Bug 2218873

Summary: sos: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product: Red Hat Enterprise Linux 8
Reporter: Petr Viktorin (pviktori) <pviktori>
Component: sos
Assignee: Pavel Moravec <pmoravec>
Status: CLOSED ERRATA
QA Contact: Miroslav Hradílek <mhradile>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.9
CC: agk, cstratak, jcastillo, jjansky, mhradile, plambri, sbradley, theute
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sos-4.6.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-09-26 09:18:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 263261

Description Petr Viktorin (pviktori) 2023-06-30 11:18:00 UTC
Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

In /usr/lib/python3.6/site-packages/sos/cleaner/archives/__init__.py, sos calls `archive.extractall(path)`. The call will emit a warning by default. To prevent that, add something like this before the call:

archive.extraction_filter = getattr(tarfile, 'data_filter',
                                       (lambda member, path: member))

This is compatible with unpatched versions of Python. If you only build for RHEL8.9+, instead add an argument to the call:
`archive.extractall(path, filter='data')`.

The 'data' filter above attempts a "safe" extraction, intended for pure data archives. For example:
- prevents extracting outside the target directory, and to absolute paths (by raising an exception)
- prevents symlinks pointing outside the target directory, and to absolute paths
- adjusts permissions (for the owner, only the executable bit is honored)
See PEP 706 for details: https://peps.python.org/pep-0706/#filters

If you trust the tarball, use `'fully_trusted_filter'` (or `filter='fully_trusted'`) instead. That will preserve the existing behavior.

---

Let me know if you have any questions!
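
The mitigation the report describes, as an added example that is not sos code and not part of the original report: it builds a small tar archive in memory (a constructed sample with one ordinary file, one member whose path escapes the destination, and one symlink to an absolute path), runs `tarfile.data_filter` over each member to see what the 'data' filter would reject and how it rewrites permissions, and then extracts with the `extraction_filter` compatibility assignment quoted above. The temporary directory layout and the function names are the example's own assumptions.

```python
"""Audit and safely extract a tar archive with tarfile's 'data' filter (PEP 706).

Added example, not sos code. The archive is constructed in memory and the
destination is a fresh temporary directory created only for this run.
"""
import io
import os
import shutil
import tarfile
import tempfile

# True on Python builds that carry the PEP 706 filters (3.12+, and the
# RHEL 8.9 / 9.3 backports the bug report describes).
HAS_DATA_FILTER = hasattr(tarfile, "data_filter")


def build_sample_archive():
    """Constructed sample archive: one ordinary file, one member that would
    land outside the destination, and one symlink to an absolute path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"sample report\n"
        ok = tarfile.TarInfo("report/summary.txt")
        ok.size = len(data)
        ok.mode = 0o4755                      # setuid bit: the data filter strips it
        tar.addfile(ok, io.BytesIO(data))

        escape = tarfile.TarInfo("../escape.txt")   # resolves outside the destination
        tar.addfile(escape, io.BytesIO(b""))

        link = tarfile.TarInfo("report/link")       # symlink to an absolute path
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def audit_members(archive_bytes, dest):
    """Run tarfile.data_filter over every member without extracting anything.

    Returns {member name: ("ok", filtered mode) or ("rejected", error class)}.
    Requires a Python build that has tarfile.data_filter.
    """
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            try:
                checked = tarfile.data_filter(member, dest)
                verdicts[member.name] = ("ok", checked.mode)
            except tarfile.FilterError as exc:
                verdicts[member.name] = ("rejected", type(exc).__name__)
    return verdicts


def extract_safely(archive_bytes, dest):
    """The compatibility pattern from the bug report: assigning the
    extraction_filter attribute works on any Python version, whereas the
    filter='data' keyword exists only on patched builds."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extraction_filter = getattr(tarfile, "data_filter",
                                        (lambda member, path: member))
        tar.extractall(dest)


def demo():
    """Audit the constructed archive, then confirm that extraction refuses it.

    Returns (verdicts, refused, escaped): the per-member audit result, whether
    extractall raised a FilterError, and whether anything was written outside
    the destination directory.
    """
    root = tempfile.mkdtemp(prefix="tarfilter-demo-")
    dest = os.path.join(root, "out")        # escapes would land in root, not /tmp
    os.mkdir(dest)
    try:
        archive = build_sample_archive()
        verdicts = audit_members(archive, dest) if HAS_DATA_FILTER else {}
        try:
            extract_safely(archive, dest)
            refused = False
        except tarfile.FilterError:
            refused = True
        escaped = os.path.exists(os.path.join(root, "escape.txt"))
        return verdicts, refused, escaped
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name}: {verdict}")
```

On a patched Python the audit reports the ordinary file as accepted with its mode rewritten to 0o755 (setuid dropped), the `../escape.txt` member rejected with `OutsideDestinationError`, and the symlink rejected with `AbsoluteLinkError`; `extractall` stops with the same exception, so nothing lands outside the destination. On an unpatched Python the `getattr` fallback keeps the old behaviour, which is exactly why the report asks shipped software to adopt the filter.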

Comment 1 Pavel Moravec 2023-07-26 14:00:26 UTC
*** Bug 2218238 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2023-09-26 09:18:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sos bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:5354