Bug 2219407
| Summary: | [RHEL9] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Charalampos Stratakis <cstratak> | ||||
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> | ||||
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 9.3 | CC: | cluster-maint, cstratak, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, pviktori, tojeline | ||||
| Target Milestone: | rc | Keywords: | Triaged | ||||
| Target Release: | 9.3 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pcs-0.11.6-2.el9 | Doc Type: | Bug Fix | ||||
| Doc Text: |
I suppose this is going to be documented together with bz263261
|
Story Points: | --- | ||||
| Clone Of: | 2219388 | Environment: | |||||
| Last Closed: | 2023-11-07 08:23:11 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 2219388 | ||||||
| Bug Blocks: | 263261 | ||||||
| Attachments: |
|
||||||
|
Description
Charalampos Stratakis
2023-07-03 13:56:37 UTC
Created attachment 1975184 [details] proposed fix Test: Make sure to install patched python packages - they make unpatched pcs print a warning. [root@rh92-node1:~]# rpm -q python3 python3-3.9.17-1.el9.x86_64 Before fix: [root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local /usr/lib64/python3.9/tarfile.py:2232: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details. warnings.warn( [root@rh92-node1:~]# echo $? 0 After fix: [root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local [root@rh92-node1:~]# echo $? 0 Verify, that 'pcs config restore' and 'pcs config restore --local' works - if in doubt, see bz1024492 for original tests. DevTestResults: [root@r09-03-a ~]# rpm -q python3 pcs python3-3.9.17-1.el9.x86_64 pcs-0.11.6-2.el9.x86_64 [root@r09-03-a ~]# pcs config backup test.tar.bz2 [root@r09-03-a ~]# pcs cluster destroy --all Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster. WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration Type 'yes' or 'y' to proceed, anything else to cancel: y Warning: Unable to load CIB to get guest and remote nodes from it, those nodes will not be deconfigured. r09-03-a.vm: Stopping Cluster (pacemaker)... r09-03-a.vm: Successfully destroyed cluster [root@r09-03-a ~]# pcs config restore test.tar.bz2 --local [root@r09-03-a ~]# echo $? 0 BEFORE: ======= [root@virt-537 ~]# rpm -q pcs python3 pcs-0.11.6-1.el9.x86_64 python3-3.9.17-2.el9.x86_64 [root@virt-537 ~]# pcs config backup /tmp/backup [root@virt-537 ~]# pcs cluster destroy --all Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster. WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration Type 'yes' or 'y' to proceed, anything else to cancel: y virt-537: Stopping Cluster (pacemaker)... virt-538: Stopping Cluster (pacemaker)... virt-538: Successfully destroyed cluster virt-537: Successfully destroyed cluster [root@virt-537 ~]# pcs config restore /tmp/backup.tar.bz2 --local /usr/lib64/python3.9/tarfile.py:2239: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details. warnings.warn( [root@virt-537 ~]# echo $? 0 AFTER: ====== [root@virt-537 ~]# rpm -q pcs python3 pcs-0.11.6-3.el9.x86_64 python3-3.9.17-2.el9.x86_64 # node 1 [root@virt-537 ~]# pcs config backup /tmp/backup # node 2 [root@virt-538 ~]# pcs config backup /tmp/backup [root@virt-537 ~]# pcs cluster destroy --all Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster. WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration Type 'yes' or 'y' to proceed, anything else to cancel: y virt-537: Stopping Cluster (pacemaker)... virt-538: Stopping Cluster (pacemaker)... virt-538: Successfully destroyed cluster virt-537: Successfully destroyed cluster [root@virt-537 ~]# pcs config restore /tmp/backup.tar.bz2 --local [root@virt-537 ~]# echo $? 0 > OK [root@virt-537 ~]# pcs cluster start Starting Cluster... [root@virt-537 ~]# pcs status nodes Pacemaker Nodes: Online: virt-537 Standby: Standby with resource(s) running: Maintenance: Offline: virt-538 Pacemaker Remote Nodes: Online: Standby: Standby with resource(s) running: Maintenance: Offline: > OK: The config was restored just on the local node # on the other node [root@virt-538 ~]# pcs config restore /tmp/backup.tar.bz2 --local [root@virt-538 ~]# echo $? 0 [root@virt-538 ~]# pcs cluster start Starting Cluster... [root@virt-538 ~]# pcs status nodes Pacemaker Nodes: Online: virt-537 virt-538 Standby: Standby with resource(s) running: Maintenance: Offline: Pacemaker Remote Nodes: Online: Standby: Standby with resource(s) running: Maintenance: Offline: > OK ## Snippet from automated test to ensure that 'pcs config restore' feature still works {...} 2023-08-21 15:33:46 INFO: PCS_CONFIG_BACKUP 2023-08-21 15:33:46 INFO: running: pcs config backup /tmp/test-backup.tar.bz2 2023-08-21 15:33:47 INFO: Backup created as /tmp/test-backup.tar.bz2 on virt-537. 2023-08-21 15:33:47 INFO: PCS_CLUSTER_DESTROY 2023-08-21 15:33:53 INFO: cluster destroyed. 2023-08-21 15:33:53 INFO: PCS_CONFIG_RESTORE 2023-08-21 15:33:53 INFO: running: pcs config restore /tmp/test-backup.tar.bz2 2023-08-21 15:34:07 INFO: Backup restored from /tmp/test-backup.tar.bz2 on virt-537. 2023-08-21 15:34:07 INFO: PCS_CLUSTER_START 2023-08-21 15:34:07 INFO: starting cluster from virt-537 with --all 2023-08-21 15:34:34 INFO: cluster started 2023-08-21 15:34:34 INFO: CHECK_CLUSTER_HEALTH 2023-08-21 15:34:35 INFO: cluster looks healthy on virt-537 virt-538 2023-08-21 15:34:35 INFO: CHECK_LOGS {...} Marking as VERIFIED for pcs-0.11.6-3.el9. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: pcs security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:6316 |