Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | VUL-0: CVE-2014-2029: Percona Toolkit and XtraBackup automatic version check transmits information to external entity | | |
| Product: | [openSUSE] openSUSE 13.1 | Reporter: | Andreas Stieger <Andreas.Stieger> |
| Component: | Other | Assignee: | Andreas Stieger <Andreas.Stieger> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P4 - Low | CC: | meissner, security-team |
| Version: | Final | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | openSUSE 13.1 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | disable default version check | | |
Description

Andreas Stieger, 2014-02-16 20:59:01 UTC

Looking at this a little closer, this really is a security issue:

* communicate with an external server in the default configuration
* ... receives version information of various software
* ... receives arbitrary MySQL configuration variables
* ... can run commands (with -v)

Solution is to turn this off by default and have the user request this feature through CLI or configuration.

Created attachment 578759 [details]
disable default version check
This is an autogenerated message for OBS integration: This bug (864194) was mentioned in https://build.opensuse.org/request/show/222523 Factory / percona-toolkit

openSUSE 12.3 not affected. Maintenance request for 13.1: https://build.opensuse.org/request/show/222633

requested a CVE via oss-sec

Also affects Percona XtraBackup (server:database xtrabackup)

```
$ PTDEBUG=1 innobackupex . 2>&1 | grep VersionCheck
# VersionCheck:991 13013 FindBin::Bin: /usr/bin
# VersionCheck:1150 13013 SELECT CONCAT(@@hostname, @@port)
# VersionCheck:1171 13013 MySQL instance: d613005ef7763ae15e44be64c85ffe8b tux3306 $VAR1 = 'dbi:mysql:;mysql_read_default_group=xtrabackup';
# VersionCheck:971 13013 Version check file percona-version-check in /tmp
# VersionCheck:1085 13013 Version check file /tmp/percona-version-check contents: 0,1390762187
# VersionCheck:1093 13013 Intsance d613005ef7763ae15e44be64c85ffe8b last checked 1390762187 now 1392756084 diff 1993897 hours until next check -529.86
# VersionCheck:1100 13013 Time to check $VAR1 = {
# VersionCheck:1093 13013 Intsance 0 last checked 1390762187 now 1392756084 diff 1993897 hours until next check -529.86
# VersionCheck:1100 13013 Time to check $VAR1 = {
# VersionCheck:1014 13013 2 instances to check
# VersionCheck:1023 13013 Using https
# VersionCheck:1189 13013 Server response: $VAR1 = {
# VersionCheck:1290 13013 Items: $VAR1 = {
# VersionCheck:1466 13013 SHOW VARIABLES
# VersionCheck:1473 13013 MySQL version for MySQL = openSUSE package on tux3306
# VersionCheck:1473 13013 MySQL version for MySQL = 5.5.33-MariaDB on tux3306
# VersionCheck:1435 13013 Perl version for $Percona::Toolkit::VERSION = undef
# VersionCheck:1350 13013 platform: Linux
# VersionCheck:1355 13013 lsb_release: /usr/bin/lsb_release
# VersionCheck:1414 13013 OS version = openSUSE 13.1 (Bottle) (i586)
# VersionCheck:1424 13013 Perl version 5.18.1
# VersionCheck:1435 13013 Perl version for $DBD::mysql::VERSION = 4.021
# VersionCheck:1220 13013 Client response: $VAR1 = {
# VersionCheck:1223 13013 Server suggestions: $VAR1 = {
# VersionCheck:971 13013 Version check file percona-version-check in /tmp
# VersionCheck:1114 13013 Updating last check time: 1392756086
# VersionCheck:1057 13013 Error updating version check file: Cannot write to /tmp/percona-version-check: Permission denied at /usr/bin/innobackupex line 1133.
```

This is an autogenerated message for OBS integration: This bug (864194) was mentioned in https://build.opensuse.org/request/show/222792 Factory / xtrabackup

openSUSE:13.1:Update has xtrabackup 2.1.7 as of today, affected. openSUSE:12.3:Update has xtrabackup 2.0.8, not affected. Reproduction recipe requires removal of last check file:

```
$ rm /tmp/percona-version-check
# innobackupex .
[...]
140218 21:43:12 innobackupex: Executing a version check against the server...
# VersionCheck:991 15049 FindBin::Bin: /usr/bin
[...]
```

Fixed and tested xtrabackup. Maintenance requests:
Percona XtraBackup: https://build.opensuse.org/request/show/222797
Percona Toolkit: https://build.opensuse.org/request/show/222633

CVE-2014-2029

Can you resubmit the updates with the CVE mentioned in .changes please?

Can you resubmit them with the CVE in .changes?

(In reply to comment #10)
> can you resubmit them with the CVE in .changes?

https://build.opensuse.org/request/show/223371
https://build.opensuse.org/request/show/223372

Percona has released Percona-Toolkit 2.2.7, with the following changelog:
> v2.2.7 released 2014-02-20
>
> * Fixed bug 1279502: --version-check behaves like spyware
When examining the diff it seems that a function get_bin_version has now been introduced to sanitize input and output. While this should address some concerns regarding the execution of commands, the issue of transmitting information to an external entity remains. The openSUSE package will keep the patch to turn off automatic version checking unless explicitly enabled via configuration or switch.
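Added example, not code from this bug or from Percona: a small Python parser for the PTDEBUG `VersionCheck` output quoted earlier in this bug, which inventories the host details the check collects (instance, MySQL version, OS version, Perl and module versions) and whether the run reached the network step. The sample log lines are constructed from the ones quoted above; the category names are my own.

```python
import re

# Constructed sample, modelled on the PTDEBUG lines quoted in this bug.
SAMPLE_LOG = """\
# VersionCheck:1171 13013 MySQL instance: d613005ef7763ae15e44be64c85ffe8b tux3306
# VersionCheck:1023 13013 Using https
# VersionCheck:1473 13013 MySQL version for MySQL = 5.5.33-MariaDB on tux3306
# VersionCheck:1414 13013 OS version = openSUSE 13.1 (Bottle) (i586)
# VersionCheck:1424 13013 Perl version 5.18.1
# VersionCheck:1435 13013 Perl version for $DBD::mysql::VERSION = 4.021
# VersionCheck:1114 13013 Updating last check time: 1392756086
"""

# One PTDEBUG line: "# VersionCheck:<source line> <pid> <message>"
LINE_RE = re.compile(r"^# VersionCheck:(\d+) (\d+) (.*)$")

# Messages that reveal what the check collects about the host; the capture
# groups are the values that end up in the request to the version server.
PATTERNS = {
    "mysql_instance": re.compile(r"^MySQL instance: ([0-9a-f]+) (\S+)$"),
    "mysql_version": re.compile(r"^MySQL version for MySQL = (.+) on \S+$"),
    "os_version": re.compile(r"^OS version = (.+)$"),
    "perl_version": re.compile(r"^Perl version (\d[\d.]*)$"),
    "perl_module": re.compile(r"^Perl version for \$(\S+)::VERSION = (\S+)$"),
    "transport": re.compile(r"^Using (https?)$"),
}

def parse_version_check(log):
    """Yield (source_line, pid, message) for every VersionCheck debug line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)

def disclosed_items(log):
    """Map each class of host information to the values the check reported."""
    found = {}
    for _, _, msg in parse_version_check(log):
        for key, pat in PATTERNS.items():
            m = pat.match(msg)
            if m:
                found.setdefault(key, []).append(" ".join(m.groups()))
    return found

def would_transmit(log):
    """True if the run reached the network step ("Using http(s)" was logged)."""
    return "transport" in disclosed_items(log)
```

Running `disclosed_items` over a real `PTDEBUG=1` capture gives a quick audit of what an unpatched build would have sent before the packaged patch disabled the check by default.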
This is an autogenerated message for OBS integration: This bug (864194) was mentioned in https://build.opensuse.org/request/show/223756 Factory / percona-toolkit https://build.opensuse.org/request/show/223759 13.1 / percona-toolkit

This is an autogenerated message for OBS integration: This bug (864194) was mentioned in https://build.opensuse.org/request/show/224761 12.3 / percona-toolkit

openSUSE-SU-2014:0333-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used: openSUSE 13.1 (src): percona-toolkit-2.2.7-2.10.1, xtrabackup-2.1.7-13.2

This is an autogenerated message for OBS integration: This bug (864194) was mentioned in https://build.opensuse.org/request/show/224927 13.1 / xtrabackup

openSUSE-SU-2014:0361-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used: openSUSE 12.3 (src): percona-toolkit-2.1.11-2.12.1

released

openSUSE-SU-2014:0363-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used: openSUSE 13.1 (src): xtrabackup-2.1.8-17.1