Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
Hi!

On Fri, 2016-11-18 at 17:21:58 +0100, Dario Minnucci wrote:
> On 11/04/16 14:38, Guillem Jover wrote:
> > ...
> > This is the relevant strace part for percona-toolkit 2.2.18-1:
> >
> > ,---
> > connect(3, {sa_family=AF_INET, sin_port=htons(443),
> > sin_addr=inet_addr("74.121.199.234")}, 16) = 0
> > `---
> >
> > Where 74.121.199.234 is www.percona.com.
>
> I've just discussed this issue with upstream just a minute ago and it seems
> there is a simple solution for it...
>
> There is a global configuration file to affect every percona-toolkit package
> tool. (See:
> https://www.percona.com/doc/percona-toolkit/2.2/configuration_files.html)
>
> The workaround consists in creating (or modifying) the file
> '/etc/percona-toolkit/percona-toolkit.conf' and adding 'noversion-check' to it.
>
> ---%<-
> cat << EOF >> /etc/percona-toolkit/percona-toolkit.conf
> noversion-check
> EOF
> ---%<-
>
> This global configuration file (/etc/percona-toolkit/percona-toolkit.conf)
> should be read by every tool in the percona-toolkit package, disabling the
> 'call home' functionality.
>
> Can you try this solution and report results?

Yes, this seems to work! After making sure there's no version timestamp
file, stracing one of the programs does not show any connection attempts
anymore. And of course there's neither a message prompting to upgrade the
software (when run on a jessie system with an older than published
version).

So shipping such a file by default would seem to fix this problem. Could
you prepare this for unstable and also stable?

Thanks,
Guillem
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
Hi guys,

On 11/04/16 14:38, Guillem Jover wrote:
> ...
> This is the relevant strace part for percona-toolkit 2.2.18-1:
>
> ,---
> connect(3, {sa_family=AF_INET, sin_port=htons(443),
> sin_addr=inet_addr("74.121.199.234")}, 16) = 0
> `---
>
> Where 74.121.199.234 is www.percona.com.

I've just discussed this issue with upstream just a minute ago and it seems
there is a simple solution for it...

There is a global configuration file to affect every percona-toolkit package
tool. (See:
https://www.percona.com/doc/percona-toolkit/2.2/configuration_files.html)

The workaround consists in creating (or modifying) the file
'/etc/percona-toolkit/percona-toolkit.conf' and adding 'noversion-check' to it.

---%<-
cat << EOF >> /etc/percona-toolkit/percona-toolkit.conf
noversion-check
EOF
---%<-

This global configuration file (/etc/percona-toolkit/percona-toolkit.conf)
should be read by every tool in the percona-toolkit package, disabling the
'call home' functionality.

Can you try this solution and report results?

-- 
Dario Minnucci
Phone: +34 902021030 | Fax: +34 902024417
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
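The heredoc in the workaround above appends blindly, so running it twice leaves two 'noversion-check' lines. The following POSIX sh snippet is an added example (not from this bug thread or from the percona-toolkit project) that makes the change idempotent and lets you verify both the config file and the version-check timestamp file; the paths are passed as arguments so it can be exercised against a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example, not part of the bug thread: idempotently add
# 'noversion-check' to the percona-toolkit global config and verify it.
# Paths are passed in so this can be exercised against a scratch directory;
# on a real system they are /etc/percona-toolkit/percona-toolkit.conf and
# /etc/percona-toolkit/percona-version-check (the timestamp file the tools
# write after a version check has run).

# 0 if the config holds an uncommented 'noversion-check' line, 1 otherwise.
version_check_disabled() {
    [ -r "$1" ] && grep -qxE '[[:space:]]*noversion-check[[:space:]]*' "$1"
}

# Append the option only when it is missing, so repeated runs (e.g. from a
# configuration-management tool) do not pile up duplicate lines.
disable_version_check() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    version_check_disabled "$conf" && return 0
    printf '%s\n' 'noversion-check' >> "$conf"
}

# Number of 'noversion-check' lines in the file (expect exactly 1).
count_noversion_lines() {
    if [ -r "$1" ]; then
        grep -cxE '[[:space:]]*noversion-check[[:space:]]*' "$1" || true
    else
        echo 0
    fi
}

# 0 if no version-check timestamp file exists (no tool has recorded a check
# since it was last removed), 1 if one is present. Remove the file, run a
# tool, and re-check: a new file means the option did not take effect.
marker_absent() {
    [ ! -e "$1" ]
}
```

Pair the marker check with an strace of one tool, as done in the thread, since a newer-than-published version connects silently without printing an upgrade notice.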
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
* Dario Minnucci [Fri Nov 04, 2016 at 04:50:13PM +0100]:
> Sorry for the delay on this one.
> I was discussing this issue with upstream and I think we have a solution to
> disable 'version-check' for all tools in a single configuration file.
> I'm contacting upstream again and I'll let you know the procedure to follow
> in order to fix this bug.

Is there any URL available to track progress on this issue? (I couldn't
find anything at https://bugs.launchpad.net/percona-toolkit though I might
have used the wrong keywords.)

percona-toolkit for sure should be part of stretch, so it would be sad to
miss the "soft" freeze as of 2017-01-05 for some reason like this (jftr,
see https://release.debian.org/stretch/freeze_policy.html +
https://wiki.debian.org/DebianStretch).

regards,
-mika-
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
Hi guys,

Sorry for the delay on this one.
I was discussing this issue with upstream and I think we have a solution to
disable 'version-check' for all tools in a single configuration file.
I'm contacting upstream again and I'll let you know the procedure to follow
in order to fix this bug.

> Dario, side question: if you want a hand co-maintaining percona-toolkit i'd
> be happy to help as we use them at work so we do care about those tools.

Sandro, help is always welcome under
https://anonscm.debian.org/cgit/collab-maint/percona-toolkit.git/

Regards,

-- 
Dario Minnucci
Phone: +34 902021030 | Fax: +34 902024417
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
Hi!

On Thu, 2016-11-03 at 13:51:40 -0400, Sandro Tosi wrote:
> On Wed, 8 Jun 2016 14:21:14 +0200 Guillem Jover wrote:
> > This package contains many scripts which call back home to check for
> > new upstream versions. In addition they also report back things such
> > as hostname and port and similar. It seems this was previously disabled
> > or removed due to CVE-2014-2029 (#740846), but the patch got lost
> > somewhere?
>
> can you clarify what you see and/or in which scripts you saw the
> callback happening automatically?

Yeah, sorry, I see the initial report is pretty much lacking any kind of
detail. I had to do some digging myself because I didn't even remember
what was going on. :/

> i had a quick look and it appears this feature is not enabled by
> default (as also clarified at https://www.percona.com/version-check);
> for example in pt-duplicate-key-checker i can see:
>
> #
> # Do the version-check
> #
> if ( $o->get('version-check') && (!$o->has('quiet') || !$o->get('quiet')) ) {
>     VersionCheck::version_check(
>         force     => $o->got('version-check'),
>         instances => [ {dbh => $dbh, dsn => $dsn} ],
>     );
> }
>
> which only triggers the version check if the `version-check` cli
> switch/config parameters are set.

While this might appear so, it does not match reality. On a jessie system:

,---
$ ls /etc/percona-toolkit/percona-version-check
ls: cannot access /etc/percona-toolkit/percona-version-check: No such file or directory
$ pt-diskstats
# A software update is available:
#   * The current version for Percona::Toolkit is 2.2.14.
[…normal command output…]
$ ls -la /etc/percona-toolkit/percona-version-check
-rw-r--r-- 1 root root 13 Nov  4 14:26 /etc/percona-toolkit/percona-version-check
$ pt-diskstats
[…normal command output…]
`---

As you can see the commands check at least once on first invocation, and
then might check more often based on the timestamps in that file.

We are currently running some of the percona commands with an explicit
--no-version-check option to avoid this.

If you do the same check on a sid system, after removing the
/etc/percona-toolkit/percona-version-check file, it will still connect but
might be silent due to the version being newer than what it can find. An
strace will reveal that it's still connecting to percona.com:

This is the relevant strace part for percona-toolkit 2.2.18-1:

,---
connect(3, {sa_family=AF_INET, sin_port=htons(443),
sin_addr=inet_addr("74.121.199.234")}, 16) = 0
`---

Where 74.121.199.234 is www.percona.com.

Thanks,
Guillem
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
On Wed, 8 Jun 2016 14:21:14 +0200 Guillem Jover wrote:
> This package contains many scripts which call back home to check for
> new upstream versions. In addition they also report back things such
> as hostname and port and similar. It seems this was previously disabled
> or removed due to CVE-2014-2029 (#740846), but the patch got lost
> somewhere?

hello Guillem,

can you clarify what you see and/or in which scripts you saw the
callback happening automatically?

i had a quick look and it appears this feature is not enabled by
default (as also clarified at https://www.percona.com/version-check);
for example in pt-duplicate-key-checker i can see:

#
# Do the version-check
#
if ( $o->get('version-check') && (!$o->has('quiet') || !$o->get('quiet')) ) {
    VersionCheck::version_check(
        force     => $o->got('version-check'),
        instances => [ {dbh => $dbh, dsn => $dsn} ],
    );
}

which only triggers the version check if the `version-check` cli
switch/config parameters are set.

Dario, side question: if you want a hand co-maintaining percona-toolkit i'd
be happy to help as we use them at work so we do care about those tools.

thanks,
sandro
Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information
Package: percona-toolkit
Version: 2.2.11-1~dfsg1
Severity: grave
Tags: security

Hi!

This package contains many scripts which call back home to check for
new upstream versions. In addition they also report back things such
as hostname and port and similar. It seems this was previously disabled
or removed due to CVE-2014-2029 (#740846), but the patch got lost
somewhere?

This affects the current stable/testing/unstable distributions AFAICS.

Thanks,
Guillem