From f3489c389113eaa094fceb4009c6cb7eda2deef2 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Thu, 3 Aug 2023 11:31:51 +0200 Subject: [PATCH] - bundled dateutil: fix tarfile CVE-2007-4559 Resolves: rhbz#2218234 --- ...aws-fix-bundled-dateutil-CVE-2007-4559.patch | 0 ...irt-fix-bundled-dateutil-CVE-2007-4559.patch | 17 +++++++++++++++++ fence-agents.spec | 13 +++++++++---- 3 files changed, 26 insertions(+), 4 deletions(-) rename bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch => bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch (100%) create mode 100644 bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch diff --git a/bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch similarity index 100% rename from bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch rename to bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch diff --git a/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch new file mode 100644 index 0000000..97707a5 --- /dev/null +++ b/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch @@ -0,0 +1,17 @@ +--- a/kubevirt/dateutil/zoneinfo/rebuild.py 2023-01-26 16:29:30.000000000 +0100 ++++ b/kubevirt/dateutil/zoneinfo/rebuild.py 2023-07-19 10:12:42.277559948 +0200 +@@ -21,7 +21,12 @@ + try: + with TarFile.open(filename) as tf: + for name in zonegroups: +- tf.extract(name, tmpdir) ++ if hasattr(tarfile, 'data_filter'): ++ # Python with CVE-2007-4559 mitigation (PEP 706) ++ tf.extract(name, tmpdir, filter='data') ++ else: ++ # Fallback to a possibly dangerous extraction (before PEP 706) ++ tf.extract(name, tmpdir) + filepaths = [os.path.join(tmpdir, n) for n in zonegroups] + + _run_zic(zonedir, filepaths) + diff --git a/fence-agents.spec b/fence-agents.spec index 8ea34aa..c526489 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -87,7 +87,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.2.1 -Release: 120%{?alphatag:.%{alphatag}}%{?dist} +Release: 121%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Base URL: https://github.com/ClusterLabs/fence-agents @@ -276,7 +276,8 @@ Patch133: bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch ### HA support libs/utils ### -Patch1000: bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch +Patch1000: bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch +Patch1001: bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch %if 0%{?fedora} || 0%{?rhel} > 7 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti @@ -597,13 +598,17 @@ popd # regular patch doesnt work in install-section # Patch1000 pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir} -/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-fix-bundled-dateutil-CVE-2007-4559.patch +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch popd %endif # kubevirt %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt --no-index --find-links %{_sourcedir} openshift rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa* +# Patch1001 +pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch +popd ## tree fix up # fix libfence permissions @@ -1492,7 +1497,7 @@ Fence agent for IBM z/VM over IP. %endif %changelog -* Thu Jul 20 2023 Oyvind Albrigtsen - 4.2.1-120 +* Thu Aug 3 2023 Oyvind Albrigtsen - 4.2.1-121 - bundled dateutil: fix tarfile CVE-2007-4559 Resolves: rhbz#2218234