Headline
CVE-2020-29050: CVE-2020-29050
SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx.
Name
CVE-2020-29050
Description
SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows direct …
Source
CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References
DSA-5036-1
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| sphinxsearch (PTS) | stretch | 2.2.11-1.1 | vulnerable |
| | buster | 2.2.11-2 | vulnerable |
| | buster (security) | 2.2.11-2+deb10u1 | fixed |
| | bookworm, sid | 2.2.11-8 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sphinxsearch | source | buster | 2.2.11-2+deb10u1 | | DSA-5036-1 | |
| sphinxsearch | source | (unstable) | 2.2.11-3 | | | |
Notes
Backported for sphinxsearch from: https://github.com/manticoresoftware/manticoresearch/commit/66b5761ad258c60b1866a8e1333f86e74f48035
and https://github.com/manticoresoftware/manticoresearch/commit/6e597ff61e1e910559f6ed541ff32520085af6aa
Backported patch: https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch