From cfb350758b3d5ef3065be5250a4901ffb8cc465e Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 17 Jun 2025 11:32:30 +0800
Subject: [PATCH] Fix CVE-2021-3583
---
 CVE-2021-3583.patch | 90 +++++++++++++++++++++++++++++++++++++++++++++
 ansible.spec | 26 +++----------
 2 files changed, 96 insertions(+), 20 deletions(-)
 create mode 100644 CVE-2021-3583.patch
diff --git a/CVE-2021-3583.patch b/CVE-2021-3583.patch
new file mode 100644
index 0000000..d50b7b2
--- /dev/null
+++ b/CVE-2021-3583.patch
@@ -0,0 +1,90 @@
+From 8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1 Mon Sep 17 00:00:00 2001
+From: Brian Coca
+Date: Fri, 11 Jun 2021 17:43:30 -0400
+Subject: [PATCH] fix unsafe preservation across newlines (#74960) (#74976)
+
+ CVE-2021-3583
+ ensure we always have unsafe
+
+Co-authored-by: Rick Elrod
+(cherry picked from commit 4c8c40fd3d4a58defdc80e7d22aa8d26b731353e)
+---
+ changelogs/fragments/fix_unsafe_newline.yml | 2 ++
+ lib/ansible/template/__init__.py | 5 ++++-
+ test/integration/targets/template/runme.sh | 4 ++++
+ test/integration/targets/template/unsafe.yml | 19 +++++++++++++++++++
+ 4 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 changelogs/fragments/fix_unsafe_newline.yml
+ create mode 100644 test/integration/targets/template/unsafe.yml
+
+diff --git a/changelogs/fragments/fix_unsafe_newline.yml b/changelogs/fragments/fix_unsafe_newline.yml
+new file mode 100644
+index 0000000..44180c6
+--- /dev/null
++++ b/changelogs/fragments/fix_unsafe_newline.yml
+@@ -0,0 +1,2 @@
++security_fixes:
++ - templating engine fix for not preserving usnafe status when trying to preserve newlines.
CVE-2021-3583
+diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
+index 140891c..2d7ee27 100644
+--- a/lib/ansible/template/__init__.py
++++ b/lib/ansible/template/__init__.py
+@@ -715,7 +715,8 @@ class Templar:
+
+ try:
+ res = j2_concat(rf)
+- if new_context.unsafe:
++ unsafe = new_context.unsafe
++ if unsafe:
+ res = wrap_var(res)
+ except TypeError as te:
+ if 'StrictUndefined' in to_native(te):
+@@ -742,6 +743,8 @@ class Templar:
+ res_newlines = _count_newlines_from_end(res)
+ if data_newlines > res_newlines:
+ res += self.environment.newline_sequence * (data_newlines - res_newlines)
++ if unsafe:
++ res = wrap_var(res)
+ return res
+ except (UndefinedError, AnsibleUndefinedVariable) as e:
+ if fail_on_undefined:
+diff --git a/test/integration/targets/template/runme.sh b/test/integration/targets/template/runme.sh
+index 5961895..8d8caf4 100755
+--- a/test/integration/targets/template/runme.sh
++++ b/test/integration/targets/template/runme.sh
+@@ -12,3 +12,7 @@ ansible-playbook ansible_managed.yml -c ansible_managed.cfg -i ../../inventory
+
+ # Test for #42585
+ NSIBLE_ROLES_PATH=../ ansible-playbook custom_template.yml -i ../../inventory -e @../../integration_config.yml -v "$@"
++
++# ensure unsafe is preserved, even with extra newlines
++ansible-playbook unsafe.yml -v "$@"
++
+diff --git a/test/integration/targets/template/unsafe.yml b/test/integration/targets/template/unsafe.yml
+new file mode 100644
+index 0000000..6746e1e
+--- /dev/null
++++ b/test/integration/targets/template/unsafe.yml
+@@ -0,0 +1,19 @@
++- hosts: localhost
++ gather_facts: false
++ vars:
++ nottemplated: this should not be seen
++ imunsafe: !unsafe '{{ nottemplated }}'
++ tasks:
++
++ - set_fact:
++ this_was_unsafe: >
++ {{ imunsafe }}
++
++ - set_fact:
++ this_always_safe: '{{ imunsafe }}'
++
++ - name: ensure nothing was templated
++ assert:
++ that:
++ - this_always_safe == imunsafe
++ - imunsafe == this_was_unsafe.strip()
+--
+2.49.0
+
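Review bot: In the backported `@@ -715` hunk, `unsafe = new_context.unsafe` is bound inside the `try:` only after `res = j2_concat(rf)` succeeds, while the re-wrap `if unsafe:` in the `@@ -742` hunk sits on the path that follows the `except TypeError` handler, which the hunk cuts off after `if 'StrictUndefined' in to_native(te):`; if any branch of that handler in the 2.5.5 tree falls through instead of raising, `unsafe` is an unbound local at the re-wrap, and a one-line `unsafe = False` placed before the `try:` would close that gap without changing the fix. The hunk offsets (715/742) come from the upstream stable tree the commit was cherry-picked from, not from ansible 2.5.5, so the patch presumably applies only with an offset; the build log should be checked for rejects on `lib/ansible/template/__init__.py`. In the runme.sh hunk the context line `NSIBLE_ROLES_PATH=../ ansible-playbook custom_template.yml ...` is missing the leading `A` of `ANSIBLE_ROLES_PATH`; if that is in the patch file itself rather than only in this rendering, that hunk's context will not match and the test hunk will be rejected. The enclosing `do_template` body starts and ends outside both Python hunks.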
diff --git a/ansible.spec b/ansible.spec
index e793b9b..40c25bd 100644
--- a/ansible.spec
+++ b/ansible.spec
@@ -3,7 +3,7 @@
 Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.5.5
-Release: 8
+Release: 9
 License: Python-2.0 and MIT and GPL+
 Url: http://ansible.com
 Source0: https://releases.ansible.com/ansible/%{name}-%{version}.tar.gz
@@ -25,6 +25,7 @@ Patch116: ansible-2.5.5-openEuler-hostname.patch
 Patch117: CVE-2024-0690.patch
 Patch118: CVE-2022-3697.patch
 Patch119: CVE-2023-5115.patch
+Patch120: CVE-2021-3583.patch
 BuildArch: noarch
 Provides: ansible-fireball = %{version}-%{release}
 Obsoletes: ansible-fireball < 1.2.4
@@ -76,25 +77,7 @@ are transferred to managed machines automatically.
 This package installs extensive documentation for ansible

 %prep
-%setup -q
-%patch0 -p1
-%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-%patch103 -p1
-%patch106 -p1
-%patch108 -p1
-%patch109 -p1
-%patch110 -p1
-%patch111 -p1
-%patch112 -p1
-%patch113 -p1
-%patch114 -p1
-%patch115 -p1
-%patch116 -p1
-%patch117 -p1
-%patch118 -p1
-%patch119 -p1
+%autosetup -p1
 %if 0%{?with_python3}
 rm -rf %{py3dir}
 cp -a . %{py3dir}
@@ -155,6 +138,9 @@ cp -pr docs/docsite/rst .
 %endif

 %changelog
+* Tue Jun 17 2025 yaoxin <1024769339@qq.com> - 2.5.5-9
+- Fix CVE-2021-3583
+
 * Sat Feb 08 2025 wangkai <13474090681@163.com> - 2.5.5-8
 - Fix CVE-2022-3697 CVE-2023-5115
--
Gitee
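Review bot: Replacing the explicit `%patch` list with `%autosetup -p1` in the `%prep` hunk changes which patches are applied, not only how: the removed list skipped `%patch104`, `%patch105` and `%patch107`, and `%autosetup` applies every declared `PatchN` in numeric order, so if those Patch tags are still declared earlier in the spec (the `@@ -25` hunk shows only Patch116 onward) they are now applied for the first time in release 9. Either drop those declarations in the same change, or keep the explicit list and add `%patch120 -p1` after `%patch119 -p1`, so that the CVE-2021-3583 fix is the only patch-set change this release introduces. The `%changelog` entry is signed yaoxin while the commit author is starlet-dx; presumably one of the two should match. The Release bump and the `Patch120: CVE-2021-3583.patch` declaration are fine as written.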