[Bug 1205581] New: VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581

            Bug ID: 1205581
           Summary: VUL-0: CVE-2020-29488: xtrabackup: Changes in How
                    Absolute Paths are Handled in Percona XtraBackup xbstream
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.4
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: Andreas.Stieger@gmx.de
          Reporter: Andreas.Stieger@gmx.de
        QA Contact: security-team@suse.de
            Blocks: 1170644
          Found By: ---
           Blocker: ---

Due to CVE-2020-29488 (bug 1170644), Percona XtraBackup is modifying how xbstream handles absolute paths to prevent malicious file injections. Like the tar archiving utility, the new behavior removes the leading '/' character and references to the parent directory. Fixes are available in Percona XtraBackup versions:

= 2.4.22
= 8.0.23-16.0

For example, ../../../d1/../d2/h.txt will be saved in the stream with the relative path ./d2/h.txt.

The updated function provides a warning when creating a stream with a file with an absolute path:

    $ xbstream -c /tmp/data
    xbstream: Removing leading '/' from member names

The function also will not extract files with absolute paths:

    $ cat a.xb | xbstream -x -C ./restore
    xbstream: absolute path not allowed: /tmp/bar.txt

Note: a stream can contain an absolute path if created with an older version of xbstream or if the following parameter is used:

    -P, --absolute-names

Be aware of the following:

- Scripts that call xbstream to store the path/file in an absolute path will strip the leading '/' and references to '../'. This action could cause an unexpected result.
- Extracting older formatted binaries which do contain the leading '/' and path/file produce an error message and are not extracted.

https://www.percona.com/blog/2021/03/23/cve-2020-29488-changes-in-how-absolu...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
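As an added illustration, not xbstream's own code, here is the member-name handling the advisory describes, written in Python: sanitisation at stream creation (leading '/' and parent-directory references dropped, with the same warnings the advisory quotes) and refusal of absolute names at extraction unless the -P/--absolute-names equivalent is set. The function names and the extra containment check of '..' names against the -C directory are assumptions of this example, not behaviour the advisory states.

```python
import posixpath


def sanitize_member_name(path: str) -> tuple[str, list[str]]:
    """Creation side: return (stored name, warnings).

    Mirrors the advisory's examples, e.g.
    '../../../d1/../d2/h.txt' -> './d2/h.txt'
    '/tmp/data'               -> './tmp/data' plus a 'Removing leading' warning
    (hypothetical helper; not xbstream's implementation).
    """
    warnings = []
    if path.startswith("/"):
        warnings.append("Removing leading '/' from member names")
    parts: list[str] = []
    escaped = False
    for comp in path.split("/"):
        if comp in ("", "."):
            continue                  # collapse '//' and './' segments
        if comp == "..":
            if parts:
                parts.pop()           # 'd1/..' cancels out within the name
            else:
                escaped = True        # would climb above the target: drop it
            continue
        parts.append(comp)
    if escaped:
        warnings.append("Removing leading '../' from member names")
    return "./" + "/".join(parts), warnings


def extraction_path(member: str, target_dir: str = "./restore",
                    allow_absolute: bool = False) -> str:
    """Extraction side: where a member lands under the -C target_dir.

    Absolute names are refused unless -P/--absolute-names was given, as the
    advisory states. The containment check for '..' names is an extra
    safeguard assumed here for streams written by older xbstream versions.
    """
    if member.startswith("/"):
        if not allow_absolute:
            raise ValueError(f"absolute path not allowed: {member}")
        return posixpath.normpath(member)
    root = posixpath.normpath(target_dir)
    prefix = root if root.endswith("/") else root + "/"
    dest = posixpath.normpath(posixpath.join(root, member))
    if dest != root and not dest.startswith(prefix):
        raise ValueError(f"member escapes extraction directory: {member}")
    return dest
```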
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581#c1

--- Comment #1 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1205581) was mentioned in
https://build.opensuse.org/request/show/1036938 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / xtrabackup

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581#c2

--- Comment #2 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1205581) was mentioned in
https://build.opensuse.org/request/show/1036940 Backports:SLE-15-SP4 / xtrabackup

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581#c3

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
                 CC|                            |Andreas.Stieger@gmx.de
           Assignee|Andreas.Stieger@gmx.de      |security-team@suse.de

--- Comment #3 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
Submitted for openSUSE:Backports:SLE-15-SP4:Update, pending licensedigger review. Please check where this is stuck.

xtrabackup was dropped from openSUSE:Backports:SLE-15-SP5 (SR#1036945)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581
http://bugzilla.opensuse.org/show_bug.cgi?id=1205581#c5

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
Fixed in 15.4. Not fixing for 15.3. Dropped from next. Closing.

-- 
You are receiving this mail because:
You are on the CC list for the bug.