Bug 2219388 - [RHEL8] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Summary: [RHEL8] pcs: Python tarfile extraction needs change to avoid a warning (CVE-2...
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcs
Version: 8.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.9
Assignee: Tomas Jelinek
QA Contact: cluster-qe
URL:
Whiteboard:
Depends On: CVE-2007-4559
Blocks: 2219407
 
Reported: 2023-07-03 12:29 UTC by Petr Viktorin
Modified: 2023-08-10 15:41 UTC (History)

Fixed In Version: pcs-0.10.17-2.el8
Doc Type: Bug Fix
Doc Text:
I suppose this is going to be documented together with bz263261
Clone Of:
Clones: 2219407
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker CLUSTERQE-6801 (last updated 2023-07-07 11:10:57 UTC)
Red Hat Issue Tracker RHELPLAN-161442 (last updated 2023-07-03 12:29:53 UTC)

Description Petr Viktorin 2023-07-03 12:29:05 UTC
Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.
Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

As reported on rhel devel (thanks!), pcs uses extractall in:

https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L491
https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L498


The call will emit a warning by default. To prevent that, add something like this before the call:

tarball.extraction_filter = getattr(tarfile, 'data_filter',
                                    (lambda member, path: member))

This is compatible with unpatched versions of Python. If you only build for RHEL8.9+, instead add an argument to the call:
`tarball.extractall(..., filter='data')`.

I don't know about the tarball you're extracting here.
If it's pure data (configuration files), use 'data_filter' (or filter='data') as above.
If it's a trusted system archive, use 'fully_trusted_filter' (or filter='fully_trusted').
There's also 'tar_filter', somewhere in between.

See the docs for details: https://docs.python.org/3/library/tarfile.html?default-named-filters

---

Let me know if you have any questions!
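To show what the suggested extraction_filter shim actually changes, here is an added example (my code, not part of this report or of pcs): it builds a constructed two-member tarball in memory, one ordinary config file and one member whose name climbs out of the destination, extracts it with the getattr() fallback from above into a throwaway directory, and reports which members landed where. The function names and sample member names are my own.

```python
import io
import tarfile
import tempfile
from pathlib import Path

# True on a Python that carries the PEP 706 change (RHEL 8.9/9.3 builds, upstream 3.12+).
HAS_DATA_FILTER = hasattr(tarfile, "data_filter")


def build_sample_tarball() -> bytes:
    """Constructed sample archive: one plain config file plus one member whose
    name points outside the destination (the CVE-2007-4559 pattern)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("cluster.conf", b"totem { version: 2 }\n"),
                              ("../escaped.txt", b"must not be written\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def restore_config(tar_bytes: bytes, dest: Path) -> dict:
    """Extract the way the report suggests: use tarfile.data_filter where the
    interpreter has it, otherwise a pass-through lambda so the same code still
    runs (without protection) on an unpatched Python."""
    dest.mkdir(parents=True, exist_ok=True)
    outcome = {"extracted": [], "rejected": None, "escaped": False}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tarball:
        tarball.extraction_filter = getattr(tarfile, "data_filter",
                                            (lambda member, path: member))
        try:
            tarball.extractall(path=dest)
        # FilterError exists only on patched Pythons; an empty tuple catches nothing.
        except getattr(tarfile, "FilterError", ()) as exc:
            outcome["rejected"] = str(exc)
    outcome["extracted"] = sorted(p.name for p in dest.iterdir())
    # With the pass-through fallback the '../' member lands one level up.
    outcome["escaped"] = (dest.parent / "escaped.txt").exists()
    return outcome


def demo() -> dict:
    """Run the restore into a temporary directory and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        return restore_config(build_sample_tarball(), Path(tmp) / "dest")


if __name__ == "__main__":
    print(demo())
```

On a patched Python the run reports the '../' member as rejected with an OutsideDestinationError and only cluster.conf is written; on an unpatched Python the fallback lambda lets it through, which is exactly why the report recommends filter='data' once only RHEL 8.9+ needs to be supported.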

Comment 2 Tomas Jelinek 2023-07-12 14:16:24 UTC
Upstream patch: https://github.com/ClusterLabs/pcs/commit/44301c7ba83c5efa9db1113bd9491de796ebded4

Test:

Make sure to install patched python packages - they make unpatched pcs print a warning.

[root@rh88-node1:~]# rpm -q platform-python
platform-python-3.6.8-52.el8.x86_64

Before fix:
[root@rh88-node1:~]# pcs config restore /root/backup.tar.bz2 --local
/usr/lib64/python3.6/tarfile.py:2214: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  RuntimeWarning)
[root@rh88-node1:~]# echo $?
0

After fix:
[root@rh88-node1:~]# pcs/pcs config restore /root/backup.tar.bz2 --local
[root@rh88-node1:~]# echo $?
0

Verify that 'pcs config restore' and 'pcs config restore --local' work - if in doubt, see bz1024492 for the original tests.

Comment 3 Michal Pospisil 2023-07-14 08:41:28 UTC
DevTestResults:

[root@r08-09-a ~]# pcs config backup /root/backup.tar.bz2

[root@r08-09-a ~]# pcs cluster destroy
Shutting down pacemaker/corosync services...
Killing any remaining services...
Removing all cluster configuration files...

[root@r08-09-a ~]# pcs config restore /root/backup.tar.bz2 --local

[root@r08-09-a ~]# echo $?
0

