- bundled dateutil: fix tarfile CVE-2007-4559

Resolves: rhbz#2218234
2023-07-20 15:07:28 +02:00 · 2023-07-20 15:07:28 +02:00 · 6ce82bf34c
commit 6ce82bf34c
parent 8a918a13d7
2 changed files with 30 additions and 1 deletions
--- a/bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch
@ -0,0 +1,16 @@
+--- a/aws/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
+++ b/aws/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
+                if hasattr(tarfile, 'data_filter'):
+                    # Python with CVE-2007-4559 mitigation (PEP 706)
+                    tf.extract(name, tmpdir, filter='data')
+                else:
+                    # Fallback to a possibly dangerous extraction (before PEP 706)
+                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 119%{?alphatag:.%{alphatag}}%{?dist}
+Release: 120%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@ -275,6 +275,9 @@ Patch132: bz2211460-fence_azure-arm-1-stack-hub-support.patch
 Patch133: bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch
 Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch

+### HA support libs/utils ###
+Patch1000: bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch
+
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@ -590,6 +593,12 @@ popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} jmespath
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} botocore
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} requests
+
+# regular patch doesnt work in install-section
+# Patch1000
+pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch
+popd
 %endif

 # kubevirt
@ -1483,6 +1492,10 @@ Fence agent for IBM z/VM over IP.
 %endif

 %changelog
+* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-120
+- bundled dateutil: fix tarfile CVE-2007-4559
+  Resolves: rhbz#2218234
+
 * Tue Jul 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-119
 - fence_ibm_powervs: performance improvements
  Resolves: rhbz#2155453