Import operation impossible due to CVE-2007-4559

Hi all,

I apologize for my bad English, since it is not my mother tongue.

I already use a Pulp 2 server. I wanted to build a new infrastructure for a Pulp 3 server. Pulp-in-one-container seemed a good solution for me.

Operating system - distribution and version:
Our standard OS in this case is a Debian 12 Bookworm (12.5).
The container engine is Podman (4.3.1).
For security reasons, the production infrastructure is working offline, I mean without any internet access.
So to populate my server I built another server in an "online zone" with pulp-in-one-container. Works like a charm! :star_struck:

Problem:
I followed the instructions found in the import-export documentation.
I easily exported the content of the repository I populated, producing a tar file and a JSON one. Fine also.
On the offline side, I also have a pulp-in-one-container. So I transferred both export files produced and tried to import them the way explained in the documentation.

But whatever I tried the import failed. :face_with_raised_eyebrow:
I mean the call to the API is ok, but the task launched afterwards fails. In the Podman logs, I can see a Python error you can see below.
It seems to be a Python 3.9 limitation related to CVE-2007-4559 :frowning:
If I follow what is explained in the error message, the security flaw is fixed in Python 3.14, while pulp-in-one-container is using Python 3.9.
As a reference about Python versions related to the CVE-2007-4559.

Expected outcome:
Import successful…

Workaround? Solution?
The workaround seems to be a code modification.
But it could also be an upgrade of the Python version (3.14 minimum) embedded in the container, so a new version of the container.

Other relevant data:

    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.app.tasks.importer:INFO: Validating TOC /var/lib/import_export/IMPORTS/export-018ee71f-cc60-7eb4-bea9-63f157bc9b00-20240416_1336-toc.json.
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.app.tasks.importer:INFO: Importing /var/lib/import_export/IMPORTS/export-018ee71f-cc60-7eb4-bea9-63f157bc9b00-20240416_1336-toc.json.
    /usr/lib64/python3.9/tarfile.py:2239: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
      warnings.warn(
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.app.tasks.importer:INFO: Importing file ./tmpwp0cngvt/pulpcore.app.modelresource.ArtifactResource.json.
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.app.tasks.importer:INFO: ...Importing resource ArtifactResource.
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.tasking.tasks:INFO: Task completed 018f05d1-d945-76b6-842c-00fd92b5a7e7
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.tasking.tasks:INFO: Starting task 018f05d1-e9e3-7593-aa90-133b1ad56648
    /usr/lib64/python3.9/tarfile.py:2239: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
      warnings.warn(
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.tasking.tasks:INFO: Task 018f05d1-e9e3-7593-aa90-133b1ad56648 failed ('NoneType' object is not iterable)
    pulp [cb89d45521b14b52949e881195e07166]: pulpcore.tasking.tasks:INFO:   File "/usr/local/lib/python3.9/site-packages/pulpcore/tasking/tasks.py", line 66, in _execute_task
        result = func(*args, **kwargs)

      File "/usr/local/lib/python3.9/site-packages/pulpcore/app/tasks/importer.py", line 375, in import_repository_version
        for res_class in cfg.exportable_classes:
1 Like

I know the tarfile thing should be resolved. (Not sure if it is still meant to produce the warnings.) But also I don't think the warnings are related to the failed task you got.

What version(s) of Pulp are you running there?

Is it possible that you don’t have the same versions of pulp running in the disconnected environment?
(For import-export to work the versions need to match at least exactly in the x.y part.)

Also try replacing:

    for res_class in cfg.exportable_classes:

with:

    for res_class in cfg.exportable_classes or []:

Hi there and thank you for your suggestions.
I did not watch the Pulp versions running on servers because they are both running the same pulp-in-one-container image.
I followed this doc.
I will add that the tar file is readable. I opened it with a tar tvf.
I tried the two methods with the import passing the path argument and the toc.
I also checked the files with the import-check.
Again thanks for your ideas.

The warning is just a warning, it isn’t causing any problem.

This loop is going through all the repositories in the export. src_repo_type is the type-of the repository it’s currently working on. cfg is the plugin-config for the plugin that “owns” that repository. If cfg.exportable_classes is NULL, it means the plugin it found has no exportable classes - ie, isn’t import/export enabled. You can see where this value is set here

Can you show us what plugins you have in the upstream and downstream sides, and what versions? pulp status will show that.

Also, what repository-types have been exported?
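The RuntimeWarning quoted in the first post is about Python's tarfile extraction filters (the mitigation for CVE-2007-4559), not about the import task. The following is an added example, not code from this thread or from Pulp, showing what that filter actually does: it builds a constructed in-memory archive with one legitimate member and two hostile ones, extracts it with the `data` filter applied member by member, and reports which members were written and which were refused. The archive contents, the member names and the helper `_fallback_data_filter` (used only on interpreters that lack `tarfile.data_filter`) are assumptions made for the demonstration.

```python
"""Added example: what the tarfile RuntimeWarning seen in the Pulp logs is about.

Not Pulp code. Builds a constructed tar archive in memory and extracts it with
an explicit extraction filter, so the warning does not fire and hostile
members are refused instead of being written outside the destination.
"""
import copy
import io
import os
import shutil
import tarfile
import tempfile

# tarfile.data_filter exists on Python 3.12+ and on the security-backport
# releases of 3.8 to 3.11 (the distro-patched 3.9 in the logs has it too).
HAS_FILTERS = hasattr(tarfile, "data_filter")
FilterError = getattr(tarfile, "FilterError", ValueError)


def _fallback_data_filter(member, dest_path):
    """Minimal stand-in for tarfile.data_filter on interpreters without it (assumption)."""
    dest_path = os.path.realpath(dest_path)
    name = member.name.lstrip("/")               # leading slashes are stripped, not rejected
    target = os.path.realpath(os.path.join(dest_path, name))
    if os.path.commonpath([target, dest_path]) != dest_path:
        raise ValueError(f"{member.name!r} would land outside {dest_path}")
    if not (member.isreg() or member.isdir() or member.issym()):
        raise ValueError(f"{member.name!r} is a special file")
    clean = copy.copy(member)
    clean.name = name
    if member.isreg():
        mode = member.mode & 0o755               # drop setuid/setgid/sticky and group/other write
        if not mode & 0o100:
            mode &= ~0o111                       # no exec bits unless the owner had one
        clean.mode = mode | 0o600                # owner can always read and write the file
    return clean


apply_filter = tarfile.data_filter if HAS_FILTERS else _fallback_data_filter


def build_sample_tar():
    """Constructed archive: one legitimate member plus a traversal and an absolute path."""
    members = [
        ("export/toc.json", b'{"meta": {"note": "constructed"}}', 0o4755),  # setuid bit set
        ("../../escaped.txt", b"path traversal", 0o644),
        ("/abs/leading-slash.txt", b"absolute path", 0o644),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload, mode in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def safe_extract(tar_bytes, dest):
    """Extract tar_bytes into dest with the 'data' filter applied to every member.

    Returns (extracted_names, rejected), where rejected maps the original
    member name to the exception class that refused it.
    """
    dest = os.path.realpath(dest)
    extracted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            try:
                clean = apply_filter(member, dest)
            except FilterError as exc:
                rejected[member.name] = type(exc).__name__
                continue
            if HAS_FILTERS:
                # The member is already filtered; saying so explicitly is what
                # silences the "default behavior ... has been changed" warning.
                tf.extract(clean, dest, filter="fully_trusted")
            else:
                tf.extract(clean, dest)
            extracted.append(clean.name)
    return extracted, rejected


def demo():
    """Run the extraction in a throwaway directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="tar-filter-demo-")
    try:
        extracted, rejected = safe_extract(build_sample_tar(), dest)
        mode = os.stat(os.path.join(dest, "export", "toc.json")).st_mode & 0o7777
        return {
            "extracted": extracted,
            "rejected": sorted(rejected),
            "toc_mode": mode,
            "setuid_cleared": not (mode & 0o4000),
        }
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two things worth noting: the member with a leading `/` is not refused but rewritten to a relative path, which is what the warning's "absolute/parent paths are disallowed" wording glosses over, and a benign archive such as a Pulp export extracts cleanly whether or not the filter is active, which is why the warning in the logs cannot explain a failed task.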

Hello @ggainey
Here is the result of the pulp status on both servers:

##### Upstream server (online) #####
$ pulp status
{
  "versions": [
    {
      "component": "core",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulpcore.app",
      "domain_compatible": true
    },
    {
      "component": "ansible",
      "version": "0.21.3",
      "package": "pulp-ansible",
      "module": "pulp_ansible.app",
      "domain_compatible": false
    },
    {
      "component": "container",
      "version": "2.19.2",
      "package": "pulp-container",
      "module": "pulp_container.app",
      "domain_compatible": false
    },
    {
      "component": "deb",
      "version": "3.2.0",
      "package": "pulp_deb",
      "module": "pulp_deb.app",
      "domain_compatible": false
    },
    {
      "component": "gem",
      "version": "0.5.0",
      "package": "pulp-gem",
      "module": "pulp_gem.app",
      "domain_compatible": true
    },
    {
      "component": "maven",
      "version": "0.8.0",
      "package": "pulp-maven",
      "module": "pulp_maven.app",
      "domain_compatible": false
    },
    {
      "component": "ostree",
      "version": "2.3.0",
      "package": "pulp-ostree",
      "module": "pulp_ostree.app",
      "domain_compatible": true
    },
    {
      "component": "python",
      "version": "3.11.0",
      "package": "pulp-python",
      "module": "pulp_python.app",
      "domain_compatible": false
    },
    {
      "component": "rpm",
      "version": "3.25.1",
      "package": "pulp-rpm",
      "module": "pulp_rpm.app",
      "domain_compatible": true
    },
    {
      "component": "certguard",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulp_certguard.app",
      "domain_compatible": true
    },
    {
      "component": "file",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulp_file.app",
      "domain_compatible": true
    }



##### Downstream server (offline) #####
$ pulp status
{
  "versions": [
    {
      "component": "core",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulpcore.app",
      "domain_compatible": true
    },
    {
      "component": "ansible",
      "version": "0.21.3",
      "package": "pulp-ansible",
      "module": "pulp_ansible.app",
      "domain_compatible": false
    },
    {
      "component": "container",
      "version": "2.19.2",
      "package": "pulp-container",
      "module": "pulp_container.app",
      "domain_compatible": false
    },
    {
      "component": "deb",
      "version": "3.2.0",
      "package": "pulp_deb",
      "module": "pulp_deb.app",
      "domain_compatible": false
    },
    {
      "component": "gem",
      "version": "0.5.0",
      "package": "pulp-gem",
      "module": "pulp_gem.app",
      "domain_compatible": true
    },
    {
      "component": "maven",
      "version": "0.8.0",
      "package": "pulp-maven",
      "module": "pulp_maven.app",
      "domain_compatible": false
    },
    {
      "component": "ostree",
      "version": "2.3.0",
      "package": "pulp-ostree",
      "module": "pulp_ostree.app",
      "domain_compatible": true
    },
    {
      "component": "python",
      "version": "3.11.0",
      "package": "pulp-python",
      "module": "pulp_python.app",
      "domain_compatible": false
    },
    {
      "component": "rpm",
      "version": "3.25.1",
      "package": "pulp-rpm",
      "module": "pulp_rpm.app",
      "domain_compatible": true
    },
    {
      "component": "certguard",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulp_certguard.app",
      "domain_compatible": true
    },
    {
      "component": "file",
      "version": "3.49.1",
      "package": "pulpcore",
      "module": "pulp_file.app",
      "domain_compatible": true
    }

I am afraid they are the same (pulp-in-one-container).

The exported repository is a maven repository.
Maybe it is the cause of my problem. When I make the import, nowhere do I make the maven repository type explicit. Neither in the downstream repository creation nor in the downstream importer…

Could it be the cause of the failed task…?

Uh…pulp-maven doesn’t support pulp-import-export currently. How did it end up in a pulp-export-file?

Would it be possible for you to put your export-file somewhere we could find it?

Oooh, there it is - the Export process is perfectly happy to export things, that can’t be Imported: https://github.com/pulp/pulpcore/blob/main/pulpcore/app/importexport.py#L173

@Smollbear - can you open an issue on this? You shouldn’t be able to build an Exporter for repositories that are for types that don’t yet support import/export.

That doesn’t help your immediate need though. Right now, you can’t use PIE on pulp_maven.

1 Like

Yes it is. You got the point :slight_smile:
I double-checked my export and did not see any problem in it.
I tried to find a way to share it with you. I just uploaded it to my Google Drive (no need to secure it; there are maven packages).
If you need it I can share a link.
I will open an issue on this. But I would prefer to open an issue because I cannot import my export back :smiley:
Can I ask you if you think about a workaround ?
I am happy to use the maven plugin in the upstream server since I am able to get the packages and their dependencies from the pom.xml of the projects and through the Pulp Maven plugin.
So my upstream maven repository is easily and exactly populated…
Thx very much :wink:

1 Like

My assumption was that you are dealing with a disconnected environment. Is that actually true?
Would it be possible that your second pulp can talk to the first one via any network connection?
In that case replicate may be even more convenient to you.
A first peek however did not reveal to me it was already implemented either.

Yes.
I have an online upstream server and an offline downstream server.
There are no links in between.
The only solution is export/import.
Both are running the same pulp-in-one-container image. Consequently versions are consistent.
I must also say that I try to work on a maven repository.
If I am allowed to link both servers, is the replication able to work on a maven repo?

Here is the issue: