Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-22 Thread Guillem Jover
Hi!

On Fri, 2016-11-18 at 17:21:58 +0100, Dario Minnucci wrote:
> On 11/04/16 14:38, Guillem Jover wrote:
> > ... 
> > This is the relevant strace part for percona-toolkit 2.2.18-1:
> > 
> > ,---
> > connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = 0
> > `---
> > 
> > Where 74.121.199.234 is www.percona.com.

> I've just discussed this issue with upstream a minute ago and it seems
> there is a simple solution for it...
> 
> There is a global configuration file that affects every tool in the
> percona-toolkit package.
> (See: https://www.percona.com/doc/percona-toolkit/2.2/configuration_files.html)
> 
> The workaround consists in creating (or modifying) the file
> '/etc/percona-toolkit/percona-toolkit.conf' and adding 'noversion-check' to it.

> ---%<-
> cat << EOF >> /etc/percona-toolkit/percona-toolkit.conf
> noversion-check
> EOF
> ---%<-

> This global configuration file (/etc/percona-toolkit/percona-toolkit.conf)
> should be read by every tool in the percona-toolkit package, disabling the
> 'call home' functionality.
> 
> Can you try this solution and report results?

Yes, this seems to work! After making sure there's no version
timestamp file, stracing one of the programs does not show any
connection attempts anymore. And of course there's neither a message
prompting to upgrade the software (when run on a jessie system with an
older than published version).

So shipping such file by default would seem to fix this problem. Could
you prepare this for unstable and also stable?

Thanks,
Guillem



Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-18 Thread Dario Minnucci
Hi guys,

On 11/04/16 14:38, Guillem Jover wrote:
> ... 
> This is the relevant strace part for percona-toolkit 2.2.18-1:
> 
> ,---
> connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = 0
> `---
> 
> Where 74.121.199.234 is www.percona.com.
> 

I've just discussed this issue with upstream a minute ago and it seems
there is a simple solution for it...

There is a global configuration file that affects every tool in the
percona-toolkit package.
(See: https://www.percona.com/doc/percona-toolkit/2.2/configuration_files.html)

The workaround consists in creating (or modifying) the file
'/etc/percona-toolkit/percona-toolkit.conf' and adding 'noversion-check' to it.


---%<-
cat << EOF >> /etc/percona-toolkit/percona-toolkit.conf
noversion-check
EOF
---%<-


This global configuration file (/etc/percona-toolkit/percona-toolkit.conf)
should be read by every tool in the percona-toolkit package, disabling the
'call home' functionality.

Can you try this solution and report results?

-- 
 Dario Minnucci 
 Phone: +34 902021030 | Fax: +34 902024417
 Key fingerprint = BAA1 7AAF B21D 6567 D457  D67D A82F BB83 F3D5 7033
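The workaround above appends a line with `>>`, so running it twice leaves two `noversion-check` lines in the file. The following is an added example, not code from the bug thread or from Percona: a small POSIX sh helper that adds the option only when it is absent and reports whether version-check is disabled by the file. It assumes the config syntax described in the configuration-files documentation linked above (one option per line, `#` starting a comment); the config path is a parameter so the demo runs against a temporary file rather than the real /etc/percona-toolkit/percona-toolkit.conf.

```shell
#!/bin/sh
# Added example (not from the bug thread or Percona): idempotent version of
# the 'noversion-check' workaround. Config path is a parameter so the demo
# below runs against a constructed temporary file.

# Print "disabled" if the file contains a bare 'noversion-check' line,
# "enabled" otherwise (the thread shows the check is on by default).
# Comments ('#' to end of line) and surrounding whitespace are ignored,
# following the one-option-per-line config syntax (assumed from the docs).
version_check_state() {
    conf=$1
    if [ -f "$conf" ] && sed -e 's/[[:space:]]*#.*$//' \
                             -e 's/^[[:space:]]*//' \
                             -e 's/[[:space:]]*$//' "$conf" \
                         | grep -qx 'noversion-check'; then
        echo disabled
    else
        echo enabled
    fi
}

# Append 'noversion-check' unless it is already in effect; safe to re-run.
ensure_noversion_check() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if [ "$(version_check_state "$conf")" = disabled ]; then
        return 0
    fi
    printf '%s\n' 'noversion-check' >> "$conf"
}

# Number of exact 'noversion-check' lines, to show no duplicates are added.
count_noversion_lines() {
    grep -c -x 'noversion-check' "$1" 2>/dev/null || true
}

# Demo against a constructed temporary config (not the real /etc file).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/percona-toolkit.conf"
printf '# constructed sample config\n' > "$demo_conf"
echo "before: $(version_check_state "$demo_conf")"
ensure_noversion_check "$demo_conf"
ensure_noversion_check "$demo_conf"    # second run must be a no-op
echo "after:  $(version_check_state "$demo_conf")," \
     "$(count_noversion_lines "$demo_conf") noversion-check line(s)"
rm -rf "$demo_dir"
```

After applying this to the real file as root, re-run one of the tools under strace as done earlier in the thread to confirm that no connect() to port 443 appears; the config line only helps if every tool actually reads the global file.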






Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-15 Thread Michael Prokop
* Dario Minnucci [Fri Nov 04, 2016 at 04:50:13PM +0100]:

> Sorry for the delay on this one.

> I was discussing this issue with upstream and I think we have a solution to
> disable 'version-check' for all tools in a single configuration file.

> I'm contacting upstream again and I'll let you know the procedure to follow in
> order to fix this bug.

Is there any URL available to track progress on this issue?
(I couldn't find anything at
https://bugs.launchpad.net/percona-toolkit though I might have used
the wrong keywords.)

percona-toolkit for sure should be part of stretch, so it would be
sad to miss the "soft" freeze as of 2017-01-05 for some reason like
this (jftr, see
https://release.debian.org/stretch/freeze_policy.html +
https://wiki.debian.org/DebianStretch).

regards,
-mika-




Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-04 Thread Dario Minnucci
Hi guys,

Sorry for the delay on this one.

I was discussing this issue with upstream and I think we have a solution to
disable 'version-check' for all tools in a single configuration file.

I'm contacting upstream again and I'll let you know the procedure to follow in
order to fix this bug.

> 
> Dario, side question: if you want a hand co-maintaining percona-toolkit I'd be
> happy to help as we use them at work so we do care about those tools.
> 

Sandro, help is always welcome under 
https://anonscm.debian.org/cgit/collab-maint/percona-toolkit.git/

Regards,

-- 
 Dario Minnucci 
 Phone: +34 902021030 | Fax: +34 902024417
 Key fingerprint = BAA1 7AAF B21D 6567 D457  D67D A82F BB83 F3D5 7033



Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-04 Thread Guillem Jover
Hi!

On Thu, 2016-11-03 at 13:51:40 -0400, Sandro Tosi wrote:
> On Wed, 8 Jun 2016 14:21:14 +0200 Guillem Jover  wrote:
> > This package contains many scripts which call back home to check for
> > new upstream versions. In addition they also report back things such
> > as hostname and port and similar. It seems this was previously disabled
> > or removed due to CVE-2014-2029 (#740846), but the patch got lost
> > somewhere?

> can you clarify what you see and/or in which scripts you saw the
> callback happening automatically?

Yeah, sorry I see the initial report is pretty much lacking any kind
of detail. I had to do some digging myself because I didn't even
remember what was going on. :/

> I had a quick look and it appears this feature is not enabled by
> default (as also clarified at https://www.percona.com/version-check);
> for example in pt-duplicate-key-checker I can see:
> 
>    #
>    # Do the version-check
>    #
>    if ( $o->get('version-check') && (!$o->has('quiet') || !$o->get('quiet')) ) {
>       VersionCheck::version_check(
>          force     => $o->got('version-check'),
>          instances => [ {dbh => $dbh, dsn => $dsn} ],
>       );
>    }
> 
> which only triggers the version check if the `version-check` cli
> switch/config parameters are set.

While this might appear so, it does not match reality. On a jessie
system:

  ,---
  $ ls /etc/percona-toolkit/percona-version-check
  ls: cannot access /etc/percona-toolkit/percona-version-check: No such file or directory
  $ pt-diskstats

  # A software update is available:
  #   * The current version for Percona::Toolkit is 2.2.14.

  […normal command output…]
  $ ls -la /etc/percona-toolkit/percona-version-check
  -rw-r--r-- 1 root root 13 Nov  4 14:26 /etc/percona-toolkit/percona-version-check
  $ pt-diskstats
  […normal command output…]
  `---

As you can see the commands check at least once on first invocation,
and then might check more often based on the timestamps in that file.
We are currently running some of the percona commands with an explicit
--no-version-check option to avoid this.

If you do the same check on a sid system, after removing the
/etc/percona-toolkit/percona-version-check file, it will still connect
but might be silent due to the version being newer than what it can
find. An strace will reveal that it's still connecting to percona.com:

This is the relevant strace part for percona-toolkit 2.2.18-1:

,---
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = 0
`---

Where 74.121.199.234 is www.percona.com.

Thanks,
Guillem
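The strace check described in the message above can be scripted so that a package maintainer or sysadmin can re-run it after a fix. The following is an added example, not code from the bug thread or from Percona: `connect_targets` extracts the `ip:port` of every AF_INET connect() in strace output, and `connects_to` reports whether a trace file shows a connection to a given address. The trace lines in the demo are constructed to resemble the excerpt in the thread (an AF_UNIX connect to the local MySQL socket, which must be ignored, and an AF_INET connect to 74.121.199.234:443, the address the thread identifies as www.percona.com); the `[pid N]` prefix and the EINPROGRESS return value are assumed forms of strace output, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or Percona): turn the manual strace
# inspection into a repeatable check. Input is strace output such as that of
#   strace -f -e trace=connect -o /tmp/pt.trace pt-diskstats
# Only the connect() lines matter here.

# Read strace output on stdin, print one "ip:port" per AF_INET connect().
# Tolerates a leading "[pid N]" prefix (strace -f) and any return value,
# so non-blocking connects that return -1 EINPROGRESS are still reported.
connect_targets() {
    sed -n 's/.*connect([0-9]*, {sa_family=AF_INET, sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([0-9.]*\)")}, [0-9]*) = .*/\2:\1/p'
}

# Usage: connects_to TRACE_FILE IP [PORT]
# Exit status 0 if a matching connect() is present, 1 otherwise.
connects_to() {
    trace=$1; ip=$2; port=${3:-}
    connect_targets < "$trace" | awk -F: -v ip="$ip" -v port="$port" '
        $1 == ip && (port == "" || $2 == port) { found = 1 }
        END { exit !found }'
}

# Demo against a constructed trace file (not real strace output from a host).
demo_trace=$(mktemp)
cat > "$demo_trace" <<'EOF'
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/mysqld/mysqld.sock"}, 110) = 0
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = -1 EINPROGRESS (Operation now in progress)
EOF
echo "outbound connects:"
connect_targets < "$demo_trace"
if connects_to "$demo_trace" 74.121.199.234 443; then
    echo "version-check call home detected"
else
    echo "no call home to 74.121.199.234:443"
fi
rm -f "$demo_trace"
```

Run the tool with a clean environment (no /etc/percona-toolkit/percona-version-check file, as in the message above) so that the first-invocation check is exercised; a trace with no AF_INET connect() to port 443 is the expected result once the version check is disabled.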



Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-11-03 Thread Sandro Tosi
On Wed, 8 Jun 2016 14:21:14 +0200 Guillem Jover  wrote:
> This package contains many scripts which call back home to check for
> new upstream versions. In addition they also report back things such
> as hostname and port and similar. It seems this was previously disabled
> or removed due to CVE-2014-2029 (#740846), but the patch got lost
> somewhere?

hello Guillem,
can you clarify what you see and/or in which scripts you saw the
callback happening automatically?

I had a quick look and it appears this feature is not enabled by
default (as also clarified at https://www.percona.com/version-check);
for example in pt-duplicate-key-checker I can see:

   #
   # Do the version-check
   #
   if ( $o->get('version-check') && (!$o->has('quiet') || !$o->get('quiet')) ) {
      VersionCheck::version_check(
         force     => $o->got('version-check'),
         instances => [ {dbh => $dbh, dsn => $dsn} ],
      );
   }

which only triggers the version check if the `version-check` cli
switch/config parameters are set.

Dario, side question: if you want a hand co-maintaining percona-toolkit I'd be
happy to help as we use them at work so we do care about those tools.

thanks,
sandro



Bug#826728: percona-toolkit: (CVE-2014-2029) scripts call back home and leak information

2016-06-08 Thread Guillem Jover
Package: percona-toolkit
Version: 2.2.11-1~dfsg1
Severity: grave
Tags: security

Hi!

This package contains many scripts which call back home to check for
new upstream versions. In addition they also report back things such
as hostname and port and similar. It seems this was previously disabled
or removed due to CVE-2014-2029 (#740846), but the patch got lost
somewhere?

This affects the current stable/testing/unstable distributions AFAICS.

Thanks,
Guillem