Hi,

On Sat, Dec 11, 2021 at 12:53:19PM +0100, Sakirnth Nagarasa wrote:
> Hi,
>
> I am maintaining ansible-runner. There is this bug (CVE-2021-4041) in
> the security tracker and I think the bug does not affect the version
> which I have uploaded.
>
> This is the link to the bug:
> https://security-tracker.debian.org/tracker/CVE-2021-4041
>
> This is the affected code:
> https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257
>
> Recent version from Debian:
> https://github.com/ansible/ansible-runner/blob/83b5d4e688d2563b0fe89e0a184e06879ca73eec/ansible_runner/runner.py#L260
>
> I assume the " ".join(command) can lead to improper shell escaping.
> Therefore this method was removed from this line in the recent version.
> Correct me if I am wrong, then I will open a bug report for upstream.
Right, the original reference is at Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=2028074 . There is the
following upstream commit:
https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd
which resolves the issue.

Regards,
Salvatore
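
The class of bug the thread refers to, as an added stand-alone example that is not part of this thread and not ansible-runner's own code: an argument vector flattened with " ".join() loses its argument boundaries, so if the resulting string is ever handed to a shell, metacharacters inside one argument become shell syntax. The argument vector below is constructed for the demonstration; the function names are the example's own. It contrasts the naive join with shlex.join() (Python 3.8+), which quotes each element so a POSIX shell rebuilds the original argv, and with passing the list directly without a shell. Running it requires a POSIX /bin/sh.

```python
"""Demonstrate why ' '.join(argv) is unsafe once the string reaches a shell."""
import shlex
import subprocess

# Constructed sample argv: the second element carries shell metacharacters.
# In a real tool this element might be user-controlled (an extra var, a path).
ARGV = ["echo", "a; echo INJECTED"]


def naive_join(argv):
    """The pattern discussed in the thread: argument boundaries are discarded."""
    return " ".join(argv)


def quoted_join(argv):
    """Each element is shell-quoted, so 'sh -c' reconstructs exactly argv."""
    return shlex.join(argv)


def argv_as_shell_tokenizes(cmdline):
    """Tokenize a command string the way a POSIX shell would split words.

    shlex.split does not interpret ';' as a command separator, but it shows
    where the word boundaries end up, which is enough to see the damage.
    """
    return shlex.split(cmdline)


def run_through_shell(cmdline):
    """Execute a command *string* via /bin/sh -c and return its stdout."""
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_as_argv(argv):
    """Execute the argument list directly (no shell involved) and return stdout."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("naive  :", naive_join(ARGV), "->", argv_as_shell_tokenizes(naive_join(ARGV)))
    print("quoted :", quoted_join(ARGV), "->", argv_as_shell_tokenizes(quoted_join(ARGV)))
    print("shell, naive  :", repr(run_through_shell(naive_join(ARGV))))
    print("shell, quoted :", repr(run_through_shell(quoted_join(ARGV))))
    print("no shell      :", repr(run_as_argv(ARGV)))
```

The safest option is the last one: keep the command as a list and never involve a shell, which is what the subprocess and pexpect APIs support natively. shlex.join is the fallback only when a string is unavoidable, for example when the consumer insists on a single command line.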
