- bundled dateutil: fix tarfile CVE-2007-4559

Resolves: rhbz#2217902
- fence_ipmilan: fix typos in metadata
  Resolves: rhbz#2224267

bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch

@@ -0,0 +1,50 @@
+--- a/aws/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/aws/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)
+
+--- a/awscli/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/awscli/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)
+
+--- a/azure/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/azure/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)

bz2224267-fence_ipmilan-fix-typos-in-metadata.patch

@@ -0,0 +1,123 @@
+From ddfaa29150d0d6fd8841b3e39fa5e806812542b5 Mon Sep 17 00:00:00 2001
+From: razo7 <oraz@redhat.com>
+Date: Wed, 19 Jul 2023 16:33:01 +0300
+Subject: [PATCH] Fix typo in fence_ipmilan description
+
+Add spaces in the long description
+---
+ agents/ipmilan/fence_ipmilan.py           | 4 ++--
+ tests/data/metadata/fence_idrac.xml       | 2 +-
+ tests/data/metadata/fence_ilo3.xml        | 2 +-
+ tests/data/metadata/fence_ilo4.xml        | 2 +-
+ tests/data/metadata/fence_ilo5.xml        | 2 +-
+ tests/data/metadata/fence_imm.xml         | 2 +-
+ tests/data/metadata/fence_ipmilan.xml     | 2 +-
+ tests/data/metadata/fence_ipmilanplus.xml | 2 +-
+ 8 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/agents/ipmilan/fence_ipmilan.py b/agents/ipmilan/fence_ipmilan.py
+index 0acf977da..91e09ac7d 100644
+--- a/agents/ipmilan/fence_ipmilan.py
++++ b/agents/ipmilan/fence_ipmilan.py
+@@ -203,8 +203,8 @@ def main():
+ 
+ 	docs = {}
+ 	docs["shortdesc"] = "Fence agent for IPMI"
+-	docs["longdesc"] = "fence_ipmilan is an I/O Fencing agent\
+-which can be used with machines controlled by IPMI.\
++	docs["longdesc"] = "fence_ipmilan is an I/O Fencing agent \
++which can be used with machines controlled by IPMI. \
+ This agent calls support software ipmitool (http://ipmitool.sf.net/). \
+ WARNING! This fence agent might report success before the node is powered off. \
+ You should use -m/method onoff if your fence device works correctly with that option."
+diff --git a/tests/data/metadata/fence_idrac.xml b/tests/data/metadata/fence_idrac.xml
+index 2d4876493..d1f283e4a 100644
+--- a/tests/data/metadata/fence_idrac.xml
++++ b/tests/data/metadata/fence_idrac.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_ilo3.xml b/tests/data/metadata/fence_ilo3.xml
+index 0567b539c..5aca0211b 100644
+--- a/tests/data/metadata/fence_ilo3.xml
++++ b/tests/data/metadata/fence_ilo3.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_ilo4.xml b/tests/data/metadata/fence_ilo4.xml
+index 647bb1021..3aa001ad2 100644
+--- a/tests/data/metadata/fence_ilo4.xml
++++ b/tests/data/metadata/fence_ilo4.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_ilo5.xml b/tests/data/metadata/fence_ilo5.xml
+index 6c99db22a..262787905 100644
+--- a/tests/data/metadata/fence_ilo5.xml
++++ b/tests/data/metadata/fence_ilo5.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_imm.xml b/tests/data/metadata/fence_imm.xml
+index 5c5bf910f..26f9a76d3 100644
+--- a/tests/data/metadata/fence_imm.xml
++++ b/tests/data/metadata/fence_imm.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_ipmilan.xml b/tests/data/metadata/fence_ipmilan.xml
+index a31afcfd4..daad65a70 100644
+--- a/tests/data/metadata/fence_ipmilan.xml
++++ b/tests/data/metadata/fence_ipmilan.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
+diff --git a/tests/data/metadata/fence_ipmilanplus.xml b/tests/data/metadata/fence_ipmilanplus.xml
+index 19c252933..7b678b245 100644
+--- a/tests/data/metadata/fence_ipmilanplus.xml
++++ b/tests/data/metadata/fence_ipmilanplus.xml
+@@ -6,7 +6,7 @@
+ <symlink name="fence_ipmilanplus" shortdesc="Fence agent for IPMIv2 lanplus"/>
+ <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
+ <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
+-<longdesc>fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
++<longdesc>fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.</longdesc>
+ <vendor-url></vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">

fence-agents.spec

@@ -60,7 +60,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 48%{?alphatag:.%{alphatag}}%{?dist}
+Release: 49%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -237,6 +237,10 @@ Patch42: bz2187327-fence_scsi-1-detect-devices-in-shared-vgs.patch
 Patch43: bz2187327-fence_scsi-2-support-space-separated-devices.patch
 Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch
 Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
+Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
+
+### HA support libs/utils ###
+Patch1000: bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
 
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -393,6 +397,7 @@ BuildRequires: %{systemd_units}
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
+%patch46 -p1
 
 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -423,6 +428,12 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/
 sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
 %endif
 
+# regular patch doesnt work in build-section
+# Patch1000
+pushd support
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
+popd
+
 ./autogen.sh
 %{configure} --disable-libvirt-qmf-plugin PYTHONPATH="support/aliyun:support/aws:support/azure:support/google:support/common" \
 %if %{defined _tmpfilesdir}
@@ -1459,6 +1470,12 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
+* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-49
+- bundled dateutil: fix tarfile CVE-2007-4559
+  Resolves: rhbz#2217902
+- fence_ipmilan: fix typos in metadata
+  Resolves: rhbz#2224267
+
 * Tue Jul 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-48
 - fence_ibm_powervs: performance improvements
   Resolves: rhbz#2221643

tests/run_tests.sh

@@ -10,10 +10,23 @@ echo "INFO: pcs: agents available..."
 
 # test bundled libraries
 declare -A libs=(
-		["aliyunsdkcore"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/aliyun');"
-		["azure"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/azure');"
-		["msrestazure"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/azure');"
+		# aliyun
+		["aliyunsdkcore"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');"
+		["aliyun-python-sdk-ecs"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');"
+		["aliyuncli"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');"
+		# aws
+		["boto3"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aws');"
+		# azure
+		["azure"]="sys.path.insert(0, '/usr/lib/fence-agents/support/azure');"
+		["msrestazure"]="sys.path.insert(0, '/usr/lib/fence-agents/support/azure');"
+		# common
+		["pexpect"]="sys.path.insert(0, '/usr/lib/fence-agents/support/common');"
+		["suds"]="sys.path.insert(0, '/usr/lib/fence-agents/support/common');"
+		# google
+		["google-api-python-client"]="sys.path.insert(0, '/usr/lib/fence-agents/support/google');"
+		["pyroute2"]="sys.path.insert(0, '/usr/lib/fence-agents/support/google');"
 		)
+
 for lib in "${!libs[@]}"; do
 	output=$(python3 -c "import sys; sys.path.append('/usr/share/fence'); \
 		${libs[$lib]} \