[#MDEV-23884] donor uses invalid SST methods

[MDEV-23884] donor uses invalid SST methods Created: 2020-10-03 Updated: 2023-10-18 Resolved: 2020-10-07
Status:	Closed
Project:	MariaDB Server
Component/s:	Galera SST
Affects Version/s:	10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s:	10.1.47, 10.2.34, 10.3.25, 10.4.15, 10.5.6

Type:

Bug

Priority:

Blocker

Reporter:

Sergei Golubchik

Assignee:

Sergei Golubchik

Resolution:

Fixed

Votes:

Labels:

None

Issue Links:

Relates
relates to	~~MDEV-31470~~	When set at runtime, wsrep_sst_method...	Closed

Description

during SST a joiner sends an sst method name to the donor. Donor then appends it to the "wsrep_sst_" string to get the name of the sst script to use, e.g. wsrep_sst_rsync. There is no validation or filtering here, so if the malicious joiner sends, for example, "rsync `rm -rf /`" the donor will execute that too.

Comments

Comment by Sergei Golubchik [ 2020-10-31 ]

CVE-2020-15180

Generated at Thu Feb 08 09:25:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-23884] donor uses invalid SST methods Created: 2020-10-03 Updated: 2023-10-18 Resolved: 2020-10-07