Bug ID | 1205581 |
---|---|
Summary | VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.4 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | Andreas.Stieger@gmx.de |
Reporter | Andreas.Stieger@gmx.de |
QA Contact | security-team@suse.de |
Blocks | 1170644 |
Found By | --- |
Blocker | --- |
Due to CVE-2020-29488 (bug 1170644), Percona XtraBackup is modifying how xbstream handles absolute paths to prevent malicious file injections. Like the tar archiving utility, the new behavior removes the leading '/' character and references to the parent directory.

Fixes are available in Percona XtraBackup versions:

- >= 2.4.22
- >= 8.0.23-16.0

For example, `../../../d1/../d2/h.txt` will be saved in the stream with the relative path `./d2/h.txt`.

The updated function provides a warning when creating a stream with a file with an absolute path:

    $ xbstream -c /tmp/data
    xbstream: Removing leading '/' from member names

The function also will not extract files with absolute paths:

    $ cat a.xb | xbstream -x -C ./restore
    xbstream: absolute path not allowed: /tmp/bar.txt

Note: a stream can contain an absolute path if created with an older version of xbstream or if the following parameter is used: `-P, --absolute-names`

Be aware of the following:

- Scripts that call xbstream to store the path/file in an absolute path will strip the leading '/' and references to '../'. This action could cause an unexpected result.
- Extracting older formatted binaries which do contain the leading '/' and path/file produce an error message and are not extracted.

https://www.percona.com/blog/2021/03/23/cve-2020-29488-changes-in-how-absolute-paths-are-handled-in-percona-xtrabackup-xbstream/
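The two behaviours described above (tar-style sanitisation of member names when a stream is created, and refusal of absolute names when it is extracted) are shown in the following added example. This is illustrative C++ written for this page, not Percona's xbstream source: the function names, the `./` prefix on the stored name (taken from the page's `./d2/h.txt` example) and the warning strings are assumptions modelled on the text. The extraction check also rejects `..` components, which is stricter than the absolute-path rejection the page documents; it covers streams written with `--absolute-names` or by an older xbstream, which may still carry such names.

```cpp
// Added example: member-name sanitisation on the archiving side and the
// path check on the extraction side, modelled on the behaviour described
// for CVE-2020-29488. Not xbstream's own code.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split a path on '/' into components, dropping empty ones and ".".
static std::vector<std::string> split_components(const std::string &path) {
    std::vector<std::string> parts;
    std::string part;
    std::istringstream in(path);
    while (std::getline(in, part, '/')) {
        if (!part.empty() && part != ".") parts.push_back(part);
    }
    return parts;
}

struct Sanitized {
    std::string name;    // member name as it would be written to the stream
    bool stripped_root;  // a leading '/' was removed (triggers the warning)
    bool had_parent_ref; // one or more ".." components were present
};

// Archiving side: build a member name that cannot escape the extraction
// directory. A ".." cancels the preceding component ("d1/.." -> nothing);
// a ".." with nothing left to cancel would climb above the root and is
// dropped. "../../../d1/../d2/h.txt" therefore becomes "./d2/h.txt".
Sanitized sanitize_member_name(const std::string &path) {
    Sanitized out{"", false, false};
    out.stripped_root = !path.empty() && path[0] == '/';
    std::vector<std::string> kept;
    for (const std::string &c : split_components(path)) {
        if (c == "..") {
            out.had_parent_ref = true;
            if (!kept.empty()) kept.pop_back();
        } else {
            kept.push_back(c);
        }
    }
    std::string name = ".";
    for (const std::string &c : kept) name += "/" + c;
    out.name = name;
    return out;
}

// Extraction side: return an empty string if the member name may be
// extracted, otherwise the reason for rejecting it. Absolute names are
// rejected as the page describes; ".." is rejected as an extra safeguard.
std::string extract_rejection(const std::string &member) {
    if (!member.empty() && member[0] == '/') {
        return "absolute path not allowed: " + member;
    }
    for (const std::string &c : split_components(member)) {
        if (c == "..") {
            return "parent directory reference not allowed: " + member;
        }
    }
    return "";
}

int main() {
    // Constructed sample member names, including the page's own example.
    const char *inputs[] = {"../../../d1/../d2/h.txt", "/tmp/data/ibdata1",
                            "xtrabackup_checkpoints"};
    for (const char *p : inputs) {
        Sanitized s = sanitize_member_name(p);
        if (s.stripped_root)
            std::cerr << "xbstream: Removing leading '/' from member names\n";
        std::cout << p << " -> " << s.name << "\n";
    }
    // Simulate extracting a stream that still carries an absolute name.
    std::string why = extract_rejection("/tmp/bar.txt");
    if (!why.empty()) std::cerr << "xbstream: " << why << "\n";
    return 0;
}
```

Running the block prints the sanitised names for the three constructed inputs and the two warnings on stderr; the useful check for an operator is the first one, since a backup script that passes absolute paths will silently get `./tmp/...` names in the stream and restore to a different location than before the fix.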