From 859acb663da810c39b50ff58c098028c0d6bb6a3 Mon Sep 17 00:00:00 2001 From: Bernhard M. Wiedemann Date: May 29 2020 19:48:39 +0000 Subject: Update ansible to rev 65 via SR 810048 https://build.opensuse.org/request/show/810048 by user lrupp + maxlin_factory --- diff --git a/.files b/.files index bcd4c72..672467f 100644 Binary files a/.files and b/.files differ diff --git a/.rev b/.rev index db7639d..99f0ecc 100644 --- a/.rev +++ b/.rev @@ -747,4 +747,12 @@ numbers for further reference. 809115 + + 497f2beea2cf965f1d12710dba81ae8d + 2.9.9 + + maxlin_factory + + 810048 + diff --git a/CVE-2020-1733_avoid_mkdir_p.patch b/CVE-2020-1733_avoid_mkdir_p.patch deleted file mode 100644 index 3bd138d..0000000 --- a/CVE-2020-1733_avoid_mkdir_p.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 0a85e91329d4c048e7e4b2cd478f2c17a3dac988 Mon Sep 17 00:00:00 2001 -From: Brian Coca -Date: Mon, 13 Apr 2020 17:16:29 -0400 -Subject: [PATCH 1/4] avoid mkdir -p (#68921) - -* also consolidated temp dir name generation, added pid for more 'uniqness' -* generalize error message -* added notes about remote expansion - -CVE-2020-1733 -fixes #67791 - -(cherry picked from commit 8077d8e40148fe77e2393caa5f2b2ea855149d63) ---- - changelogs/fragments/remote_mkdir_fix.yml | 2 ++ - lib/ansible/plugins/action/__init__.py | 11 ++++++++--- - lib/ansible/plugins/shell/__init__.py | 14 ++++++++++---- - lib/ansible/plugins/shell/powershell.py | 2 ++ - 4 files changed, 22 insertions(+), 7 deletions(-) - create mode 100644 changelogs/fragments/remote_mkdir_fix.yml - ---- /dev/null -+++ b/changelogs/fragments/remote_mkdir_fix.yml -@@ -0,0 +1,2 @@ -+bugfixes: -+ - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733 ---- a/lib/ansible/plugins/action/__init__.py -+++ b/lib/ansible/plugins/action/__init__.py -@@ -340,7 +340,11 @@ class ActionBase(with_metaclass(ABCMeta, - else: - # NOTE: shell plugins should populate this setting anyways, but they dont do remote expansion, which - # we need for 'non posix' systems like cloud-init and solaris -- tmpdir = self._remote_expand_user(self.get_shell_option('remote_tmp', default='~/.ansible/tmp'), sudoable=False) -+ try: -+ tmpdir = self._connection._shell.get_option('remote_tmp') -+ except AnsibleError: -+ tmpdir = '~/.ansible/tmp' -+ tmpdir = self._remote_expand_user(tmpdir, sudoable=False) - - become_unprivileged = self._is_become_unprivileged() - basefile = self._connection._shell._generate_temp_dir_name() ---- a/lib/ansible/plugins/shell/__init__.py -+++ b/lib/ansible/plugins/shell/__init__.py -@@ -79,6 +79,10 @@ class ShellBase(AnsiblePlugin): - def _generate_temp_dir_name(): - return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48)) - -+ @staticmethod -+ 
def _generate_temp_dir_name(): -+ return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48)) -+ - def env_prefix(self, **kwargs): - return ' '.join(['%s=%s' % (k, shlex_quote(text_type(v))) for k, v in kwargs.items()]) - diff --git a/CVE-2020-1744_avoid_mkdir_p.patch b/CVE-2020-1744_avoid_mkdir_p.patch new file mode 100644 index 0000000..3bd138d --- /dev/null +++ b/CVE-2020-1744_avoid_mkdir_p.patch 
@@ -0,0 +1,54 @@ +From 0a85e91329d4c048e7e4b2cd478f2c17a3dac988 Mon Sep 17 00:00:00 2001 +From: Brian Coca +Date: Mon, 13 Apr 2020 17:16:29 -0400 +Subject: [PATCH 1/4] avoid mkdir -p (#68921) + +* also consolidated temp dir name generation, added pid for more 'uniqness' +* generalize error message +* added notes about remote expansion + +CVE-2020-1733 +fixes #67791 + +(cherry picked from commit 8077d8e40148fe77e2393caa5f2b2ea855149d63) +--- + changelogs/fragments/remote_mkdir_fix.yml | 2 ++ + lib/ansible/plugins/action/__init__.py | 11 ++++++++--- + lib/ansible/plugins/shell/__init__.py | 14 ++++++++++---- + lib/ansible/plugins/shell/powershell.py | 2 ++ + 4 files changed, 22 insertions(+), 7 deletions(-) + create mode 100644 changelogs/fragments/remote_mkdir_fix.yml + +--- /dev/null ++++ b/changelogs/fragments/remote_mkdir_fix.yml +@@ -0,0 +1,2 @@ ++bugfixes: ++ - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733 +--- a/lib/ansible/plugins/action/__init__.py ++++ b/lib/ansible/plugins/action/__init__.py +@@ -340,7 +340,11 @@ class ActionBase(with_metaclass(ABCMeta, + else: + # NOTE: shell plugins should populate this setting anyways, but they dont do remote expansion, which + # we need for 'non posix' systems like cloud-init and solaris +- tmpdir = self._remote_expand_user(self.get_shell_option('remote_tmp', default='~/.ansible/tmp'), sudoable=False) ++ try: ++ tmpdir = self._connection._shell.get_option('remote_tmp') ++ except AnsibleError: ++ tmpdir = '~/.ansible/tmp' ++ tmpdir = self._remote_expand_user(tmpdir, sudoable=False) + + become_unprivileged = self._is_become_unprivileged() + basefile = self._connection._shell._generate_temp_dir_name() +--- a/lib/ansible/plugins/shell/__init__.py ++++ b/lib/ansible/plugins/shell/__init__.py +@@ -79,6 +79,10 @@ class ShellBase(AnsiblePlugin): + def _generate_temp_dir_name(): + return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48)) + ++ @staticmethod ++ 
def _generate_temp_dir_name(): ++ return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48)) ++ + def env_prefix(self, **kwargs): + return ' '.join(['%s=%s' % (k, shlex_quote(text_type(v))) for k, v in kwargs.items()]) + diff --git a/ansible.changes b/ansible.changes index e697cb6..609f13c 100644 --- a/ansible.changes +++ b/ansible.changes @@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Thu May 28 13:57:38 UTC 2020 - Matej Cepl + +- Correct ID of CVE and rename the patch to + CVE-2020-1744_avoid_mkdir_p.patch + +------------------------------------------------------------------- Tue May 26 13:02:10 UTC 2020 - Matej Cepl - Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733 @@ -43,7 +49,8 @@ Fri Apr 17 06:49:56 UTC 2020 - Michael Ströder ldap_attr and ldap_entry modules - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive information - - CVE-2020-10684 - code injection when using ansible_facts as a subkey + - bsc#1167532 CVE-2020-10684 - code injection when using + ansible_facts as a subkey - bsc#1167440 CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2] 
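Review bot: The packaged backport added under `@@ -0,0 +1,54 @@` looks incomplete relative to its own diffstat: the embedded header lists four files (`lib/ansible/plugins/shell/powershell.py | 2 ++`, `lib/ansible/plugins/shell/__init__.py | 14 ++++++++++----`, 22 insertions and 7 deletions), yet the 54-line file ends after a short shell/__init__.py hunk, carries no powershell.py hunk at all, and that shell hunk shows `_generate_temp_dir_name` both as context and as a newly added `@staticmethod`, which suggests either a truncated extract or a rendering artefact of this page. Since Patch0 appears to be the only patch carried for the bsc#1171823 temp-directory race, please verify the file against upstream commit 8077d8e40148fe77e2393caa5f2b2ea855149d63 (named in its cherry-pick line) before release; `%patch` only fails on hunks that do not apply, not on hunks that are missing. Separately, the file is renamed to CVE-2020-1744 while its subject line and the changelog fragment it adds still read `CVE-2020-1733`, so the spec comment should state which ID the advisory actually assigns and why the rename was made, otherwise the next packager will "correct" it back.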
@@ -518,7 +525,7 @@ Sun Feb 24 10:06:31 UTC 2019 - Michael Ströder * openstack inventory plugin * send logs from sdk to stderr so they do not combine with output * psrp * do not display bootstrap wrapper for each module exec run * redfish_utils * get standard properties for firmware entries (https://github.com/ansible/ansible/issues/49832) - * remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828) (https://github.com/ansible/ansible/pull/52133) + * remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133) * ufw * when using ``state: reset`` in check mode, ``ufw --dry-run reset`` was executed, which causes a loss of firewall rules. The ``ufw`` module was adjusted to no longer run ``ufw --dry-run reset`` to prevent this from happening. * ufw: make sure that only valid values for ``direction`` are passed on. * update GetBiosBootOrder to use standard Redfish resources (https://github.com/ansible/ansible/issues/47571) @@ -895,6 +902,8 @@ Mon Jul 30 15:05:07 UTC 2018 - lars@linux-schulserver.de + Restore module_utils.basic.BOOLEANS variable for backwards compatibility with the module API in older ansible releases. Bugfixes: + + Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read + from current working directory allowing possible code execution + Add text output along with structured output in nxos_facts + Allow more than one page of results by using the right pagination indicator ('NextMarker' instead of 'NextToken'). diff --git a/ansible.spec b/ansible.spec index c3c13ac..90475a3 100644 --- a/ansible.spec +++ b/ansible.spec 
@@ -229,9 +229,9 @@ URL: https://ansible.com/
 Source: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
 Source1: https://releases.ansible.com/ansible/ansible-%{version}.tar.gz.sha
 Source99: ansible-rpmlintrc
-# PATCH-FIX-UPSTREAM CVE-2020-1733_avoid_mkdir_p.patch bsc#1171823 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2020-1744_avoid_mkdir_p.patch bsc#1171823 mcepl@suse.com
 # gh#ansible/ansible#67791 avoid race condition and insecure directory creation
-Patch0: CVE-2020-1733_avoid_mkdir_p.patch
+Patch0: CVE-2020-1744_avoid_mkdir_p.patch
 BuildArch: noarch
 # extented documentation
 %if 0%{?with_docs}