Red Hat Bugzilla – Attachment 1975184 Details for Bug 2219407
[RHEL9] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Attachment 1975184: [patch] proposed fix
Description: proposed fix
Filename: 0001-use-a-filter-when-extracting-a-config-backup-tarball.patch
MIME Type: text/plain
Creator: Tomas Jelinek
Created: 2023-07-11 15:46:12 UTC
Size: 3.44 KB
Marked as: patch, obsolete
>From 9d0bdcd42d29b1d7ca783d8b7585401ba59fffa9 Mon Sep 17 00:00:00 2001 >From: Tomas Jelinek <tojeline@redhat.com> >Date: Tue, 11 Jul 2023 14:09:17 +0200 >Subject: [PATCH] use a filter when extracting a config backup tarball > >--- > CHANGELOG.md | 5 +++++ > pcs/config.py | 26 ++++++++++++++++++++++++-- > 2 files changed, 29 insertions(+), 2 deletions(-) > >diff --git a/CHANGELOG.md b/CHANGELOG.md >index 5117b337c..bdc4ca33e 100644 >--- a/CHANGELOG.md >+++ b/CHANGELOG.md >@@ -2,6 +2,10 @@ > > ## [Unreleased] > >+### Security >+- Make use of filters when extracting tarballs to enhance security if provided >+ by Python (`pcs config restore` command) ([rhbz#2219407]) >+ > ### Fixed > - Exporting constraints with rules in form of pcs commands now escapes `#` and > fixes spaces in dates to make the commands valid ([rhbz#2163953]) >@@ -20,6 +24,7 @@ > > [rhbz#2163953]: https://bugzilla.redhat.com/show_bug.cgi?id=2163953 > [rhbz#2217850]: https://bugzilla.redhat.com/show_bug.cgi?id=2217850 >+[rhbz#2219407]: https://bugzilla.redhat.com/show_bug.cgi?id=2219407 > > > ## [0.11.6] - 2023-06-20 >diff --git a/pcs/config.py b/pcs/config.py >index 56c49aaeb..d750f52f7 100644 >--- a/pcs/config.py >+++ b/pcs/config.py 
>@@ -488,14 +488,36 @@ def config_restore_local(infile_name, infile_obj): > if "rename" in extract_info and extract_info["rename"]: > if tmp_dir is None: > tmp_dir = tempfile.mkdtemp() >- tarball.extractall(tmp_dir, [tar_member_info]) >+ if hasattr(tarfile, "data_filter"): >+ # Safe way of extraction is available since Python 3.12, >+ # hasattr above checks if it's available. >+ # It's also backported to 3.11.4, 3.10.12, 3.9.17. >+ # It may be backported to older versions in downstream. >+ tarball.extractall( >+ tmp_dir, [tar_member_info], filter="data" >+ ) >+ else: >+ # Unsafe way of extraction >+ # Remove once we don't support Python 3.8 and older >+ tarball.extractall(tmp_dir, [tar_member_info]) > path_full = extract_info["path"] > shutil.move( > os.path.join(tmp_dir, tar_member_info.name), path_full > ) > else: > dir_path = os.path.dirname(extract_info["path"]) >- tarball.extractall(dir_path, [tar_member_info]) >+ if hasattr(tarfile, "data_filter"): >+ # Safe way of extraction is available since Python 3.12, >+ # hasattr above checks if it's available. >+ # It's also backported to 3.11.4, 3.10.12, 3.9.17. >+ # It may be backported to older versions in downstream. >+ tarball.extractall( >+ dir_path, [tar_member_info], filter="data" >+ ) >+ else: >+ # Unsafe way of extracting >+ # Remove once we don't support Python 3.8 and older >+ tarball.extractall(dir_path, [tar_member_info]) > path_full = os.path.join(dir_path, tar_member_info.name) > file_attrs = extract_info["attrs"] > os.chmod(path_full, file_attrs["mode"]) >-- >2.30.2 >
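Review bot: the CHANGELOG Security entry "Make use of filters when extracting tarballs to enhance security if provided by Python" is ambiguous about what is provided by Python (the filter, not the security) and does not say which filter; suggest rewording along the lines of "Use the `data` extraction filter of `tarfile` when the running Python provides it (`pcs config restore` command)" and, since the bug title names CVE-2007-4559, citing that identifier in the entry so readers of the release notes can map the change to the advisory.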
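Review bot: in the `config_restore_local` hunk the `rename` and non-`rename` branches now carry an identical `hasattr(tarfile, "data_filter")` block with duplicated comments; factor it into a single helper such as `_extract_member(tarball, dest_dir, member)` so the fallback and its "Remove once ..." reminder exist in one place. Two further points on the same hunk: with `filter="data"`, `extractall` refuses members that would land outside `dest_dir` (for example via `..` components), links pointing outside it, and device/special files by raising a `tarfile.FilterError` subclass, and nothing visible in the hunk catches it, so a malformed or hostile backup would surface as a traceback instead of a pcs error message; and the fallback comment "Remove once we don't support Python 3.8 and older" understates the condition, because the comment block directly above it says the filter only exists from 3.9.17, 3.10.12 and 3.11.4, so 3.9 to 3.11 builds older than those patch levels also take the unsafe `else` branch. In that unsafe branch, consider at least rejecting members whose name is absolute or contains `..` before calling `extractall`, since path traversal is exactly the case the filter is introduced to stop.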