innobackupex writes "stdout" and "stderr" files to cwd and leaves them behind
Bug #687544 reported by Ville Skyttä
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Percona XtraBackup moved to https://jira.percona.com/projects/PXB | Fix Released | Medium | Valentine Gostev | |
1.6 | Fix Released | Medium | Valentine Gostev | |
2.0 | Fix Released | Medium | Valentine Gostev | |
Bug Description
innobackupex-1.5.1 from xtrabackup-
There's nothing in innobackupex-1.5.1 --help about this, there's no documentation in the rpm, and there was not a mention about this in the release notes. Also, it seems to write to these files blindly which may result in an arbitrary file overwrite vulnerability (if these files exist and are symlinks).
I suggest using secure temporary files for these (e.g. using the File::Temp module), and cleaning them up on exit.
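The symlink risk and the File::Temp suggestion in the description above, shown side by side as an added example (not code from innobackupex or from the reporter). The sub names, file names and scratch directory are hypothetical, and the sample file is constructed for the demonstration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Unsafe pattern: a predictable name in a shared or current directory.
# open() with '>' follows a symlink and truncates whatever it points to.
sub capture_unsafe {
    my ($dir, $text) = @_;
    open(my $fh, '>', "$dir/stdout") or die "open: $!";
    print {$fh} $text;
    close($fh) or die "close: $!";
}

# Hardened pattern: File::Temp picks an unpredictable name and creates the
# file with O_CREAT|O_EXCL, so an existing file or symlink is never opened.
# The object removes its file when it goes out of scope.
sub capture_safe {
    my ($text) = @_;
    my $tmp = File::Temp->new(
        TEMPLATE => 'capture_XXXXXXXX', TMPDIR => 1, SUFFIX => '.stdout',
    );
    print {$tmp} $text;
    $tmp->flush;
    $tmp->seek(0, 0) or die "seek: $!";
    local $/;                        # slurp mode for the read-back
    my $out = <$tmp>;
    return ($out, $tmp->filename);   # file is unlinked once $tmp is destroyed
}

# Constructed scenario inside a private scratch directory.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/important.cnf";   # hypothetical file that must survive
open(my $v, '>', $victim) or die "open: $!";
print {$v} "keep me\n";
close($v) or die "close: $!";
symlink($victim, "$dir/stdout") or die "symlink: $!";

capture_unsafe($dir, "backup log line\n");
open($v, '<', $victim) or die "open: $!";
my $after = do { local $/; <$v> };
close($v);
print "victim after unsafe capture: $after";

my ($out, $name) = capture_safe("backup log line\n");
print "safe capture read back: $out";
print "temp file removed on exit from sub: ", (-e $name ? "no" : "yes"), "\n";
```

Because the hardened form writes under the system temporary directory rather than the working directory, it also does not depend on the caller having write permission in cwd.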
Related branches
lp:~longbow/percona-xtrabackup/fix_687544
- Alexey Kopytov (community): Approve
- Diff: 46 lines (+6/-7), 1 file modified: innobackupex (+6/-7)
lp:~longbow/percona-xtrabackup/fix687544-1.6
- Alexey Kopytov (community): Approve
- Valentine Gostev (community): Needs Resubmitting
- Diff: 46 lines (+6/-7), 1 file modified: innobackupex (+6/-7)
Changed in percona-xtrabackup:
assignee: nobody → Valentine Gostev (core-longbow)
Changed in percona-xtrabackup:
importance: Undecided → Wishlist
status: New → Confirmed
Changed in percona-xtrabackup:
assignee: Valentine Gostev (core-longbow) → Rodrigo Gadea (rodrigo-gadea-percona)
importance: Wishlist → Medium
Changed in percona-xtrabackup:
status: Confirmed → Triaged
Changed in percona-xtrabackup:
status: Triaged → In Progress
Changed in percona-xtrabackup:
assignee: Rodrigo Gadea (rodrigo-gadea-percona) → Valentine Gostev (longbow)
This also means that innobackupex can only run if it has permissions to create and write files. With XtraBackup 1.2, this was not the case. So an upgrade to 1.6 breaks my backup script.