Bug 1205581 - (CVE-2020-29488) VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream
VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled ...
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.4
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
Blocks: CVE-2020-10997
  Show dependency treegraph
Reported: 2022-11-20 12:33 UTC by Andreas Stieger
Modified: 2023-03-13 08:02 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2022-11-20 12:33:37 UTC
Due to CVE-2020-29488 (bug 1170644), Percona XtraBackup is modifying how xbstream handles absolute paths to prevent malicious file injections. Like the tar archiving utility, the new behavior removes the leading ‘/’ character and references to the parent directory.

Fixes are available in Percona XtraBackup versions:

>= 2.4.22

>= 8.0.23-16.0

For example, ../../../d1/../d2/h.txt will be saved in the stream with the relative path ./d2/h.txt.

The updated function provides a warning when creating a stream with a file with an absolute path:

$ xbstream -c /tmp/data

xbstream: Removing leading '/' from member names

The function also will not extract files with absolute paths:

$ cat a.xb | xbstream -x -C  ./restore

xbstream: absolute path not allowed: /tmp/bar.txt

Note: a stream can contain an absolute path if created with an older version of xbstream or if the following parameter is used:

    -P, --absolute-names

Be aware of the following:

Scripts that call xbstream to store the path/file in an absolute path will strip the leading ‘/’ and references to ‘../’. This action could cause an unexpected result.

Extracting older formatted binaries which do contain the leading ‘/’  and path/file produce an error message and are not extracted.

Comment 1 OBSbugzilla Bot 2022-11-20 13:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1205581) was mentioned in
https://build.opensuse.org/request/show/1036938 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / xtrabackup
Comment 2 OBSbugzilla Bot 2022-11-20 15:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1205581) was mentioned in
https://build.opensuse.org/request/show/1036940 Backports:SLE-15-SP4 / xtrabackup
Comment 3 Andreas Stieger 2022-11-21 12:20:27 UTC
Submitted for openSUSE:Backports:SLE-15-SP4:Update, pending licensedigger review. Please check where this is stuck.

xtrabackup was dropped from openSUSE:Backports:SLE-15-SP5 (SR#1036945)
Comment 4 Swamp Workflow Management 2022-11-23 14:23:55 UTC
openSUSE-SU-2022:10212-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1125418,1135095,1170644,1205581
CVE References: CVE-2020-10997,CVE-2020-29488
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    xtrabackup-2.4.26-bp154.2.3.1
Comment 5 Andreas Stieger 2022-11-23 14:43:17 UTC
Fixed in 15.4. Not fixing for 15.3. Dropped from next. Closing.