Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch vitess for CVE-2026-27969, CVE-2026-27965 [CRITICAL] - branch main" #16154

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 5 people

SPECS/vitess/CVE-2026-27965.patch

@@ -0,0 +1,285 @@
+From 4c0173293907af9cb942a6683c465c3f1e9fdb5c Mon Sep 17 00:00:00 2001
+From: Tim Vaillancourt <tim@timvaillancourt.com>
+Date: Tue, 24 Feb 2026 20:21:37 +0100
+Subject: [PATCH] Restore: make loading compressor commands from `MANIFEST`
+ opt-in (#19460)
+
+Signed-off-by: Tim Vaillancourt <tim@timvaillancourt.com>
+Co-authored-by: Mohamed Hamza <mhamza@fastmail.com>
+
+Upstream Patch reference: https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c.patch
+---
+ go/flags/endtoend/vtbackup.txt                |  1 +
+ go/flags/endtoend/vttablet.txt                |  1 +
+ go/flags/endtoend/vttestserver.txt            |  1 +
+ .../backup/vtctlbackup/backup_test.go         |  1 +
+ .../backup/vtctlbackup/backup_utils.go        |  4 +
+ .../backup/xtrabackup/xtrabackup_test.go      |  1 +
+ go/vt/mysqlctl/builtinbackupengine.go         |  5 +-
+ go/vt/mysqlctl/compression.go                 | 18 +++-
+ .../compression_external_decompressor_test.go | 93 +++++++++++++++++++
+ go/vt/mysqlctl/xtrabackupengine.go            |  5 +-
+ 10 files changed, 121 insertions(+), 9 deletions(-)
+ create mode 100644 go/vt/mysqlctl/compression_external_decompressor_test.go
+
+diff --git a/go/flags/endtoend/vtbackup.txt b/go/flags/endtoend/vtbackup.txt
+index e979381..2895154 100644
+--- a/go/flags/endtoend/vtbackup.txt
++++ b/go/flags/endtoend/vtbackup.txt
+@@ -79,6 +79,7 @@ Usage of vtbackup:
+       --emit_stats                                                  If set, emit stats to push-based monitoring and stats backends
+       --external-compressor string                                  command with arguments to use when compressing a backup.
+       --external-compressor-extension string                        extension to use when using an external compressor.
++      --external-decompressor-use-manifest                          allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --external-decompressor string                                command with arguments to use when decompressing a backup.
+       --file_backup_storage_root string                             Root directory for the file backup storage.
+       --gcs_backup_storage_bucket string                            Google Cloud Storage bucket to use for backups.
+diff --git a/go/flags/endtoend/vttablet.txt b/go/flags/endtoend/vttablet.txt
+index f431979..0d4c39f 100644
+--- a/go/flags/endtoend/vttablet.txt
++++ b/go/flags/endtoend/vttablet.txt
+@@ -117,6 +117,7 @@ Usage of vttablet:
+       --external-compressor string                                       command with arguments to use when compressing a backup.
+       --external-compressor-extension string                             extension to use when using an external compressor.
+       --external-decompressor string                                     command with arguments to use when decompressing a backup.
++      --external-decompressor-use-manifest                               allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --file_backup_storage_root string                                  Root directory for the file backup storage.
+       --filecustomrules string                                           file based custom rule path
+       --filecustomrules_watch                                            set up a watch on the target file and reload query rules when it changes
+diff --git a/go/flags/endtoend/vttestserver.txt b/go/flags/endtoend/vttestserver.txt
+index 668e31f..cdcba7a 100644
+--- a/go/flags/endtoend/vttestserver.txt
++++ b/go/flags/endtoend/vttestserver.txt
+@@ -33,6 +33,7 @@ Usage of vttestserver:
+       --external-compressor string                                       command with arguments to use when compressing a backup.
+       --external-compressor-extension string                             extension to use when using an external compressor.
