CVE-2020-29488: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream

CVE-2020-29488Due to CVE-2020-29488, Percona XtraBackup is modifying how xbstream handles absolute paths to prevent malicious file injections. Like the tar archiving utility, the new behavior removes the leading ‘/’ character and references to the parent directory.

Fixes are available in Percona XtraBackup versions:

>= 2.4.22

>= 8.0.23-16.0

For example, ../../../d1/../d2/h.txt will be saved in the stream with the relative path ./d2/h.txt.

The updated function provides a warning when creating a stream with a file with an absolute path:

$ xbstream -c /tmp/data

xbstream: Removing leading '/' from member names

The function also will not extract files with absolute paths:

$ cat a.xb | xbstream -x -C  ./restore

xbstream: absolute path not allowed: /tmp/bar.txt

Note: a stream can contain an absolute path if created with an older version of xbstream or if the following parameter is used:

  • -P, --absolute-names

Be aware of the following:

Scripts that call xbstream to store the path/file in an absolute path will strip the leading ‘/’ and references to ‘../’. This action could cause an unexpected result.

Extracting older formatted binaries which do contain the leading ‘/’  and path/file produce an error message and are not extracted.

Share this post

Leave a Reply