Bug 2219407
| Field | Value |
|---|---|
| Summary | [RHEL9] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation) |
| Product | Red Hat Enterprise Linux 9 |
| Reporter | Charalampos Stratakis <cstratak> |
| Component | pcs |
| Assignee | Tomas Jelinek <tojeline> |
| Status | ON_QA --- |
| QA Contact | cluster-qe <cluster-qe> |
| Severity | high |
| Priority | high |
| Version | 9.3 |
| CC | cluster-maint, cstratak, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, pviktori, tojeline |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 9.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pcs-0.11.6-2.el9 |
| Doc Type | Bug Fix |
| Doc Text | I suppose this is going to be documented together with bz263261 |
| Story Points | --- |
| Clone Of | 2219388 |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 263261, 2219388 |
Description

Charalampos Stratakis, 2023-07-03 13:56:37 UTC

Created attachment 1975184 [details]
proposed fix

Test:

Make sure to install patched python packages - they make unpatched pcs print a warning.

```
[root@rh92-node1:~]# rpm -q python3
python3-3.9.17-1.el9.x86_64
```

Before fix:

```
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
/usr/lib64/python3.9/tarfile.py:2232: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  warnings.warn(
[root@rh92-node1:~]# echo $?
0
```

After fix:

```
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
[root@rh92-node1:~]# echo $?
0
```

Verify that 'pcs config restore' and 'pcs config restore --local' work - if in doubt, see bz1024492 for the original tests.

DevTestResults:

```
[root@r09-03-a ~]# rpm -q python3 pcs
python3-3.9.17-1.el9.x86_64
pcs-0.11.6-2.el9.x86_64
[root@r09-03-a ~]# pcs config backup test.tar.bz2
[root@r09-03-a ~]# pcs cluster destroy --all
Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster.
WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration
Type 'yes' or 'y' to proceed, anything else to cancel: y
Warning: Unable to load CIB to get guest and remote nodes from it, those nodes will not be deconfigured.
r09-03-a.vm: Stopping Cluster (pacemaker)...
r09-03-a.vm: Successfully destroyed cluster
[root@r09-03-a ~]# pcs config restore test.tar.bz2 --local
[root@r09-03-a ~]# echo $?
0
```
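The RuntimeWarning quoted in the description comes from a Python tarfile that has the CVE-2007-4559 mitigation but is being called without an explicit extraction filter. The example below is added here to show what an extraction routine that opts into the mitigation looks like; it is not pcs's code and this page does not say which approach the pcs fix took. It uses the 'data' filter where the interpreter provides it (Python 3.12+, or a backport such as the python3-3.9.17 build named above) and otherwise applies the same path and mode rules by hand. The function names (`build_archive`, `extract_safely`, `demo`), the member names and the archive contents are all constructed for the example; the hostile member `../escaped.conf` is the path-traversal pattern the CVE describes.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample data: a benign pcs-style backup member and a hostile member
# whose name climbs one level out of the extraction directory (CVE-2007-4559).
BENIGN_MEMBERS = {"config/corosync.conf": b"totem {\n    version: 2\n}\n"}
HOSTILE_MEMBERS = {"../escaped.conf": b"owned\n"}

# tarfile.FilterError only exists where the mitigation is present; older Pythons
# take the manual fallback below, which raises ValueError instead.
_FILTER_ERROR = getattr(tarfile, "FilterError", ValueError)


def has_filter_support():
    """True when this tarfile ships the 'data' filter (3.12+, or a backport)."""
    return hasattr(tarfile, "data_filter")


def build_archive(members):
    """Build a .tar.bz2 in memory from {name: bytes}; every member gets 4755 so
    the setuid-stripping behaviour of the filter is visible after extraction."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o4755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(dest_real, candidate):
    return os.path.commonpath([dest_real, os.path.realpath(candidate)]) == dest_real


def _check_member(member, dest):
    """Hand-written equivalent of the 'data' filter's path rules: the member and
    the target of any symlink/hardlink must stay under dest; no device nodes."""
    dest_real = os.path.realpath(dest)
    if not _inside(dest_real, os.path.join(dest, member.name)):
        raise ValueError(f"member escapes destination: {member.name!r}")
    if member.issym():
        target = os.path.join(dest, os.path.dirname(member.name), member.linkname)
        if not _inside(dest_real, target):
            raise ValueError(f"symlink escapes destination: {member.name!r}")
    elif member.islnk():
        if not _inside(dest_real, os.path.join(dest, member.linkname)):
            raise ValueError(f"hardlink escapes destination: {member.name!r}")
    elif not (member.isreg() or member.isdir()):
        raise ValueError(f"special file refused: {member.name!r}")


def extract_safely(archive_bytes, dest):
    """Extract a tar.bz2 into dest, refusing anything that would land outside it.

    With filter support, extractall(filter="data") rejects escaping paths and also
    clears setuid/setgid/sticky and group/other write bits, so no warning is
    emitted.  Without it, the same rules are applied before extracting.
    Returns the sorted relative paths of the files now under dest.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:bz2") as tar:
        if has_filter_support():
            tar.extractall(path=dest, filter="data")
        else:
            members = tar.getmembers()
            for member in members:
                _check_member(member, dest)
                member.mode &= 0o755  # same high-bit stripping the filter does
            tar.extractall(path=dest, members=members)
    found = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), dest))
    return sorted(found)


def demo():
    """Extract the benign archive, then attempt the hostile one.

    Returns (extracted_names, hostile_rejected, corosync_mode_bits, nothing_escaped)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "restore")
        os.mkdir(dest)
        names = extract_safely(build_archive(BENIGN_MEMBERS), dest)
        mode = os.stat(os.path.join(dest, "config", "corosync.conf")).st_mode & 0o7777
        try:
            extract_safely(build_archive(HOSTILE_MEMBERS), dest)
            rejected = False
        except (_FILTER_ERROR, ValueError):
            rejected = True
        # Without protection "../escaped.conf" would have been written here.
        escaped = os.path.exists(os.path.join(tmp, "escaped.conf"))
    return names, rejected, mode, not escaped


if __name__ == "__main__":
    print(demo())
```

Passing `filter="data"` explicitly is what silences the warning on a patched interpreter: the filter is applied whether or not the interpreter's default has changed, and on a Python without any filter support the fallback branch performs the same containment check, so the behaviour of a restore does not depend on which python3 build happens to be installed.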