Mitogen broken after ansible security patch for "unsafe variables" #1034
Here is a workaround for making mitogen work with ansible v2.16.2: Open file: mitogen/mitogen/core.py
Open file: mitogen/ansible_mitogen/loaders.py
Hey @AKrumov, thanks for looking into this. I can confirm that your patch is working for me as well.
Many thanks @AKrumov! It's working for me too! I'm sad to see this project is abandoned.
As part of my fixes for Mitogen 2.16 and Python 3.12, in #1033 (comment) I solved this in my patch, slightly differently: In +AnsibleUnsafeText = None
+
+def lazy_AnsibleUnsafeText():
+ global AnsibleUnsafeText
+ if AnsibleUnsafeText is not None:
+ return AnsibleUnsafeText
+ mod = __import__("ansible.utils.unsafe_proxy", fromlist=("AnsibleUnsafeText",))
+ AnsibleUnsafeText = getattr(mod, "AnsibleUnsafeText")
+ assert type(AnsibleUnsafeText) is type, f"AnsibleUnsafeText {AnsibleUnsafeText} is not a type"
+ assert callable(AnsibleUnsafeText), f"AnsibleUnsafeText {AnsibleUnsafeText} is not callable"
+ return AnsibleUnsafeText
+
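Review bot: the two `assert` statements at the end of `lazy_AnsibleUnsafeText()` are the only checks that the looked-up attribute is a class, and `assert` is compiled out under `python -O`, so in that mode a non-class attribute would be cached in the global and handed back from `find_class` unchecked; replace them with an explicit `if not isinstance(AnsibleUnsafeText, type): raise TypeError(...)`. The first assert (`type(AnsibleUnsafeText) is type`) also rejects any class whose metaclass is not exactly `type`, which `isinstance(..., type)` would accept. A one-line comment above the function saying why the import is deferred rather than done at module load would help the next reader.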
+ @@ -860,6 +893,8 @@ class Message(object):
return Secret
elif func == 'Kwargs':
return Kwargs
+ elif module == 'ansible.utils.unsafe_proxy' and func == 'AnsibleUnsafeText':
+ return lazy_AnsibleUnsafeText()
elif module == '_codecs' and func == 'encode':
return self._unpickle_bytes
elif module == '__builtin__' and func == 'bytes': |
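Review bot: the hunk header line carries a stray leading `+ ` before `@@ -860,6 +893,8 @@`, so the patch as pasted will not apply with `git apply`; drop the `+` so the header parses. The new `elif` extends the unpickler's allowlist of (module, func) pairs by exactly one entry and returns the real `AnsibleUnsafeText` class, which is the right shape: the marker class is reconstructed on the far side rather than the check being bypassed. Consider a short comment on the new branch naming the Ansible change that made it necessary, so the entry is not later mistaken for dead code and removed.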
Thank you for the workarounds. Could we get some comments on the relative merits of the two versions? Are we simply subverting the CVE fix or actually incorporating it into mitogen?
I do not know what the Unsafe proxy actually protects against, but my random guess is that it somehow intercepts calls to logging and print, and does not allow them to be printed or logged to output of ansible (i.e. when running with -v), but conversion to str should work. It is not a serious security risk, unless you make your log files publicly visible, or something (i.e. when running from AWX / Tower, but people that should not have access to original secrets).
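To make concrete what the question above is really about (whether letting the unpickler rebuild `AnsibleUnsafeText` keeps or discards the "unsafe" tagging), here is an added example that is not code from Mitogen or Ansible. `UnsafeText` is a constructed stand-in for a str subclass used as a taint marker; `ALLOWED_GLOBALS`, `RestrictedUnpickler`, `lazy_marker_cls`, `round_trip`, `try_load`, `is_unsafe` and `demo` are names assumed for this example, and the only thing it shares with the thread's patch is the shape: an exact (module, name) allowlist in `find_class` and a class resolved lazily on first use. It shows that a marker subclass survives a pickle round trip only when the unpickler is allowed to reconstruct that class, that converting the value to plain `str` first silently loses the marker, and that any class not on the allowlist is refused.

```python
"""Restricted unpickling with an explicit (module, name) allowlist.

Added example, not Mitogen's or Ansible's code. UnsafeText is a constructed
stand-in for a str subclass used as a taint marker; the allowlist and the lazy
class lookup follow the shape of the patch in this thread, nothing more.
"""
import io
import pickle
from fractions import Fraction


class UnsafeText(str):
    """Constructed marker type: a str that records it came from untrusted input."""
    __UNSAFE__ = True


# Cached reference, resolved on first use rather than at import time (the same
# shape as lazy_AnsibleUnsafeText in the thread; that patch does an __import__
# of the ansible module here, this example resolves a local name instead).
_marker_cls = None


def lazy_marker_cls():
    """Resolve and cache the marker class, refusing anything that is not a class."""
    global _marker_cls
    if _marker_cls is None:
        cls = globals()["UnsafeText"]
        if not isinstance(cls, type):  # explicit check: not stripped by python -O
            raise TypeError("UnsafeText is not a class: %r" % (cls,))
        _marker_cls = cls
    return _marker_cls


# Exact (module, name) pairs the unpickler may reconstruct; everything else is refused.
ALLOWED_GLOBALS = {
    (UnsafeText.__module__, "UnsafeText"): lazy_marker_cls,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class honours only the allowlist above."""

    def find_class(self, module, name):
        loader = ALLOWED_GLOBALS.get((module, name))
        if loader is None:
            raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))
        return loader()


def round_trip(obj):
    """Pickle obj and load it back through the restricted unpickler."""
    data = pickle.dumps(obj, protocol=2)
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return (True, value) or (False, reason) instead of letting refusals propagate."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def is_unsafe(value):
    """True only for values that still carry the marker after transport."""
    return getattr(value, "__UNSAFE__", False) is True


def demo():
    """Run the three cases and return their results for inspection."""
    tainted = UnsafeText("untrusted {{ value }}")  # constructed sample input
    return {
        # Marker class is allowlisted, so the tag survives the round trip.
        "marker_survives": is_unsafe(round_trip(tainted)),
        # Converting to plain str before transport drops the tag on the floor.
        "plain_str_loses_marker": is_unsafe(round_trip(str(tainted))),
        # A class that is not on the allowlist is refused outright.
        "unlisted_class": try_load(pickle.dumps(Fraction(1, 2), protocol=2)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The refusal path is the one that matters for a deserializer fed by a remote peer: extending the allowlist by one exact pair keeps every other global refused, which is the difference between incorporating the marker class into the transport and stripping the marker by converting the text to `str` on one side.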
@AKrumov, would you mind if I use your patch for serverscom.mitogen? I already do autopatch for ANSIBLE_VERSION, seems like it's time to start adding more patches.
I'm not helping here, but I'm using the patch and it fixes the issue; my plays now have lots of lines of:
Drop the print() statement in the patch. It presumably was just for debugging purposes.
Absolutely! Go ahead and use the patch for serverscom.mitogen. Sorry for getting back to you late. If you need anything else or have more questions, just let me know!
I believe the changes in #1017 will fix this, based on branch https://github.com/moreati/mitogen/tree/2.14. Please try it and let me know how it goes. If all is well this will go into master, and then release 0.3.6. Sorry for the long wait, and thanks for helping with interim workarounds.
It works, even with ansible 2.16.5 and this patch:
Could you please add support for 2.16 too?
@nerijus just put 99 and not bother:
Mitogen has always worked with the most recent ansible :) Not even sure why this is checked.
No, not always :)
Not in the next release (0.3.6). I'm aiming for smaller, more frequent releases. 2.15 and 2.16 will be in subsequent release(s).
Mitogen 0.3.6 is now out.
Ansible has released a security patch for CVE-2023-5764 in all maintained versions, namely 2.16.1, 2.15.7 and 2.14.12. This patch breaks mitogen, as seen in the example of a simple package installation task:
For example in 2.16.1, the culprit is ansible/ansible@270b39f. The problem persists on the current stable-2.16 branch and is not fixed by unreleased commits like "Additional unsafe fixes" ansible/ansible#82376.
Considering that Ansible 2.13 has been end-of-life since November and all maintained versions (2.14-2.16) are currently broken, we are left in the undesirable situation where no supported Ansible version remains compatible with mitogen.