Mitigate CVE-2007-4559 (tarfile directory traversal).

.python-dateutil.metadata

@@ -0,0 +1 @@
+bd26127e57f83a10f656b62c46524c15aeb844dd python-dateutil-2.8.1.tar.gz

1295.patch

@@ -0,0 +1,57 @@
+From a97d0ff4b7559a431f42102b6208fb876f511194 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 27 Jun 2023 15:28:36 +0200
+Subject: [PATCH 1/2] zoneinfo.rebuild: Extract using tarfile data filter (PEP
+ 706) if available
+
+---
+ src/dateutil/zoneinfo/rebuild.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/dateutil/zoneinfo/rebuild.py b/src/dateutil/zoneinfo/rebuild.py
+index 684c6586f..1b6e34b15 100644
+--- a/dateutil/zoneinfo/rebuild.py
++++ b/dateutil/zoneinfo/rebuild.py
+@@ -4,6 +4,7 @@
+ import shutil
+ import json
+ from subprocess import check_call
++import tarfile
+ from tarfile import TarFile
+ 
+ from dateutil.zoneinfo import METADATA_FN, ZONEFILENAME
+@@ -20,6 +21,13 @@ def rebuild(filename, tag=None, format="gz", zonegroups=[], metadata=None):
+     moduledir = os.path.dirname(__file__)
+     try:
+         with TarFile.open(filename) as tf:
++
++            # Limit extraction to safe, plain data files, if this Python
++            # allows it easily. If not, just trust the input.
++            # See: https://docs.python.org/3/library/tarfile.html#supporting-older-python-versions
++            tf.extraction_filter = getattr(tarfile, 'data_filter',
++                                           (lambda member, path: member))
++
+             for name in zonegroups:
+                 tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+
+From 4790f9d64451002fd3c31c2fbe0d70322019a92a Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 27 Jun 2023 16:12:14 +0200
+Subject: [PATCH 2/2] Add changelog entry
+
+---
+ changelog.d/1295.misc.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 changelog.d/1295.misc.rst
+
+diff --git a/changelog.d/1295.misc.rst b/changelog.d/1295.misc.rst
+new file mode 100644
+index 000000000..c2876dd65
+--- /dev/null
++++ b/changelog.d/1295.misc.rst
+@@ -0,0 +1,4 @@
++On Python versions that support it, ``zoneinfo.rebuild`` now uses the
++tarfile ``data`` filter to limit damage in case it's used with a
++malicious tarball, and to avoid a deprecation warning on Python 3.12.
++Reported and fixed by @encukou (gh pr #1295)

python-dateutil.spec

@@ -2,7 +2,7 @@
 
 Name:           python-%{modname}
 Version:        2.8.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Epoch:          1
 Summary:        Powerful extensions to the standard datetime module
 
@@ -10,6 +10,14 @@ License:        BSD
 URL:            https://github.com/dateutil/dateutil
 Source:         %{pypi_source}
 
+# Mitigate CVE-2007-4559 (tarfile directory traversal).
+# `dateutil.zoneinfo.rebuild` handles "pure data" tarballs,
+# here we disable tar features that are potentially unsafe.
+# Submitted upstream, but rejected because they're removing this
+# code entirely.
+# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2203905
+Patch1:         https://github.com/dateutil/dateutil/pull/1295.patch
+
 # Disable tests to avoid pulling in test dependencies on RHEL9
 # Specify --with tests to run the tests e.g. on EPEL
 %bcond_with tests
@@ -47,7 +55,7 @@ Summary: API documentation for python-dateutil
 This package contains %{summary}.
 
 %prep
-%autosetup
+%autosetup -p1
 iconv --from=ISO-8859-1 --to=UTF-8 NEWS > NEWS.new
 mv NEWS.new NEWS
 
@@ -74,6 +82,10 @@ make -C docs html
 %doc docs/_build/html
 
 %changelog
+* Wed Jul 12 2023 Petr Viktorin <pviktori@redhat.com> - 1:2.8.1-7
+- Mitigate CVE-2007-4559 (tarfile directory traversal).
+  Resolves: rhbz#2203905
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.8.1-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688