2203905 – python-dateutil: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Bug 2203905 - python-dateutil: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Summary: python-dateutil: Python tarfile extraction needs change to avoid a warning (C...

Keywords:
Status:	VERIFIED
Alias:	None
Deadline:	2023-08-21
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	python-dateutil
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Charalampos Stratakis
QA Contact:	Lukáš Zachar
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2007-4559
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-15 14:51 UTC by Petr Viktorin
Modified:	2023-08-16 08:18 UTC (History)
CC List:	1 user (show)
Fixed In Version:	python-dateutil-2.8.1-7.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2218240 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	dateutil dateutil pull 1295	None	open	zoneinfo.rebuild: Extract using tarfile data filter (PEP 706) if available	2023-06-27 14:16:00 UTC
Gitlab	redhat/centos-stream/rpms python-dateutil merge_requests 3	None	opened	Mitigate CVE-2007-4559 (tarfile directory traversal).	2023-07-13 17:41:00 UTC
Red Hat Issue Tracker	RHELPLAN-157252	None	None	None	2023-05-15 14:51:55 UTC

Description Petr Viktorin 2023-05-15 14:51:12 UTC

Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

/usr/lib/python3.9/site-packages/dateutil/zoneinfo/rebuild.py has a tarfile extraction call that'll need changing from:

                tf.extract(name, tmpdir)

to something like:

if hasattr(tarfile, 'data_filter'):
    # Python with CVE-2007-4559 mitigation (PEP 706)
    tf.extract(name, tmpdir, filter='data')
else:
    # Fallback to a possibly dangerous extraction (before PEP 706)
    tf.extract(name, tmpdir)


Or just add the filter='data' if we can coordinate updates.

Comment 1 Petr Viktorin 2023-06-27 15:32:36 UTC

Upstream is removing tarfile handling, so they rejected the patch. But we should backport it to existing releases.

Comment 2 Petr Viktorin 2023-07-13 17:41:00 UTC

Χάρης, if you get to it, could you push this over the finish line?

Comment 4 Charalampos Stratakis 2023-08-06 23:56:30 UTC

Everything looks good. Sanity checked the code and this is coming from the author of the upstream PEP.

Note You need to log in before you can comment on or make changes to this bug.