Hello, In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way. Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.) Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior. To avoid the warning, software shipped by Red Hat will need a change. For more details see upstream PEP 706: https://peps.python.org/pep-0706 and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769 --- In __init__.py and tools.py in /usr/lib/python3.9/site-packages/lib389/, lib389 calls `tar.extract()`. The calls will emit a warning by default, and tar features deemed too dangerous for general use will even be blocked by default. It seems that this is a backup recovery, and you trust the archive to not be malicious. In that case, add the following after the `tar = tarfile.open(backup_file)`: # The archive is fully trusted, override warnings and "safe" defaults # see https://docs.python.org/3.12/library/tarfile.html#supporting-older-python-versions tar.extraction_filter = (lambda member, path: member) This will restore previous behaviour, and it's a no-op on earlier Python versions. --- Let me know if you have any questions!
Builds tested: 389-ds-base-2.3.6-2.el9.x86_64 python3-lib389-2.3.6-2.el9.noarch A filter was added: $ grep -inr -A1 tarfile.open /usr/lib/python3.9/site-packages/lib389 /usr/lib/python3.9/site-packages/lib389/__init__.py:1380: tar = tarfile.open(backup_file, "w:gz") /usr/lib/python3.9/site-packages/lib389/__init__.py-1381- tar.extraction_filter = (lambda member, path: member) -- /usr/lib/python3.9/site-packages/lib389/__init__.py:1454: tar = tarfile.open(backup_file) /usr/lib/python3.9/site-packages/lib389/__init__.py-1455- tar.extraction_filter = (lambda member, path: member) -- /usr/lib/python3.9/site-packages/lib389/tools.py:303: tar = tarfile.open(backup_file, "w:gz") /usr/lib/python3.9/site-packages/lib389/tools.py-304- tar.extraction_filter = (lambda member, path: member) -- /usr/lib/python3.9/site-packages/lib389/tools.py:362: tar = tarfile.open(backup_file) /usr/lib/python3.9/site-packages/lib389/tools.py-363- tar.extraction_filter = (lambda member, path: member) Moreover, this code is in functions that are not used by any other code in lib389: lib389.backupFS lib389.restoreFS lib389.tools.instanceBackupFS lib389.tools.instanceRestoreFS These were implemented to speed up testing, but since then were replaced by pytest fixtures. They will be removed in https://github.com/389ds/389-ds-base/issues/5875
As per comment #c1 marking as VERIFIED.