http://bugzilla.opensuse.org/show_bug.cgi?id=1205581 Bug ID: 1205581 Summary: VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger@gmx.de Reporter: Andreas.Stieger@gmx.de QA Contact: security-team@suse.de Blocks: 1170644 Found By: --- Blocker: --- Due to CVE-2020-29488 (bug 1170644), Percona XtraBackup is modifying how xbstream handles absolute paths to prevent malicious file injections. Like the tar archiving utility, the new behavior removes the leading ���/��� character and references to the parent directory. Fixes are available in Percona XtraBackup versions:

= 2.4.22

= 8.0.23-16.0

For example, ../../../d1/../d2/h.txt will be saved in the stream with the relative path ./d2/h.txt. The updated function provides a warning when creating a stream with a file with an absolute path: $ xbstream -c /tmp/data xbstream: Removing leading '/' from member names The function also will not extract files with absolute paths: $ cat a.xb | xbstream -x -C ./restore xbstream: absolute path not allowed: /tmp/bar.txt Note: a stream can contain an absolute path if created with an older version of xbstream or if the following parameter is used: -P, --absolute-names Be aware of the following: Scripts that call xbstream to store the path/file in an absolute path will strip the leading ���/��� and references to ���../���. This action could cause an unexpected result. Extracting older formatted binaries which do contain the leading ���/��� and path/file produce an error message and are not extracted. https://www.percona.com/blog/2021/03/23/cve-2020-29488-changes-in-how-absolu... -- You are receiving this mail because: You are on the CC list for the bug.