Bug 864194 (CVE-2014-2029)

Summary: VUL-0: CVE-2014-2029: Percona Toolkit and XtraBackup automatic version check transmits information to external entity
Product: [openSUSE] openSUSE 13.1
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Other
Assignee: Andreas Stieger <Andreas.Stieger>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P4 - Low
CC: meissner, security-team
Version: Final
Target Milestone: ---
Hardware: All
OS: openSUSE 13.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: disable default version check

Description Andreas Stieger 2014-02-16 20:59:01 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0

From https://bugs.launchpad.net/percona-toolkit/+bug/1279502
There is a security / privacy concern, even though the automatic version check is mentioned on the change log.

It would make sense for a distribution maintained package to turn this off by default.

Reproducible: Always

Steps to Reproduce:
user@host:~> PTDEBUG=1 pt-index-usage
user#host:~> PTDEBUG=1 pt-index-usage 2>&1 | grep VersionCheck
Actual Results:  
user#host:~> PTDEBUG=1 pt-index-usage
[...]
# OptionParser:974 9596 version-check default: yes
# VersionCheck:5696 9596 Version check file percona-version-check in /tmp
# VersionCheck:5810 9596 Version check file /tmp/percona-version-check contents: 0,1390762187
[...]

user#host:~> PTDEBUG=1 pt-index-usage 2>&1 | grep VersionCheck
# VersionCheck:5716 9621 FindBin::Bin: /usr/bin
# VersionCheck:5875 9621 SELECT CONCAT(@@hostname, @@port)
# VersionCheck:5896 9621 MySQL instance: d613005ef7763ae15e44be64c85ffe8b tux3306 $VAR1 = {};
# VersionCheck:5696 9621 Version check file percona-version-check in /tmp
# VersionCheck:5810 9621 Version check file /tmp/percona-version-check contents: 0,1390762187
# VersionCheck:5818 9621 Intsance d613005ef7763ae15e44be64c85ffe8b last checked 1390762187 now 1392584082 diff 1821895 hours until next check -482.08
# VersionCheck:5825 9621 Time to check $VAR1 = {
# VersionCheck:5818 9621 Intsance 0 last checked 1390762187 now 1392584082 diff 1821895 hours until next check -482.08
# VersionCheck:5825 9621 Time to check $VAR1 = {
# VersionCheck:5739 9621 2 instances to check
# VersionCheck:5748 9621 Using https
# VersionCheck:5914 9621 Server response: $VAR1 = {
# VersionCheck:6015 9621 Items: $VAR1 = {
# VersionCheck:6160 9621 Perl version for $DBD::mysql::VERSION = 4.021
# VersionCheck:6160 9621 Perl version for $Percona::Toolkit::VERSION = 2.2.6
# VersionCheck:6149 9621 Perl version 5.18.1
# VersionCheck:6075 9621 platform: Linux
# VersionCheck:6080 9621 lsb_release: /usr/bin/lsb_release
# VersionCheck:6139 9621 OS version = openSUSE 13.1 (Bottle) (i586)
# VersionCheck:6191 9621 SHOW VARIABLES
# VersionCheck:6198 9621 MySQL version for MySQL = openSUSE package on tux3306
# VersionCheck:6198 9621 MySQL version for MySQL = 5.5.33-MariaDB on tux3306
# VersionCheck:5945 9621 Client response: $VAR1 = {
# VersionCheck:5948 9621 Server suggestions: $VAR1 = {
# VersionCheck:5696 9621 Version check file percona-version-check in /tmp
# VersionCheck:5839 9621 Updating last check time: 1392584083
# VersionCheck:5782 9621 Error updating version check file: Cannot write to /tmp/percona-version-check: Permission denied at /usr/bin/pt-index-usage line 5858.


Expected Results:  
1. package owns /etc/percona-toolkit
2. package ghosts /etc/percona-toolkit/percona-toolkit.conf (pt-*.conf)
3. commands do not run version checks by default, unless specifically asked to do so
Comment 1 Andreas Stieger 2014-02-17 00:25:59 UTC
Looking at this a little closer, this really is a security issue:
* communicate with an external server in the default configuration
* ... receives version information of various software
* ... receives arbitrary MySQL configuration variables
* ... can run commands (with -v)

Solution is to turn this off by default and have the user request this feature through CLI or configuration.
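Audit logic for the PTDEBUG output quoted in the description and the items listed in comment 1, as an added example that is not part of this bug report or of Percona Toolkit: it parses the `# VersionCheck:<line> <pid> <message>` lines to tell whether the external server was actually contacted and which version items were collected, and recomputes the "hours until next check" figure from the `/tmp/percona-version-check` state file. It assumes a 24-hour check interval, which the page does not state but which reproduces the logged arithmetic.

```python
import re

# Constructed sample in the "# VersionCheck:<line> <pid> <message>" shape of the
# PTDEBUG output quoted in this bug; the values are the ones the report shows.
SAMPLE_PTDEBUG = """\
# VersionCheck:5748 9621 Using https
# VersionCheck:5914 9621 Server response: $VAR1 = {
# VersionCheck:6160 9621 Perl version for $DBD::mysql::VERSION = 4.021
# VersionCheck:6160 9621 Perl version for $Percona::Toolkit::VERSION = 2.2.6
# VersionCheck:6149 9621 Perl version 5.18.1
# VersionCheck:6139 9621 OS version = openSUSE 13.1 (Bottle) (i586)
# VersionCheck:6198 9621 MySQL version for MySQL = 5.5.33-MariaDB on tux3306
# VersionCheck:5945 9621 Client response: $VAR1 = {
"""

# Assumption: one check per instance per 24 h; (86400 - 1821895) / 3600 reproduces the logged -482.08.
CHECK_INTERVAL_S = 24 * 3600

LINE_RE = re.compile(r"^# VersionCheck:\d+ \d+ (.*)$")
ITEM_RES = {  # the inventory items the tool logs before sending its "Client response"
    "perl": re.compile(r"^Perl version (\d[\d.]*)$"),
    "module": re.compile(r"^Perl version for \$(\S+)::VERSION = (\S+)$"),
    "os": re.compile(r"^OS version = (.+)$"),
    "mysql": re.compile(r"^MySQL version for MySQL = (.+) on (\S+)$"),
}

def analyze_ptdebug(output):
    """Summarise, from PTDEBUG=1 output, whether the external server was reached and what was collected."""
    report = {"contacted_server": False, "sent_client_data": False, "items": []}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        msg = m.group(1) if m else ""
        if msg == "Using https" or msg.startswith("Server response:"):
            report["contacted_server"] = True   # an HTTPS round trip happened
        if msg.startswith("Client response:"):
            report["sent_client_data"] = True   # collected items went back out
        for kind, rx in ITEM_RES.items():
            im = rx.match(msg)
            if im:
                report["items"].append((kind,) + im.groups())
    return report

def hours_until_next_check(state_contents, now):
    """Parse '<instance>,<epoch>' entries of /tmp/percona-version-check; negative means a check is due now."""
    result = {}
    for entry in state_contents.split():
        instance, last = entry.split(",")
        result[instance] = round((CHECK_INTERVAL_S - (now - int(last))) / 3600, 2)
    return result
```

Run against the real output of `PTDEBUG=1 pt-index-usage 2>&1` (or `innobackupex`) on a packaged host, an empty `items` list and `contacted_server == False` is what a correctly defaulted package should produce.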
Comment 2 Andreas Stieger 2014-02-17 00:26:47 UTC
Created attachment 578759 [details]
disable default version check
Comment 3 Bernhard Wiedemann 2014-02-17 01:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (864194) was mentioned in
https://build.opensuse.org/request/show/222523 Factory / percona-toolkit
Comment 4 Andreas Stieger 2014-02-17 19:24:16 UTC
openSUSE 12.3 not affected. Maintenance request for 13.1:
https://build.opensuse.org/request/show/222633
Comment 5 Marcus Meissner 2014-02-18 12:36:50 UTC
requested a CVE via oss-sec
Comment 6 Andreas Stieger 2014-02-18 20:43:27 UTC
Also affects Percona XtraBackup (server:database xtrabackup)

$ PTDEBUG=1 innobackupex . 2>&1 | grep VersionCheck
# VersionCheck:991 13013 FindBin::Bin: /usr/bin
# VersionCheck:1150 13013 SELECT CONCAT(@@hostname, @@port)
# VersionCheck:1171 13013 MySQL instance: d613005ef7763ae15e44be64c85ffe8b tux3306 $VAR1 = 'dbi:mysql:;mysql_read_default_group=xtrabackup';
# VersionCheck:971 13013 Version check file percona-version-check in /tmp
# VersionCheck:1085 13013 Version check file /tmp/percona-version-check contents: 0,1390762187
# VersionCheck:1093 13013 Intsance d613005ef7763ae15e44be64c85ffe8b last checked 1390762187 now 1392756084 diff 1993897 hours until next check -529.86
# VersionCheck:1100 13013 Time to check $VAR1 = {
# VersionCheck:1093 13013 Intsance 0 last checked 1390762187 now 1392756084 diff 1993897 hours until next check -529.86
# VersionCheck:1100 13013 Time to check $VAR1 = {
# VersionCheck:1014 13013 2 instances to check
# VersionCheck:1023 13013 Using https
# VersionCheck:1189 13013 Server response: $VAR1 = {
# VersionCheck:1290 13013 Items: $VAR1 = {
# VersionCheck:1466 13013 SHOW VARIABLES
# VersionCheck:1473 13013 MySQL version for MySQL = openSUSE package on tux3306
# VersionCheck:1473 13013 MySQL version for MySQL = 5.5.33-MariaDB on tux3306
# VersionCheck:1435 13013 Perl version for $Percona::Toolkit::VERSION = undef
# VersionCheck:1350 13013 platform: Linux
# VersionCheck:1355 13013 lsb_release: /usr/bin/lsb_release
# VersionCheck:1414 13013 OS version = openSUSE 13.1 (Bottle) (i586)
# VersionCheck:1424 13013 Perl version 5.18.1
# VersionCheck:1435 13013 Perl version for $DBD::mysql::VERSION = 4.021
# VersionCheck:1220 13013 Client response: $VAR1 = {
# VersionCheck:1223 13013 Server suggestions: $VAR1 = {
# VersionCheck:971 13013 Version check file percona-version-check in /tmp
# VersionCheck:1114 13013 Updating last check time: 1392756086
# VersionCheck:1057 13013 Error updating version check file: Cannot write to /tmp/percona-version-check: Permission denied at /usr/bin/innobackupex line 1133.
Comment 7 Bernhard Wiedemann 2014-02-18 22:10:36 UTC
This is an autogenerated message for OBS integration:
This bug (864194) was mentioned in
https://build.opensuse.org/request/show/222792 Factory / xtrabackup
Comment 8 Andreas Stieger 2014-02-18 22:18:01 UTC
openSUSE:13.1:Update has xtrabackup 2.1.7 as of today, affected.
openSUSE:12.3:Update has xtrabackup 2.0.8, not affected.

Reproduction recipe requires removal of the last-check file:
$ rm /tmp/percona-version-check
# innobackupex .
[...]
140218 21:43:12  innobackupex: Executing a version check against the server...
# VersionCheck:991 15049 FindBin::Bin: /usr/bin
[...]

Fixed and tested xtrabackup. Maintenance requests: 
Percona XtraBackup: https://build.opensuse.org/request/show/222797
Percona Toolkit: https://build.opensuse.org/request/show/222633
Comment 9 Marcus Meissner 2014-02-20 10:39:21 UTC
CVE-2014-2029

can you resubmit the updates with the CVE mentioned in .changes please?
Comment 10 Marcus Meissner 2014-02-21 09:51:18 UTC
can you resubmit them with the CVE in .changes?
Comment 11 Andreas Stieger 2014-02-21 13:35:41 UTC
(In reply to comment #10)
> can you resubmit them with the CVE in .changes?

https://build.opensuse.org/request/show/223371
https://build.opensuse.org/request/show/223372
Comment 12 Andreas Stieger 2014-02-24 19:29:02 UTC
Percona has released Percona-Toolkit 2.2.7, with the following changelog:

> v2.2.7 released 2014-02-20
> 
>   * Fixed bug 1279502: --version-check behaves like spyware

When examining the diff it seems that a function get_bin_version has now been introduced to sanitize input and output. While this should address some concerns regarding the execution of commands, the issue of transmitting information to an external entity remains. The openSUSE package will keep the patch to turn off automatic version checking unless explicitly enabled via configuration or switch.
Comment 13 Bernhard Wiedemann 2014-02-24 20:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (864194) was mentioned in
https://build.opensuse.org/request/show/223756 Factory / percona-toolkit
https://build.opensuse.org/request/show/223759 13.1 / percona-toolkit
Comment 14 Bernhard Wiedemann 2014-03-05 21:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (864194) was mentioned in
https://build.opensuse.org/request/show/224761 12.3 / percona-toolkit
Comment 15 Swamp Workflow Management 2014-03-06 09:04:35 UTC
openSUSE-SU-2014:0333-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used:
openSUSE 13.1 (src):    percona-toolkit-2.2.7-2.10.1, xtrabackup-2.1.7-13.2
Comment 16 Bernhard Wiedemann 2014-03-07 00:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (864194) was mentioned in
https://build.opensuse.org/request/show/224927 13.1 / xtrabackup
Comment 17 Swamp Workflow Management 2014-03-13 14:04:21 UTC
openSUSE-SU-2014:0361-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used:
openSUSE 12.3 (src):    percona-toolkit-2.1.11-2.12.1
Comment 18 Marcus Meissner 2014-03-13 14:20:51 UTC
released
Comment 19 Swamp Workflow Management 2014-03-13 15:04:21 UTC
openSUSE-SU-2014:0363-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 864194
CVE References: CVE-2014-2029
Sources used:
openSUSE 13.1 (src):    xtrabackup-2.1.8-17.1