Bug 2219407

Summary: [RHEL9] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product: Red Hat Enterprise Linux 9 Reporter: Charalampos Stratakis <cstratak>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: ON_QA --- QA Contact: cluster-qe <cluster-qe>
Severity: high Docs Contact:
Priority: high    
Version: 9.3CC: cluster-maint, cstratak, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, pviktori, tojeline
Target Milestone: rcKeywords: Triaged
Target Release: 9.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.11.6-2.el9 Doc Type: Bug Fix
Doc Text:
I suppose this is going to be documented together with bz263261
 Story Points: ---
Clone Of: 2219388 Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 263261, 2219388    
Bug Blocks:    
Attachments:
Description Flags
proposed fix none

Description Charalampos Stratakis 2023-07-03 13:56:37 UTC 
+++ This bug was initially created as a clone of Bug #2219388 +++

Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

As reported on rhel devel (thanks!), pcs uses extractall in:

https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L491
https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L498


The call will emit a warning by default. To prevent that, add something like this before the call:

tarball.extraction_filter = getattr(tarfile, 'data_filter',
                                    (lambda member, path: member))

This is compatible with unpatched versions of Python. If you only build for RHEL8.9+, instead add an argument to the call:
`tarball.extractall(..., filter='data')`.

I don't know about the tarball you're extracting here.
If it's pure data (configuration files), use 'data_filter' (or filter='data') as above.
If it's a trusted system archive, use 'fully_trusted_filter' (or filter='fully_trusted').
There's also 'tar_filter', somewhere in between.

See the docs for details: https://docs.python.org/3/library/tarfile.html?default-named-filters

---

Let me know if you have any questions!
Comment 2 Tomas Jelinek 2023-07-11 15:46:12 UTC 
Created attachment 1975184 [details]
proposed fix

Test:

Make sure to install patched python packages - they make unpatched pcs print a warning.

[root@rh92-node1:~]# rpm -q python3
python3-3.9.17-1.el9.x86_64

Before fix:
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
/usr/lib64/python3.9/tarfile.py:2232: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  warnings.warn(
[root@rh92-node1:~]# echo $?
0

After fix:
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
[root@rh92-node1:~]# echo $?
0

Verify, that 'pcs config restore' and 'pcs config restore --local' works - if in doubt, see bz1024492 for original tests.
Comment 3 Michal Pospisil 2023-07-14 09:57:50 UTC 
DevTestResults:

[root@r09-03-a ~]# rpm -q python3 pcs
python3-3.9.17-1.el9.x86_64
pcs-0.11.6-2.el9.x86_64

[root@r09-03-a ~]# pcs config backup test.tar.bz2

[root@r09-03-a ~]# pcs cluster destroy --all               
Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster.
WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration
Type 'yes' or 'y' to proceed, anything else to cancel: y
Warning: Unable to load CIB to get guest and remote nodes from it, those nodes will not be deconfigured.
r09-03-a.vm: Stopping Cluster (pacemaker)...
r09-03-a.vm: Successfully destroyed cluster

[root@r09-03-a ~]# pcs config restore test.tar.bz2 --local

[root@r09-03-a ~]# echo $?
0