From 8f4fa349cd64e4143fc3b417b01a2ab1f433b40d Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 12 Jul 2023 16:30:57 +0200
Subject: [PATCH] Mitigate CVE-2007-4559 (tarfile directory traversal).
Resolves: rhbz#2203905
---
 1295.patch | 57 ++++++++++++++++++++++++++++++++++++++++++++
 python-dateutil.spec | 16 +++++++++++--
 2 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 1295.patch
diff --git a/1295.patch b/1295.patch
new file mode 100644
index 0000000..4dc5093
--- /dev/null
+++ b/1295.patch
@@ -0,0 +1,57 @@ +From a97d0ff4b7559a431f42102b6208fb876f511194 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 27 Jun 2023 15:28:36 +0200 +Subject: [PATCH 1/2] zoneinfo.rebuild: Extract using tarfile data filter (PEP + 706) if available + +--- + src/dateutil/zoneinfo/rebuild.py | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/dateutil/zoneinfo/rebuild.py b/src/dateutil/zoneinfo/rebuild.py +index 684c6586f..1b6e34b15 100644 +--- a/dateutil/zoneinfo/rebuild.py ++++ b/dateutil/zoneinfo/rebuild.py +@@ -4,6 +4,7 @@ + import shutil + import json + from subprocess import check_call ++import tarfile + from tarfile import TarFile + + from dateutil.zoneinfo import METADATA_FN, ZONEFILENAME +@@ -20,6 +21,13 @@ def rebuild(filename, tag=None, format="gz", zonegroups=[], metadata=None): + moduledir = os.path.dirname(__file__) + try: + with TarFile.open(filename) as tf: ++ ++ # Limit extraction to safe, plain data files, if this Python ++ # allows it easily. If not, just trust the input. 
++ # See: https://docs.python.org/3/library/tarfile.html#supporting-older-python-versions ++ tf.extraction_filter = getattr(tarfile, 'data_filter', ++ (lambda member, path: member)) ++ + for name in zonegroups: + tf.extract(name, tmpdir) + filepaths = [os.path.join(tmpdir, n) for n in zonegroups] + +From 4790f9d64451002fd3c31c2fbe0d70322019a92a Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 27 Jun 2023 16:12:14 +0200 +Subject: [PATCH 2/2] Add changelog entry + +--- + changelog.d/1295.misc.rst | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 changelog.d/1295.misc.rst + +diff --git a/changelog.d/1295.misc.rst b/changelog.d/1295.misc.rst +new file mode 100644 +index 000000000..c2876dd65 +--- /dev/null ++++ b/changelog.d/1295.misc.rst +@@ -0,0 +1,4 @@ ++On Python versions that support it, ``zoneinfo.rebuild`` now uses the ++tarfile ``data`` filter to limit damage in case it's used with a ++malicious tarball, and to avoid a deprecation warning on Python 3.12. ++Reported and fixed by @encukou (gh pr #1295) diff --git a/python-dateutil.spec b/python-dateutil.spec index 039045f..2fb3260 100644 --- a/python-dateutil.spec +++ b/python-dateutil.spec @@ -2,7 +2,7 @@ Name: python-%{modname} Version: 2.8.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 1 Summary: Powerful extensions to the standard datetime module @@ -10,6 +10,14 @@ License: BSD URL: https://github.com/dateutil/dateutil Source: %{pypi_source} +# Mitigate CVE-2007-4559 (tarfile directory traversal). +# `dateutil.zoneinfo.rebuild` handles "pure data" tarballs, +# here we disable tar features that are potentially unsafe. +# Submitted upstream, but rejected because they're removing this +# code entirely. +# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2203905 +Patch1: https://github.com/dateutil/dateutil/pull/1295.patch + # Disable tests to avoid pulling in test dependencies on RHEL9 # Specify --with tests to run the tests e.g. on EPEL %bcond_with tests 
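Review bot: Once `tf.extraction_filter` is `tarfile.data_filter`, a member with an absolute name, a path that resolves outside `tmpdir`, a link pointing outside it, or a device/FIFO entry makes `tf.extract(name, tmpdir)` raise a `tarfile.FilterError` (a `TarError` subclass), and the `try:` wrapping the `with TarFile.open(filename)` block has its handler outside this hunk — it is worth confirming that handler propagates or aborts rather than continuing with a partially populated `tmpdir`. The `getattr` fallback is the idiom from the linked tarfile docs and is inert on interpreters that lack the backport, so the hardening applies only where `tarfile.data_filter` exists, which the added comment already says. A one-line note on the new import, `import tarfile  # module-level lookup for tarfile.data_filter below`, would explain why both `import tarfile` and `from tarfile import TarFile` are kept. `rebuild` starts and ends outside the hunk.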
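Review bot: `Patch1:` names `https://github.com/dateutil/dateutil/pull/1295.patch`, which serves whatever the pull request branch holds at fetch time, so a later download can differ from the `1295.patch` committed alongside this spec; the nested diff also names `src/dateutil/zoneinfo/rebuild.py` in its `diff --git` line but `dateutil/zoneinfo/rebuild.py` in `---`/`+++`, which suggests the file was adjusted by hand to the sdist layout and will not match a fresh fetch. Make the committed file authoritative, `Patch1: 1295.patch`, and keep the PR URL in the comment above it together with a line such as `# Paths rewritten from src/dateutil/ to dateutil/ to match the sdist.` The comment could also state that the mitigation only takes effect on a python3 whose `tarfile` carries the PEP 706 `data_filter` backport, since the patched code falls back to no filtering otherwise; whether the target python3 build has it is not visible here.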
@@ -47,7 +55,7 @@ Summary: API documentation for python-dateutil This package contains %{summary}. %prep -%autosetup +%autosetup -p1 iconv --from=ISO-8859-1 --to=UTF-8 NEWS > NEWS.new mv NEWS.new NEWS @@ -74,6 +82,10 @@ make -C docs html %doc docs/_build/html %changelog +* Wed Jul 12 2023 Petr Viktorin - 1:2.8.1-7 +- Mitigate CVE-2007-4559 (tarfile directory traversal). + Resolves: rhbz#2203905 + * Tue Aug 10 2021 Mohan Boddu - 1:2.8.1-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688