+++ This bug was initially created as a clone of Bug #2219388 +++ Hello, In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way. Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.) Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior. To avoid the warning, software shipped by Red Hat will need a change. For more details see upstream PEP 706: https://peps.python.org/pep-0706 and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769 --- As reported on rhel devel (thanks!), pcs uses extractall in: https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L491 https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L498 The call will emit a warning by default. To prevent that, add something like this before the call: tarball.extraction_filter = getattr(tarfile, 'data_filter', (lambda member, path: member)) This is compatible with unpatched versions of Python. If you only build for RHEL8.9+, instead add an argument to the call: `tarball.extractall(..., filter='data')`. I don't know about the tarball you're extracting here. If it's pure data (configuration files), use 'data_filter' (or filter='data') as above. If it's a trusted system archive, use 'fully_trusted_filter' (or filter='fully_trusted'). There's also 'tar_filter', somewhere in between. See the docs for details: https://docs.python.org/3/library/tarfile.html?default-named-filters --- Let me know if you have any questions!
Created attachment 1975184 [details] proposed fix Test: Make sure to install patched python packages - they make unpatched pcs print a warning. [root@rh92-node1:~]# rpm -q python3 python3-3.9.17-1.el9.x86_64 Before fix: [root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local /usr/lib64/python3.9/tarfile.py:2232: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details. warnings.warn( [root@rh92-node1:~]# echo $? 0 After fix: [root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local [root@rh92-node1:~]# echo $? 0 Verify, that 'pcs config restore' and 'pcs config restore --local' works - if in doubt, see bz1024492 for original tests.
DevTestResults: [root@r09-03-a ~]# rpm -q python3 pcs python3-3.9.17-1.el9.x86_64 pcs-0.11.6-2.el9.x86_64 [root@r09-03-a ~]# pcs config backup test.tar.bz2 [root@r09-03-a ~]# pcs cluster destroy --all Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster. WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration Type 'yes' or 'y' to proceed, anything else to cancel: y Warning: Unable to load CIB to get guest and remote nodes from it, those nodes will not be deconfigured. r09-03-a.vm: Stopping Cluster (pacemaker)... r09-03-a.vm: Successfully destroyed cluster [root@r09-03-a ~]# pcs config restore test.tar.bz2 --local [root@r09-03-a ~]# echo $? 0