Bug 2219388

Summary: [RHEL8] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product: Red Hat Enterprise Linux 8 Reporter: Petr Viktorin <pviktori>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: ON_QA --- QA Contact: cluster-qe <cluster-qe>
Severity: high Docs Contact:
Priority: high    
Version: 8.9CC: cluster-maint, cstratak, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, tojeline
Target Milestone: rcKeywords: Triaged
Target Release: 8.9   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.10.17-2.el8 Doc Type: Bug Fix
Doc Text:
I suppose this is going to be documented together with bz263261
 Story Points: ---
Clone Of:
: 2219407 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 263261    
Bug Blocks: 2219407    

Description Petr Viktorin 2023-07-03 12:29:05 UTC 
Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

As reported on rhel devel (thanks!), pcs uses extractall in:

https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L491
https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L498


The call will emit a warning by default. To prevent that, add something like this before the call:

tarball.extraction_filter = getattr(tarfile, 'data_filter',
                                    (lambda member, path: member))

This is compatible with unpatched versions of Python. If you only build for RHEL8.9+, instead add an argument to the call:
`tarball.extractall(..., filter='data')`.

I don't know about the tarball you're extracting here.
If it's pure data (configuration files), use 'data_filter' (or filter='data') as above.
If it's a trusted system archive, use 'fully_trusted_filter' (or filter='fully_trusted').
There's also 'tar_filter', somewhere in between.

See the docs for details: https://docs.python.org/3/library/tarfile.html?default-named-filters

---

Let me know if you have any questions!
Comment 2 Tomas Jelinek 2023-07-12 14:16:24 UTC 
Upstream patch: https://github.com/ClusterLabs/pcs/commit/44301c7ba83c5efa9db1113bd9491de796ebded4

Test:

Make sure to install patched python packages - they make unpatched pcs print a warning.

[root@rh88-node1:~]# rpm -q platform-python
platform-python-3.6.8-52.el8.x86_64

Before fix:
[root@rh88-node1:~]# pcs config restore /root/backup.tar.bz2 --local
/usr/lib64/python3.6/tarfile.py:2214: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  RuntimeWarning)
[root@rh88-node1:~]# echo $?
0

After fix:
[root@rh88-node1:~]# pcs/pcs config restore /root/backup.tar.bz2 --local
[root@rh88-node1:~]# echo $?
0

Verify, that 'pcs config restore' and 'pcs config restore --local' works - if in doubt, see bz1024492 for original tests.
Comment 3 Michal Pospisil 2023-07-14 08:41:28 UTC 
DevTestResults:

[root@r08-09-a ~]# pcs config backup /root/backup.tar.bz2

[root@r08-09-a ~]# pcs cluster destroy
Shutting down pacemaker/corosync services...
Killing any remaining services...
Removing all cluster configuration files...

[root@r08-09-a ~]# pcs config restore /root/backup.tar.bz2 --local

[root@r08-09-a ~]# echo $?
0