diff --git a/percona-toolkit-2.2.x-disable-default-version-check.patch b/percona-toolkit-2.2.x-disable-default-version-check.patch
new file mode 100644
index 0000000..c0ae949
--- /dev/null
+++ b/percona-toolkit-2.2.x-disable-default-version-check.patch
@@ -0,0 +1,276 @@
+From: Andreas Stieger
+Date: Mon, 17 Feb 2014 00:15:35 +0000
+Subject: disable automatic version check for all tools
+References: https://bugzilla.novell.com/show_bug.cgi?id=864194 https://bugs.launchpad.net/percona-toolkit/+bug/1279502
+Upstream: no
+
+Prevents transmission of version information to an external host
+in the default configuration.
+Can be used by owner of a Percona Server (or an attacker who can
+control this destination for the client) to collect arbitrary
+MySQL configuration parameters and execute commands (with -v).
+Now the version check needs to be requested via command line or
+global/tool specific/user configuration. (--version-check)
+
+Note that the doc is parsed into a Perl Getopt::Long spec at runtime.
+Setting "default: no" does not work, "default: 0" would work.
+The spec file contains a %check section that tests this.
+Patching the source was chosen over supplying default configuration
+files in /etc/percona-toolkit/percona-toolkit.conf because not all
+tools actually support the version check and would throw warnings.
+
+---
+ bin/pt-archiver | 2 --
+ bin/pt-config-diff | 2 --
+ bin/pt-deadlock-logger | 2 --
+ bin/pt-diskstats | 2 --
+ bin/pt-duplicate-key-checker | 2 --
+ bin/pt-find | 2 --
+ bin/pt-fk-error-logger | 2 --
+ bin/pt-heartbeat | 2 --
+ bin/pt-index-usage | 2 --
+ bin/pt-kill | 2 --
+ bin/pt-online-schema-change | 2 --
+ bin/pt-query-digest | 2 --
+ bin/pt-slave-delay | 2 --
+ bin/pt-slave-restart | 2 --
+ bin/pt-table-checksum | 2 --
+ bin/pt-table-sync | 2 --
+ bin/pt-upgrade | 2 --
+ bin/pt-variable-advisor | 2 --
+ 18 files changed, 36 deletions(-)
+
+Index: percona-toolkit-2.2.6/bin/pt-archiver
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-archiver 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-archiver 2014-02-16 23:14:22.000000000 +0000
+@@ -7482,8 +7482,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-config-diff
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-config-diff 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-config-diff 2014-02-16 23:14:22.000000000 +0000
+@@ -5580,8 +5580,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-deadlock-logger
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-deadlock-logger 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-deadlock-logger 2014-02-16 23:14:22.000000000 +0000
+@@ -5349,8 +5349,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-diskstats
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-diskstats 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-diskstats 2014-02-16 23:14:22.000000000 +0000
+@@ -5485,8 +5485,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-duplicate-key-checker
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-duplicate-key-checker 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-duplicate-key-checker 2014-02-16 23:14:22.000000000 +0000
+@@ -5450,8 +5450,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-find
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-find 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-find 2014-02-16 23:14:22.000000000 +0000
+@@ -4457,8 +4457,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-fk-error-logger
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-fk-error-logger 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-fk-error-logger 2014-02-16 23:14:22.000000000 +0000
+@@ -4352,8 +4352,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-heartbeat
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-heartbeat 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-heartbeat 2014-02-16 23:14:22.000000000 +0000
+@@ -6036,8 +6036,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-index-usage
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-index-usage 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-index-usage 2014-02-16 23:14:22.000000000 +0000
+@@ -7365,8 +7365,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-kill
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-kill 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-kill 2014-02-16 23:14:22.000000000 +0000
+@@ -7643,8 +7643,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-online-schema-change
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-online-schema-change 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-online-schema-change 2014-02-16 23:14:22.000000000 +0000
+@@ -11315,8 +11315,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-query-digest
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-query-digest 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-query-digest 2014-02-16 23:14:22.000000000 +0000
+@@ -16285,8 +16285,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-slave-delay
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-slave-delay 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-slave-delay 2014-02-16 23:14:22.000000000 +0000
+@@ -4715,8 +4715,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-slave-restart
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-slave-restart 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-slave-restart 2014-02-16 23:14:22.000000000 +0000
+@@ -5655,8 +5655,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-table-checksum
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-table-checksum 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-table-checksum 2014-02-16 23:14:22.000000000 +0000
+@@ -12331,8 +12331,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-table-sync
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-table-sync 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-table-sync 2014-02-16 23:14:22.000000000 +0000
+@@ -12518,8 +12518,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-upgrade
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-upgrade 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-upgrade 2014-02-16 23:14:22.000000000 +0000
+@@ -11020,8 +11020,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
+Index: percona-toolkit-2.2.6/bin/pt-variable-advisor
+===================================================================
+--- percona-toolkit-2.2.6.orig/bin/pt-variable-advisor 2013-12-20 03:10:55.000000000 +0000
++++ percona-toolkit-2.2.6/bin/pt-variable-advisor 2014-02-16 23:14:22.000000000 +0000
+@@ -5985,8 +5985,6 @@ Show version and exit.
+
+ =item --[no]version-check
+
+-default: yes
+-
+ Check for the latest version of Percona Toolkit, MySQL, and other programs.
+
+ This is a standard "check for updates automatically" feature, with two
diff --git a/percona-toolkit.changes b/percona-toolkit.changes
index e557cdc..3443b1f 100644
--- a/percona-toolkit.changes
+++ b/percona-toolkit.changes
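Review bot: After `default: yes` is removed, the POD left under `=item --[no]version-check` in all 18 tools still opens with `This is a standard "check for updates automatically" feature`, so the man pages no longer tell the reader that this package ships the check disabled. A sentence in the description text would cover it, e.g. `This package disables the check by default; pass --version-check to enable it.`; it presumably has to stay out of the first paragraph after `=item`, since the patch header says the doc is parsed into the Getopt::Long spec, and the spec file's %check would confirm that. The patch header should also state plainly that this is a default-only mitigation: the behaviour described for bnc#864194 is unchanged once the option is enabled on the command line or in a configuration file. Each inner hunk shows only the start of the POD entry, so the exact placement needs checking against the full text.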
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Sun Feb 16 23:57:34 UTC 2014 - andreas.stieger@gmx.de + +- disable automatic version check for all tools [bnc#864194] + Prevents transmission of version information to an external host + in the default configuration. + Can be used by owner of a Percona Server (or an attacker who can + control this destination for the client) to collect arbitrary + MySQL configuration parameters and execute commands (with -v). + Now the version check needs to be requested via command line or + global/tool specific/user configuration. (--version-check) +- added /etc/percona-toolkit/percona-toolkit.conf configuration + directory and template configuration file +- added patches: + * percona-toolkit-2.2.x-disable-default-version-check.patch + ------------------------------------------------------------------- Fri Dec 27 21:35:21 UTC 2013 - andreas.stieger@gmx.de diff --git a/percona-toolkit.conf b/percona-toolkit.conf new file mode 100644 index 0000000..a45d0d3 --- /dev/null +++ b/percona-toolkit.conf @@ -0,0 +1,13 @@ +## Default configuration for all Percona Toolkit tools in the +## openSUSE package +## +## For syntax see http://www.percona.com/doc/percona-toolkit/2.2/configuration_files.html +## +## The configuration files are read in order: +## 1. /etc/percona-toolkit/percona-toolkit.conf +## 2. /etc/percona-toolkit/NAME.conf, where NAME is the name of the tool +## 3. ~/.percona-toolkit.conf +## 4. ~/.NAME.conf, where NAME is the name of the tool +# + + diff --git a/percona-toolkit.spec b/percona-toolkit.spec index ee91703..0ef8e62 100644 --- a/percona-toolkit.spec +++ b/percona-toolkit.spec 
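Review bot: The new percona-toolkit.conf template lists the four configuration files and their read order but says nothing about the one setting this commit is about. The patch description states that not all tools support the version check and that a global default would make those tools throw warnings, so the template should warn against enabling it here, e.g. `## Do not enable version-check in this file: tools without that option warn on it; use /etc/percona-toolkit/NAME.conf instead.` It would also help to add a line saying that the openSUSE package ships with the version check off (bnc#864194), so an administrator reading only this file knows the packaged default.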
@@ -1,7 +1,7 @@ # # spec file for package percona-toolkit # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,8 @@ Version: 2.2.6 Release: 0 Url: https://www.percona.com/software/percona-toolkit/ Source: https://www.percona.com/redir/downloads/%{name}/%{version}/%{name}-%{version}.tar.gz +Source2: %name.conf +Patch0: percona-toolkit-2.2.x-disable-default-version-check.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} < 1140 Requires: perl = %{perl_version} @@ -57,6 +59,7 @@ This collection was formerly known as Maatkit. %prep %setup -q +%patch0 -p1 %build %{__perl} Makefile.PL INSTALLDIRS=vendor < /dev/null @@ -66,17 +69,29 @@ make %{?_smp_mflags} %perl_make_install %perl_process_packlist %if 0%{?suse_version} < 1130 -%__rm -rf $RPM_BUILD_ROOT%perl_vendorarch/auto/%{name} -%__rm -rf $RPM_BUILD_ROOT/var/adm/perl-modules/%{name} +%__rm -rf %buildroot/%perl_vendorarch/auto/%{name} +%__rm -rf %buildroot/var/adm/perl-modules/%{name} %endif +# a blank configuration file +%__mkdir -p %buildroot/etc/%name +%__cp %{S:2} %buildroot/etc/%name/ -%clean -rm -rf $RPM_BUILD_ROOT +%check +# check that --version-check is off bnc#864194 +for PTCMD in %buildroot/%{_bindir}/pt-* +do + $PTCMD --help 2>&1 | + grep "\--version-check" || continue # skip tools that don't support version checks + $PTCMD --help 2>&1 | + grep "\--version-check.*FALSE" # fail those that don't have it disabled +done %files %defattr(-,root,root,-) %doc COPYING README Changelog +%dir /etc/%name %{_bindir}/pt* %{_mandir}/man1/*.1* +%config /etc/%name/%name.conf %changelog
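Review bot: The %check loop fails open: `$PTCMD --help 2>&1 | grep "\--version-check" || continue` skips any tool whose --help output lacks the string, so a tool that cannot start in the build root is treated the same as one that has no such option. Deciding support from the installed script's own POD and then requiring the FALSE line keeps the bnc#864194 guard effective, and the failure of the second grep should be made explicit with `|| exit 1` rather than left to the build shell's errexit setting. `\-` is not a defined escape in a basic regular expression, so `grep -e '--version-check'` is the safer spelling. Separately, `%config /etc/%name/%name.conf` could be `%config(noreplace)` so that a package update does not replace an administrator's edited defaults.

```spec
%check
# check that --version-check is off bnc#864194
for PTCMD in %buildroot/%{_bindir}/pt-*
do
    # decide support from the script's POD, not from whether --help happened to run
    grep -q -e '=item --\[no\]version-check' "$PTCMD" || continue
    # a tool that cannot run, or that still defaults to on, fails the build
    "$PTCMD" --help 2>&1 | grep -e '--version-check.*FALSE' || exit 1
done
```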