+       --external-decompressor string                                     command with arguments to use when decompressing a backup.
++      --external-decompressor-use-manifest                               allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --external_topo_global_root string                                 the path of the global topology data in the global topology server for vtcombo process
+       --external_topo_global_server_address string                       the address of the global topology server for vtcombo process
+       --external_topo_implementation string                              the topology implementation to use for vtcombo process
+diff --git a/go/test/endtoend/backup/vtctlbackup/backup_test.go b/go/test/endtoend/backup/vtctlbackup/backup_test.go
+index 92c7a2f..154f2d1 100644
+--- a/go/test/endtoend/backup/vtctlbackup/backup_test.go
++++ b/go/test/endtoend/backup/vtctlbackup/backup_test.go
+@@ -57,6 +57,7 @@ func TestBuiltinBackupWithExternalZstdCompressionAndManifestedDecompressor(t *te
+ 		CompressorEngineName:            "external",
+ 		ExternalCompressorCmd:           "zstd",
+ 		ExternalCompressorExt:           ".zst",
++		ExternalDecompressorUseManifest: true,
+ 		ManifestExternalDecompressorCmd: "zstd -d",
+ 	}
+ 
+diff --git a/go/test/endtoend/backup/vtctlbackup/backup_utils.go b/go/test/endtoend/backup/vtctlbackup/backup_utils.go
+index d93b932..78a0e57 100644
+--- a/go/test/endtoend/backup/vtctlbackup/backup_utils.go
++++ b/go/test/endtoend/backup/vtctlbackup/backup_utils.go
+@@ -95,6 +95,7 @@ type CompressionDetails struct {
+ 	ExternalCompressorCmd           string
+ 	ExternalCompressorExt           string
+ 	ExternalDecompressorCmd         string
++	ExternalDecompressorUseManifest bool
+ 	ManifestExternalDecompressorCmd string
+ }
+ 
+@@ -263,6 +264,9 @@ func getCompressorArgs(cDetails *CompressionDetails) []string {
+ 	if cDetails.ExternalDecompressorCmd != "" {
+ 		args = append(args, fmt.Sprintf("--external-decompressor=%s", cDetails.ExternalDecompressorCmd))
+ 	}
++	if cDetails.ExternalDecompressorUseManifest {
++		args = append(args, "--external-decompressor-use-manifest")
++	}
+ 	if cDetails.ManifestExternalDecompressorCmd != "" {
+ 		args = append(args, fmt.Sprintf("--manifest-external-decompressor=%s", cDetails.ManifestExternalDecompressorCmd))
+ 	}
+diff --git a/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go b/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
+index 3402a17..e18f229 100644
+--- a/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
++++ b/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
+@@ -59,6 +59,7 @@ func TestXtrabackupWithExternalZstdCompressionAndManifestedDecompressor(t *testi
+ 		CompressorEngineName:            "external",
+ 		ExternalCompressorCmd:           "zstd",
+ 		ExternalCompressorExt:           ".zst",
++		ExternalDecompressorUseManifest: true,
+ 		ManifestExternalDecompressorCmd: "zstd -d",
+ 	}
+ 
+diff --git a/go/vt/mysqlctl/builtinbackupengine.go b/go/vt/mysqlctl/builtinbackupengine.go
+index 8fac602..1106a65 100644
+--- a/go/vt/mysqlctl/builtinbackupengine.go
++++ b/go/vt/mysqlctl/builtinbackupengine.go
+@@ -1020,10 +1020,7 @@ func (be *BuiltinBackupEngine) restoreFile(ctx context.Context, params RestorePa
+ 			// for backward compatibility
+ 			deCompressionEngine = PgzipCompressor
+ 		}
+-		externalDecompressorCmd := ExternalDecompressorCmd
+-		if externalDecompressorCmd == "" && bm.ExternalDecompressor != "" {
+-			externalDecompressorCmd = bm.ExternalDecompressor
+-		}
++		externalDecompressorCmd := resolveExternalDecompressor(bm.ExternalDecompressor)
+ 		if externalDecompressorCmd != "" {
+ 			if deCompressionEngine == ExternalCompressor {
+ 				deCompressionEngine = externalDecompressorCmd
+diff --git a/go/vt/mysqlctl/compression.go b/go/vt/mysqlctl/compression.go
+index c2d3cbb..5737b70 100644
+--- a/go/vt/mysqlctl/compression.go
++++ b/go/vt/mysqlctl/compression.go
+@@ -52,9 +52,10 @@ var (
+ 	ExternalCompressorCmd           string
+ 	ExternalCompressorExt           string
+ 	ExternalDecompressorCmd         string
++	ExternalDecompressorUseManifest bool
+ 	ManifestExternalDecompressorCmd string
+ 
+-	errUnsupportedDeCompressionEngine = errors.New("unsupported engine in MANIFEST. You need to provide --external-decompressor if using 'external' compression engine")
++	errUnsupportedDeCompressionEngine = errors.New("unsupported engine in MANIFEST. You need to provide --external-decompressor if using 'external' compression engine. Alternatively, set --external-decompressor-use-manifest to use the decompressor command from the backup manifest, but this is NOT RECOMMENDED as it is a security risk")
+ 	errUnsupportedCompressionEngine   = errors.New("unsupported engine value for --compression-engine-name. supported values are 'external', 'pgzip', 'pargzip', 'zstd', 'lz4'")
+ 
+ 	// this is used by getEngineFromExtension() to figure out which engine to use in case the user didn't specify
+@@ -77,6 +78,7 @@ func registerBackupCompressionFlags(fs *pflag.FlagSet) {
+ 	fs.StringVar(&ExternalCompressorCmd, "external-compressor", ExternalCompressorCmd, "command with arguments to use when compressing a backup.")
+ 	fs.StringVar(&ExternalCompressorExt, "external-compressor-extension", ExternalCompressorExt, "extension to use when using an external compressor.")
+ 	fs.StringVar(&ExternalDecompressorCmd, "external-decompressor", ExternalDecompressorCmd, "command with arguments to use when decompressing a backup.")
++	fs.BoolVar(&ExternalDecompressorUseManifest, "external-decompressor-use-manifest", ExternalDecompressorUseManifest, "allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.")
+ 	fs.StringVar(&ManifestExternalDecompressorCmd, "manifest-external-decompressor", ManifestExternalDecompressorCmd, "command with arguments to store in the backup manifest when compressing a backup with an external compression engine.")
+ }
+ 
+@@ -91,6 +93,20 @@ func getExtensionFromEngine(engine string) (string, error) {
+ 	return "", fmt.Errorf("%w %q", errUnsupportedCompressionEngine, engine)
+ }
+ 
++// resolveExternalDecompressor returns the external decompressor command to use
++// at restore time. The CLI flag (--external-decompressor) takes precedence. The
++// backup manifest value is only used when --external-decompressor-use-manifest
++// is explicitly set to true.
++func resolveExternalDecompressor(manifestDecompressor string) string {
++	if ExternalDecompressorCmd != "" {
++		return ExternalDecompressorCmd
++	}
++	if ExternalDecompressorUseManifest && manifestDecompressor != "" {
++		return manifestDecompressor
++	}
++	return ""
++}
++
+ // Validates if the external decompressor exists and return its path.
+ func validateExternalCmd(cmd string) (string, error) {
+ 	if cmd == "" {
+diff --git a/go/vt/mysqlctl/compression_external_decompressor_test.go b/go/vt/mysqlctl/compression_external_decompressor_test.go
+new file mode 100644
+index 0000000..fd4732a
+--- /dev/null
++++ b/go/vt/mysqlctl/compression_external_decompressor_test.go
+@@ -0,0 +1,93 @@
++/*
++Copyright 2026 The Vitess Authors.
++
++Licensed under the Apache License, Version 2.0 (the "License");
++you may not use this file except in compliance with the License.
++You may obtain a copy of the License at
++
++	http://www.apache.org/licenses/LICENSE-2.0
++
++Unless required by applicable law or agreed to in writing, software
++distributed under the License is distributed on an "AS IS" BASIS,
++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++See the License for the specific language governing permissions and
++limitations under the License.
++*/
++
++package mysqlctl
++
++import (
++	"testing"
++
++	"github.com/stretchr/testify/assert"
++)
++
++func TestResolveExternalDecompressor(t *testing.T) {
++	tests := []struct {
++		name                 string
++		cliDecompressorCmd   string
++		useManifest          bool
++		manifestDecompressor string
++		expected             string
++	}{
++		{
++			name:                 "CLI flag takes precedence over manifest",
++			cliDecompressorCmd:   "zstd -d",
++			useManifest:          true,
++			manifestDecompressor: "gzip -d",
++			expected:             "zstd -d",
++		},
++		{
++			name:                 "CLI flag takes precedence even when use-manifest is false",
++			cliDecompressorCmd:   "zstd -d",
++			useManifest:          false,
++			manifestDecompressor: "gzip -d",
++			expected:             "zstd -d",
++		},
++		{
++			name:                 "manifest used when use-manifest is true and no CLI flag",
++			cliDecompressorCmd:   "",
++			useManifest:          true,
++			manifestDecompressor: "gzip -d",
++			expected:             "gzip -d",
++		},
++		{
++			name:                 "manifest ignored when use-manifest is false",
++			cliDecompressorCmd:   "",
++			useManifest:          false,
++			manifestDecompressor: "gzip -d",
++			expected:             "",
++		},
++		{
++			name:                 "empty when nothing is set",
++			cliDecompressorCmd:   "",
++			useManifest:          false,
++			manifestDecompressor: "",
++			expected:             "",
++		},
++		{
++			name:                 "empty when use-manifest is true but manifest is empty",
++			cliDecompressorCmd:   "",
++			useManifest:          true,
++			manifestDecompressor: "",
++			expected:             "",
++		},
++	}
++
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			origCmd := ExternalDecompressorCmd
++			origAllow := ExternalDecompressorUseManifest
++			t.Cleanup(func() {
++				ExternalDecompressorCmd = origCmd
++				ExternalDecompressorUseManifest = origAllow
++			})
++
++			ExternalDecompressorCmd = tt.cliDecompressorCmd
++			ExternalDecompressorUseManifest = tt.useManifest
++
++			result := resolveExternalDecompressor(tt.manifestDecompressor)
++			assert.Equal(t, tt.expected, result)
++		})
++	}
++}
+diff --git a/go/vt/mysqlctl/xtrabackupengine.go b/go/vt/mysqlctl/xtrabackupengine.go
+index 6b3d04c..5976a93 100644
+--- a/go/vt/mysqlctl/xtrabackupengine.go
++++ b/go/vt/mysqlctl/xtrabackupengine.go
+@@ -637,10 +637,7 @@ func (be *XtrabackupEngine) extractFiles(ctx context.Context, logger logutil.Log
+ 				// then we assign the default value of compressionEngine.
+ 				deCompressionEngine = PgzipCompressor
+ 			}
+-			externalDecompressorCmd := ExternalDecompressorCmd
+-			if externalDecompressorCmd == "" && bm.ExternalDecompressor != "" {
+-				externalDecompressorCmd = bm.ExternalDecompressor
+-			}
++			externalDecompressorCmd := resolveExternalDecompressor(bm.ExternalDecompressor)
+ 			if externalDecompressorCmd != "" {
+ 				if deCompressionEngine == ExternalCompressor {
+ 					deCompressionEngine = externalDecompressorCmd
+-- 
+2.43.0
+