[MDEV-33727] mariadb-dump trusts the server and does not validate the data - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Fix Version/s: 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.2.4, 11.1.5, 11.4.2
Component/s: Scripts & Clients
Labels:
None

Description

mariadb-dump trusts the server and puts the data it receives into the dump without validation or escaping. Malicious server can inject thus \! command into the dump.

Attachments

Issue Links

causes

MDEV-34183 MariaDB 10.6.18 seems to generate invalid SQL dumps

Closed

MDEV-34203 Sandbox mode \- is not compatible with --binary-mode

Closed

MDEV-34339 mariadb_repo_setup package doesn't work with MariaDB 10.6 and Debian 12 Bookworm

Closed

is blocked by

MDEV-21778 Disable system commands in mysql/mariadb client

Closed

links to

CVE-2024-21096

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik added a comment - 2024-04-04 22:31

this applies to numbers, to the server version in the first protocol packet, to identifiers, etc

Sergei Golubchik added a comment - 2024-04-04 22:31 this applies to numbers, to the server version in the first protocol packet, to identifiers, etc

Sergei Golubchik added a comment - 2024-05-05 11:08

Solved by using the sandbox mode of the mariadb command line client

Sergei Golubchik added a comment - 2024-05-05 11:08 Solved by using the sandbox mode of the mariadb command line client

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-03-19 22:22

Updated:: 2024-06-17 08:14

Resolved:: 2024-05-05 11:08

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server