Bug 2217906

Summary: sos: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product: Red Hat Enterprise Linux 9 Reporter: Petr Viktorin (pviktori) <pviktori>
Component: sosAssignee: Pavel Moravec <pmoravec>
Status: CLOSED ERRATA QA Contact: Miroslav HradĂ­lek <mhradile>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.3CC: agk, jcastillo, jjansky, mhradile, plambri, sbradley, theute
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sos-4.6.0-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2218238 (view as bug list) Environment:
Last Closed: 2023-09-26 09:18:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2218238    

Description Petr Viktorin (pviktori) 2023-06-27 12:41:35 UTC 
Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

In /usr/lib/python3.9/site-packages/sos/cleaner/archives/__init__.py, sos calls `archive.extractall(path). The call will emit a warning by default, and should be changed to something like:

if hasattr(tarfile, 'data_filter'):
    # Python with CVE-2007-4559 mitigation (PEP 706)
    archive.extractall(path, filter='data')
else:
    # Fallback to a possibly dangerous extraction (before PEP 706)
    archive.extractall(path)

The 'data' filter above attempts a "safe" extraction, intended for pure data archives. For example:
- prevents extracting outside the target directory, and to absolute paths (by raising an exception)
- prevents symlinks pointing outside the target directory, and to absolute paths
- adjusts permissions (for the owner, only the executable bit is honored)
See PEP 706 for details: https://peps.python.org/pep-0706/#filters

If you trust that the archive is not malicious, use `filter='fully_trusted'` instead. That will preserve the existing behavior.

---

Let me know if you have any questions!
Comment 8 errata-xmlrpc 2023-09-26 09:18:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sos bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:5354