-2.patch | 31 +++++++++
 ansible.spec | 9 ++-
 3 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10156-1.patch
 create mode 100644 CVE-2019-10156-2.patch

diff --git a/CVE-2019-10156-1.patch b/CVE-2019-10156-1.patch
new file mode 100644
index 0000000..32a4948
--- /dev/null
+++ b/CVE-2019-10156-1.patch
@@ -0,0 +1,138 @@ +From 8254c266f962d5febe46396d5083bb9c1da74840 Mon Sep 17 00:00:00 2001 +From: Brian Coca +Date: Tue, 4 Jun 2019 08:43:15 -0400 +Subject: [PATCH] just dont pass locals + + - also fix globals + - added tests +--- + changelogs/fragments/fix_safe_eval.yml | 2 + + lib/ansible/template/__init__.py | 2 +- + lib/ansible/template/safe_eval.py | 8 ++- + .../targets/template/corner_cases.yml | 51 +++++++++++++++++++ + test/integration/targets/template/runme.sh | 3 ++ + 5 files changed, 63 insertions(+), 3 deletions(-) + create mode 100644 changelogs/fragments/fix_safe_eval.yml + create mode 100644 test/integration/targets/template/corner_cases.yml + +diff --git a/changelogs/fragments/fix_safe_eval.yml b/changelogs/fragments/fix_safe_eval.yml +new file mode 100644 +index 0000000..19220b3 +--- /dev/null ++++ b/changelogs/fragments/fix_safe_eval.yml +@@ -0,0 +1,2 @@ ++bugfixes: ++ - Handle improper variable substitution that was happening in safe_eval, it was always meant to just do 'type enforcement' and have Jinja2 deal with all variable interpolation. 
Also see CVE-2019-10156 +diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py +index 8a0d569..140891c 100644 +--- a/lib/ansible/template/__init__.py ++++ b/lib/ansible/template/__init__.py +@@ -486,7 +486,7 @@ class Templar: + # if this looks like a dictionary or list, convert it to such using the safe_eval method + if (result.startswith("{") and not result.startswith(self.environment.variable_start_string)) or \ + result.startswith("[") or result in ("True", "False"): +- eval_results = safe_eval(result, locals=self._available_variables, include_exceptions=True) ++ eval_results = safe_eval(result, include_exceptions=True) + if eval_results[1] is None: + result = eval_results[0] + if unsafe: +diff --git a/lib/ansible/template/safe_eval.py b/lib/ansible/template/safe_eval.py +index a142d1d..c2d161d 100644 +--- a/lib/ansible/template/safe_eval.py ++++ b/lib/ansible/template/safe_eval.py +@@ -42,10 +42,14 @@ def safe_eval(expr, locals=None, include_exceptions=False): + + # define certain JSON types + # eg. JSON booleans are unknown to python eval() +- JSON_TYPES = { ++ OUR_GLOBALS = { ++ '__builtins__': {}, # avoid global builtins as per eval docs + 'false': False, + 'null': None, + 'true': True, ++ # also add back some builtins we do need ++ 'True': True, ++ 'False': False, + } + + # this is the whitelist of AST nodes we are going to +@@ -130,7 +134,7 @@ def safe_eval(expr, locals=None, include_exceptions=False): + # Note: passing our own globals and locals here constrains what + # callables (and other identifiers) are recognized. 
this is in + # addition to the filtering of builtins done in CleansingNodeVisitor +- result = eval(compiled, JSON_TYPES, dict(locals)) ++ result = eval(compiled, OUR_GLOBALS, dict(locals)) + + if include_exceptions: + return (result, None) +diff --git a/test/integration/targets/template/corner_cases.yml b/test/integration/targets/template/corner_cases.yml +new file mode 100644 +index 0000000..48782f7 +--- /dev/null ++++ b/test/integration/targets/template/corner_cases.yml +@@ -0,0 +1,51 @@ ++- name: test tempating corner cases ++ hosts: localhost ++ gather_facts: false ++ vars: ++ empty_list: [] ++ dont: I SHOULD NOT BE TEMPLATED ++ other: I WORK ++ tasks: ++ - name: 'ensure we are not interpolating data from outside of j2 delmiters' ++ assert: ++ that: ++ - '"I SHOULD NOT BE TEMPLATED" not in adjacent' ++ - globals1 == "[[], globals()]" ++ - globals2 == "[[], globals]" ++ vars: ++ adjacent: "{{ empty_list }} + [dont]" ++ globals1: "[{{ empty_list }}, globals()]" ++ globals2: "[{{ empty_list }}, globals]" ++ ++ - name: 'ensure we can add lists' ++ assert: ++ that: ++ - (empty_list + [other]) == [other] ++ - (empty_list + [other, other]) == [other, other] ++ - (dont_exist|default([]) + [other]) == [other] ++ - ([other] + [empty_list, other]) == [other, [], other] ++ ++ - name: 'ensure comments go away and we still dont interpolate in string' ++ assert: ++ that: ++ - 'comm1 == " + [dont]"' ++ - 'comm2 == " #} + [dont]"' ++ vars: ++ comm1: '{# {{nothing}} {# #} + [dont]' ++ comm2: "{# {{nothing}} {# #} #} + [dont]" ++ ++ - name: test additions with facts, set them up ++ set_fact: ++ inames: [] ++ iname: "{{ prefix ~ '-options' }}" ++ iname_1: "{{ prefix ~ '-options-1' }}" ++ vars: ++ prefix: 'bo' ++ ++ - name: add the facts ++ set_fact: ++ inames: '{{ inames + [iname, iname_1] }}' ++ ++ - assert: ++ that: ++ - inames == ['bo-options', 'bo-options-1'] +diff --git a/test/integration/targets/template/runme.sh b/test/integration/targets/template/runme.sh +index 
4df69c4..5961895 100755 +--- a/test/integration/targets/template/runme.sh ++++ b/test/integration/targets/template/runme.sh +@@ -9,3 +9,6 @@ ansible testhost -i testhost, -m debug -a 'msg={{ hostvars["localhost"] }}' -e " + + # Test for https://github.com/ansible/ansible/issues/27262 + ansible-playbook ansible_managed.yml -c ansible_managed.cfg -i ../../inventory -e @../../integration_config.yml -v "$@" ++ ++# Test for #42585 ++NSIBLE_ROLES_PATH=../ ansible-playbook custom_template.yml -i ../../inventory -e @../../integration_config.yml -v "$@" +-- +2.27.0 + diff --git a/CVE-2019-10156-2.patch b/CVE-2019-10156-2.patch new file mode 100644 index 0000000..f2677e4 --- /dev/null +++ b/CVE-2019-10156-2.patch @@ -0,0 +1,31 @@ +From fbda0028750a17a032d83dad9d1fb284f9ea68a4 Mon Sep 17 00:00:00 2001 +From: Brian Coca +Date: Thu, 6 Jun 2019 13:26:14 -0400 +Subject: [PATCH] fixed tests + +--- + .../targets/docker_image/tasks/tests/old-options.yml | 2 +- + test/integration/targets/meraki_static_route/tasks/main.yml | 6 +++--- + test/integration/targets/netapp_eseries_host/tasks/run.yml | 4 ++-- + test/integration/targets/postgresql/tasks/main.yml | 2 +- + test/legacy/ovs.yaml | 4 ++-- + 5 files changed, 9 insertions(+), 9 deletions(-) + +--- ansible-2.5.1+dfsg.orig/test/legacy/ovs.yaml ++++ ansible-2.5.1+dfsg/test/legacy/ovs.yaml +@@ -22,7 +22,7 @@ + when: "limit_to in ['*', 'openvswitch_db']" + rescue: + - set_fact: +- failed_modules: "{{ failed_modules }} + [ 'openvswitch_db' ]" ++ failed_modules: "{{ failed_modules + [ 'openvswitch_db' ]}}" + test_failed: true + + +@@ -33,4 +33,4 @@ + - name: Has any previous test failed? + fail: + msg: "One or more tests failed, check log for details" +- when: test_failed +\ No newline at end of file ++ when: test_failed diff --git a/ansible.spec b/ansible.spec index f4c4cd2..301ac35 100644 --- a/ansible.spec +++ b/ansible.spec 
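Review bot: The runme.sh hunk at the end of the embedded patch never runs the corner_cases.yml playbook that the same patch adds, so the regression test for CVE-2019-10156 is not exercised by the test target: the added line reads `NSIBLE_ROLES_PATH=../ ansible-playbook custom_template.yml ...`, which references a playbook this patch does not create and sets a variable that looks like a truncated `ANSIBLE_ROLES_PATH`. Replace it with a call to the playbook that is actually added, following the style of the line above it, `ansible-playbook corner_cases.yml -i ../../inventory -e @../../integration_config.yml -v "$@"`, and change the comment to `# Test for CVE-2019-10156: no interpolation outside j2 delimiters`. The safe_eval hunk still hands `dict(locals)` to eval, so the hardening from the empty `__builtins__` and the removed `locals=self._available_variables` holds only as long as no other caller passes `locals`; safe_eval's body starts and ends outside the hunk, so whether the `None` default is normalised there cannot be confirmed from this page.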
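Review bot: The header of CVE-2019-10156-2.patch lists five changed files (docker_image old-options.yml, meraki_static_route, netapp_eseries_host, postgresql and test/legacy/ovs.yaml) with 9 insertions and 9 deletions, but the body carries only the ovs.yaml hunk, so the diffstat no longer describes the patch and the other four test files, if they exist in the 2.5.5 tree, keep the `"{{ var }} + [ ... ]"` form that the first patch deliberately stops interpolating. Either trim the header to what is actually carried, `test/legacy/ovs.yaml | 4 ++--` and `1 file changed, 2 insertions(+), 2 deletions(-)`, or include the remaining hunks. The ovs.yaml change itself is the right shape: moving the concatenation inside the delimiters, `failed_modules: "{{ failed_modules + [ 'openvswitch_db' ]}}"`, is what the safe_eval change now requires. The `ansible-2.5.1+dfsg.orig/` paths presumably still resolve to `test/legacy/ovs.yaml` under the `%patch113 -p1` the spec uses, but the prefix differs from the `a/`/`b/` form of the first patch and is worth normalising.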
@@ -3,7 +3,7 @@ Name: ansible Summary: SSH-based configuration management, deployment, and task execution system Version: 2.5.5 -Release: 2 +Release: 3 License: Python-2.0 and MIT and GPL+ Url: http://ansible.com Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz @@ -20,6 +20,8 @@ Patch108: CVE-2020-1739.patch Patch109: CVE-2020-1740.patch Patch110: CVE-2020-1753.patch Patch111: CVE-2021-20191.patch +Patch112: CVE-2019-10156-1.patch +Patch113: CVE-2019-10156-2.patch BuildArch: noarch Provides: ansible-fireball = %{version}-%{release} Obsoletes: ansible-fireball < 1.2.4 @@ -85,6 +87,8 @@ This package installs extensive documentation for ansible %patch109 -p1 %patch110 -p1 %patch111 -p1 +%patch112 -p1 +%patch113 -p1 %if 0%{?with_python3} rm -rf %{py3dir} @@ -146,6 +150,9 @@ cp -pr docs/docsite/rst . %endif %changelog +* Wed Oct 13 2021 yaoxin - 2.5.5-3 +- Fix CVE-2019-10156 + * Fri Sep 17 2021 yaoxin - 2.5.5-2 - Fix CVE-2019-14904 CVE-2020-10684 CVE-2020-10729 CVE-2020-1735-to-CVE-2020-1740 CVE-2020-1753 CVE-2021-20191 -- Gitee