Patch acme.sh/4659 for arbitrary command execution

Temporarily cherry-pick the commits which fix "acme.sh runs arbitrary commands from a remote server" https://github.com/acmesh-official/acme.sh/issues/4659 as trivial backports on top of their 3.0.5 release until such time as we can upgrade. This addresses a remote code execution vulnerability (no CVE assigned yet) which could be exploited by the ACME protocol operator, in our case the admins of the Let's Encrypt certificate authority. Change-Id: Ib052901a7aa08a9fdbd01d623f4b5d3eee938401
2023-06-11 18:56:54 +00:00 · 2023-06-11 18:56:54 +00:00 · 8500dcf394
commit 8500dcf394
parent 55c6650179
1 changed files with 8 additions and 0 deletions
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@ -2,12 +2,20 @@
  git:
    repo: https://github.com/acmesh-official/acme.sh
    dest: /opt/acme.sh
+    # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
    version: 3.0.5
  register: clone_acmesh_result
  until: clone_acmesh_result is not failed
  retries: 3
  delay: 2

+# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
+# until we can upgrade to 3.0.6 or later
+- name: Patch for issue 4659
+  shell: |
+    git -C /opt/acme.sh cherry-pick 4c30250
+    git -C /opt/acme.sh cherry-pick 327e2fb
+
 - name: Install letsencrypt group
  group:
    name: letsencrypt