+++ This bug was initially created as a clone of Bug #2219388 +++

Hello,
In RHEL 9.3 and 8.9, we're planning to fix the long-standing CVE-2007-4559: Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way.

Unfortunately, for the CVE to be considered fixed, this needs a behavior change. (If you don't think this is the case, let's bring it up with the security team.)
Upstream, Python will emit deprecation warnings for 2 releases, but in RHEL we change the behavior now, emit warnings, and provide ways for customers to restore earlier behavior.
To avoid the warning, software shipped by Red Hat will need a change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
and the Red Hat knowledge base draft: https://access.redhat.com/articles/7004769

---

As reported on rhel devel (thanks!), pcs uses extractall in:

https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L491
https://github.com/ClusterLabs/pcs/blob/main/pcs/config.py#L498

The call will emit a warning by default. To prevent that, add something like this before the call:

    tarball.extraction_filter = getattr(tarfile, 'data_filter', (lambda member, path: member))

This is compatible with unpatched versions of Python.
If you only build for RHEL8.9+, instead add an argument to the call: `tarball.extractall(..., filter='data')`.

I don't know about the tarball you're extracting here. If it's pure data (configuration files), use 'data_filter' (or filter='data') as above. If it's a trusted system archive, use 'fully_trusted_filter' (or filter='fully_trusted'). There's also 'tar_filter', somewhere in between.
See the docs for details: https://docs.python.org/3/library/tarfile.html?default-named-filters

---

Let me know if you have any questions!
Created attachment 1975184
proposed fix

Test:
Make sure to install patched python packages - they make unpatched pcs print a warning.
[root@rh92-node1:~]# rpm -q python3
python3-3.9.17-1.el9.x86_64

Before fix:
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
/usr/lib64/python3.9/tarfile.py:2232: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  warnings.warn(
[root@rh92-node1:~]# echo $?
0

After fix:
[root@rh92-node1:~]# pcs config restore /root/backup.tar.bz2 --local
[root@rh92-node1:~]# echo $?
0

Verify that 'pcs config restore' and 'pcs config restore --local' work - if in doubt, see bz1024492 for original tests.
DevTestResults:

[root@r09-03-a ~]# rpm -q python3 pcs
python3-3.9.17-1.el9.x86_64
pcs-0.11.6-2.el9.x86_64

[root@r09-03-a ~]# pcs config backup test.tar.bz2
[root@r09-03-a ~]# pcs cluster destroy --all
Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster.
WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration
Type 'yes' or 'y' to proceed, anything else to cancel: y
Warning: Unable to load CIB to get guest and remote nodes from it, those nodes will not be deconfigured.
r09-03-a.vm: Stopping Cluster (pacemaker)...
r09-03-a.vm: Successfully destroyed cluster
[root@r09-03-a ~]# pcs config restore test.tar.bz2 --local
[root@r09-03-a ~]# echo $?
0
BEFORE:
=======

[root@virt-537 ~]# rpm -q pcs python3
pcs-0.11.6-1.el9.x86_64
python3-3.9.17-2.el9.x86_64

[root@virt-537 ~]# pcs config backup /tmp/backup
[root@virt-537 ~]# pcs cluster destroy --all
Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster.
WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration
Type 'yes' or 'y' to proceed, anything else to cancel: y
virt-537: Stopping Cluster (pacemaker)...
virt-538: Stopping Cluster (pacemaker)...
virt-538: Successfully destroyed cluster
virt-537: Successfully destroyed cluster

[root@virt-537 ~]# pcs config restore /tmp/backup.tar.bz2 --local
/usr/lib64/python3.9/tarfile.py:2239: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  warnings.warn(
[root@virt-537 ~]# echo $?
0

AFTER:
======

[root@virt-537 ~]# rpm -q pcs python3
pcs-0.11.6-3.el9.x86_64
python3-3.9.17-2.el9.x86_64

# node 1
[root@virt-537 ~]# pcs config backup /tmp/backup

# node 2
[root@virt-538 ~]# pcs config backup /tmp/backup

[root@virt-537 ~]# pcs cluster destroy --all
Warning: It is recommended to run 'pcs cluster stop' before destroying the cluster.
WARNING: This would kill all cluster processes and then PERMANENTLY remove cluster state and configuration
Type 'yes' or 'y' to proceed, anything else to cancel: y
virt-537: Stopping Cluster (pacemaker)...
virt-538: Stopping Cluster (pacemaker)...
virt-538: Successfully destroyed cluster
virt-537: Successfully destroyed cluster

[root@virt-537 ~]# pcs config restore /tmp/backup.tar.bz2 --local
[root@virt-537 ~]# echo $?
0

> OK

[root@virt-537 ~]# pcs cluster start
Starting Cluster...
[root@virt-537 ~]# pcs status nodes
Pacemaker Nodes:
 Online: virt-537
 Standby:
 Standby with resource(s) running:
 Maintenance:
 Offline: virt-538
Pacemaker Remote Nodes:
 Online:
 Standby:
 Standby with resource(s) running:
 Maintenance:
 Offline:

> OK: The config was restored just on the local node

# on the other node
[root@virt-538 ~]# pcs config restore /tmp/backup.tar.bz2 --local
[root@virt-538 ~]# echo $?
0
[root@virt-538 ~]# pcs cluster start
Starting Cluster...
[root@virt-538 ~]# pcs status nodes
Pacemaker Nodes:
 Online: virt-537 virt-538
 Standby:
 Standby with resource(s) running:
 Maintenance:
 Offline:
Pacemaker Remote Nodes:
 Online:
 Standby:
 Standby with resource(s) running:
 Maintenance:
 Offline:

> OK

## Snippet from automated test to ensure that 'pcs config restore' feature still works

{...}
2023-08-21 15:33:46 INFO: PCS_CONFIG_BACKUP
2023-08-21 15:33:46 INFO: running: pcs config backup /tmp/test-backup.tar.bz2
2023-08-21 15:33:47 INFO: Backup created as /tmp/test-backup.tar.bz2 on virt-537.
2023-08-21 15:33:47 INFO: PCS_CLUSTER_DESTROY
2023-08-21 15:33:53 INFO: cluster destroyed.
2023-08-21 15:33:53 INFO: PCS_CONFIG_RESTORE
2023-08-21 15:33:53 INFO: running: pcs config restore /tmp/test-backup.tar.bz2
2023-08-21 15:34:07 INFO: Backup restored from /tmp/test-backup.tar.bz2 on virt-537.
2023-08-21 15:34:07 INFO: PCS_CLUSTER_START
2023-08-21 15:34:07 INFO: starting cluster from virt-537 with --all
2023-08-21 15:34:34 INFO: cluster started
2023-08-21 15:34:34 INFO: CHECK_CLUSTER_HEALTH
2023-08-21 15:34:35 INFO: cluster looks healthy on virt-537 virt-538
2023-08-21 15:34:35 INFO: CHECK_LOGS
{...}

Marking as VERIFIED for pcs-0.11.6-3.el9.