mariadb is vulnerable to CVE-2021-27928 (RCE)

  • Done
Details
4 participants
  • Julien Lepiller
  • Léo Le Bouter
  • Mark H Weaver
  • zimoun
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 19 Mar 2021 11:25
(address . bug-guix@gnu.org)
7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net
CVE-2021-27928 04:15
A remote code execution issue was discovered in MariaDB 10.2 before
10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
2021-03-03 for MySQL. An untrusted search path leads to eval injection,
in which a database SUPER user can execute OS commands after modifying
wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
Oracle product.

From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
fixes it for us since we package 10.5.8 currently.

However:

$ ./pre-inst-env guix refresh -l mariadb
Building the following 552 packages would ensure 1047 dependent
packages are rebuilt:
[..]

Is it possible to graft mariadb you think? I am thinking this issue
doesn't need updating of the "lib" output which is what's causing the
high number of dependents AIUI. I am not sure we could actually update
individual outputs right now though. Might be a good idea to split the
packages for the future.

Léo
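A defender's triage for the advisory quoted in the message above, as an added example that is not part of the original thread: it decides from a version string whether a MariaDB server predates the fix, and flags statements that try to assign `wsrep_provider` or `wsrep_notify_cmd`. The function names and the log layout (statement text after a `Query` column) are assumptions; the sample lines are constructed from statements that appear in the test files of the patch on this page.

```python
import re

# First fixed patch release of each MariaDB series named in the CVE text above.
# Percona Server and the wsrep patch for MySQL are given by date there, not by
# version, so they are outside what this check can decide.
FIXED_PATCH = {(10, 2): 37, (10, 3): 28, (10, 4): 18, (10, 5): 9}
WATCHED = ("wsrep_provider", "wsrep_notify_cmd")

# MariaDB 10.x prefixes the handshake version with "5.5.5-"; tolerate it.
_VERSION = re.compile(r"^(?:5\.5\.5-)?(\d+)\.(\d+)\.(\d+)")

# String literals and /* */ comments are blanked before matching, so that a
# variable name inside a literal is ignored and "SET/**/GLOBAL" is still seen.
_SQ = r"'(?:[^'\\]|\\.|'')*'"
_DQ = r'"(?:[^"\\]|\\.|"")*"'
_NOISE = re.compile("(%s|%s)|/\\*.*?\\*/" % (_SQ, _DQ), re.S)

# An assignment target: the watched name followed by = or :=.  Requiring the
# operator right after the name keeps wsrep_provider_options from matching;
# the lookbehinds skip user variables (@name) but accept @@name.
_TARGET = re.compile(
    r"(?:(?<![\w$@])|(?<=@@))(%s)\s*:?=" % "|".join(WATCHED), re.I)


def affected(version):
    """True if `version` predates the fix, False if it is fixed, and None if
    its release series is not one of those listed in the advisory."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch < fixed


def watched_assignments(sql):
    """Return the watched variables that SET statements in `sql` assign.

    Both variables are global-only, so any assignment is reported whatever
    scope keyword precedes it; on a fixed server the statement fails, but the
    attempt is still worth an alert.
    """
    text = _NOISE.sub(lambda m: "''" if m.group(1) else " ", sql)
    found = []
    for stmt in text.split(";"):
        if re.match(r"\s*SET\b", stmt, re.I):
            found += [m.group(1).lower() for m in _TARGET.finditer(stmt)]
    return found


def scan_log(lines):
    """Return (line_number, variable) for every attempt found in `lines`.

    Assumes the statement text follows a 'Query' column, as in the constructed
    sample below; adapt the split to the general or audit log format in use.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        _, sep, sql = line.partition("Query")
        if sep:
            hits += [(n, var) for var in watched_assignments(sql)]
    return hits


# Constructed log lines; the statements are taken from the test files above.
SAMPLE_LOG = [
    "12 Query\tSELECT @@global.wsrep_provider",
    "12 Query\tSET @wsrep_provider_global_saved = @@global.wsrep_provider",
    "12 Query\tSET GLOBAL wsrep_provider = 'none'",
    "13 Query\tSET @@global.wsrep_notify_cmd='command'",
    "13 Query\tSET @@global.wsrep_provider_options='name1=value1;name2=value2'",
    "14 Query\tset /* c */ global wsrep_cluster_address = '', "
    "WSREP_NOTIFY_CMD := 'notify_cmd'",
    "14 Query\tINSERT INTO t1 VALUES ('SET GLOBAL wsrep_provider = 1')",
]

if __name__ == "__main__":
    for v in ("10.5.8-MariaDB", "10.5.9-MariaDB-log", "5.5.5-10.4.17-MariaDB"):
        print(v, "affected" if affected(v) else "not affected")
    for lineno, var in scan_log(SAMPLE_LOG):
        print("line %d assigns %s" % (lineno, var))
```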


Léo Le Bouter wrote on 19 Mar 2021 11:30
(address . control@debbugs.gnu.org)
de686d52fe6693eb528cd372273e916ea66f9b2a.camel@zaclys.net
tags 47257 + security
quit


Julien Lepiller wrote on 19 Mar 2021 12:15
65A2F9EE-030F-4174-95B0-4A862188EA3D@lepiller.eu
You need to graft: when building a package, the output hash depends on the inputs, sources and instructions, so even if the content of the lib output does not change, its store path does, leading to a rebuild.

On 19 March 2021 06:25:31 GMT-04:00, "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org> wrote:
>CVE-2021-27928 04:15
>A remote code execution issue was discovered in MariaDB 10.2 before
>10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
>10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
>2021-03-03 for MySQL. An untrusted search path leads to eval injection,
>in which a database SUPER user can execute OS commands after modifying
>wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
>Oracle product.
>
>From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
>fixes it for us since we package 10.5.8 currently.
>
>However:
>
>$ ./pre-inst-env guix refresh -l mariadb
>Building the following 552 packages would ensure 1047 dependent
>packages are rebuilt:
>[..]
>
>Is it possible to graft mariadb you think? I am thinking this issue
>doesn't need updating of the "lib" output which is what's causing the
>high number of dependents AIUI. I am not sure we could actually update
>individual outputs right now though. Might be a good idea to split the
>packages for the future.
>
>Léo
Attachment: file
Léo Le Bouter wrote on 19 Mar 2021 12:35
[PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
(address . 47257@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210319113537.18290-2-lle-bout@zaclys.net
* gnu/packages/databases.scm (mariadb/fixed): New variable.
(mariadb)[replacement]: Graft.
---
gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 8be83f5cbe..6fdb22d7fb 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
(append (find-files "extra/wolfssl")
(find-files "zlib")))
#t))))
+ (replacement mariadb/fixed)
(build-system cmake-build-system)
(outputs '("out" "lib" "dev"))
(arguments
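Review bot: The `(replacement mariadb/fixed)` field added above `build-system` grafts the package as a whole, so every output on the `(outputs '("out" "lib" "dev"))` line below it is swapped in dependents, "lib" included. Because the second hunk points the replacement at a new upstream release rather than a targeted patch, the commit message should state that the "lib" output of the replacement was checked to be ABI-compatible with the one it replaces, or the graft should carry a patched build of the current version instead.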
@@ -969,6 +970,38 @@ Language.")
as a drop-in replacement of MySQL.")
(license license:gpl2)))
+(define mariadb/fixed
+ (package/inherit mariadb
+ (version "10.5.9")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://downloads.mariadb.com/MariaDB"
+ "/mariadb-" version "/source/mariadb-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "1kv8226ydyh4nyfx432dxqdkbry92c92bwlc33f1y56yp2p1kas0"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete bundled snappy and xz.
+ (delete-file-recursively "storage/tokudb/PerconaFT/third_party")
+ (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
+ ;; This file checks that the bundled sources are present and
+ ;; declares build procedures for them.
+ (("^include\\(TokuThirdParty\\)") ""))
+ (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
+ ;; Don't attempt to use the procedures we just removed.
+ ((" build_lzma build_snappy") ""))
+
+ ;; Preserve CMakeLists.txt for these.
+ (for-each (lambda (file)
+ (unless (string-suffix? "CMakeLists.txt" file)
+ (delete-file file)))
+ (append (find-files "extra/wolfssl")
+ (find-files "zlib")))
+ #t))))))
+
(define-public mariadb-connector-c
(package
(name "mariadb-connector-c")
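Review bot: `(package/inherit mariadb` on the second added line is the wrong form for a graft target. The first hunk gives mariadb a `replacement` of mariadb/fixed, and package/inherit applies the same overrides to the parent's replacement, so mariadb/fixed ends up with a replacement derived from itself; `(package (inherit mariadb) ...)` avoids that. The `snippet` is also a verbatim copy of the parent's (the context lines of the first hunk show the same tail), so inheriting the parent origin and overriding only `uri` and `sha256` would keep the two from drifting apart.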
--
2.31.0
Léo Le Bouter wrote on 19 Mar 2021 12:35
[PATCH 0/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
(address . 47257@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210319113537.18290-1-lle-bout@zaclys.net
I made a patch, please review and push if you think that's OK, I will otherwise
push it myself after some time.

The patch produces some test error, not sure if deterministic, looks related to
networking disabled in build sandboxes, log:

The servers were restarted 778 times
Spent 6689.041 of 234 seconds executing testcases

Failure: Failed 1/2711 tests, 99.96% were successful.

Failing test(s): main.system_mysql_db

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation

969 tests were skipped, 161 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 687.
mtr_report::mtr_error("there were failing test cases") called at lib/mtr_report.pm line 556
mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x19d75d0), ARRAY(0x1420d08)) called at /tmp/guix-build-mariadb-10.5.9.drv-0/mariadb-10.5.9/mysql-test/mysql-test-run.pl line 586
main::main() called at /tmp/guix-build-mariadb-10.5.9.drv-0/mariadb-10.5.9/mysql-test/mysql-test-run.pl line 387
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel" "48" "--skip-rpl" "--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed with exit code 1
@ build-failed /gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv - 1 builder for `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed with exit code 1
derivation '/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' offloaded to 'www.proxmox-2.schmilblick.org' failed: build of `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed
build of /gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv failed
View build log at '/var/log/guix/drvs/hk/1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv.bz2'.
guix build: error: build of `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed

Léo Le Bouter (1):
gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].

gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

--
2.31.0
zimoun wrote on 19 Mar 2021 12:35
Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
86r1kbl6kw.fsf@gmail.com
Hi,

On Fri, 19 Mar 2021 at 11:25, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Is it possible to graft mariadb you think? I am thinking this issue
> doesn't need updating of the "lib" output which is what's causing the
> high number of dependents AIUI. I am not sure we could actually update
> individual outputs right now though. Might be a good idea to split the
> packages for the future.

Instead of grafting, I would first check the compatibility between
mariadb and zstd, because mariadb@10.5.8 does not build with
zstd@1.4.9, at least on my machine.

Said otherwise, it seems better to me to do this fix as a whole on
core-updates without any graft, instead of grafting here and there; and
these are not necessarily small changes (zstd from 1.4.4 to 1.4.9,
mariadb from 10.5.8 to 10.5.8).

All the best,
simon
Mark H Weaver wrote on 20 Mar 2021 01:28
Re: bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87blbemzww.fsf@netris.org
Hi Léo,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> * gnu/packages/databases.scm (mariadb/fixed): New variable.
> (mariadb)[replacement]: Graft.
> ---
> gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
> 1 file changed, 33 insertions(+)
>
> diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
> index 8be83f5cbe..6fdb22d7fb 100644
> --- a/gnu/packages/databases.scm
> +++ b/gnu/packages/databases.scm
> @@ -734,6 +734,7 @@ Language.")
> (append (find-files "extra/wolfssl")
> (find-files "zlib")))
> #t))))
> + (replacement mariadb/fixed)
> (build-system cmake-build-system)
> (outputs '("out" "lib" "dev"))
> (arguments
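Review bot: The added `(replacement mariadb/fixed)` line carries no comment saying why the graft exists. A one-line comment above it naming CVE-2021-27928 would tell whoever next updates mariadb on core-updates that the replacement can be dropped once the fixed release is the main package.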
> @@ -969,6 +970,38 @@ Language.")
> as a drop-in replacement of MySQL.")
> (license license:gpl2)))
>
> +(define mariadb/fixed
> + (package/inherit mariadb

Please don't use 'package/inherit' when the package you're defining is a
replacement to the package you're inheriting from. It creates a package
object with an infinite chain of grafts. I guess that the infinite
chain gets truncated somewhere in the grafting machinery, but I seem to
recall that this kind of thing has caused real problems in the past.

'package/inherit' is usually the right thing when defining other kinds
of package variants, however.

Thanks again for all of your recent work on improving our security. It
is a great help.

Regards,
Mark
Mark H Weaver wrote on 20 Mar 2021 01:42
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47257@debbugs.gnu.org)
878s6imz8r.fsf@netris.org
Mark H Weaver <mhw@netris.org> writes:
> 'package/inherit' is usually the right thing when defining other kinds
> of package variants, however.

One addendum to this guideline: if the package variant you're defining
overrides the 'source' field[*], it's probably pointless to use
'package/inherit', because the fixes embodied in the original package's
replacement would most likely be lost anyway.

[*] One exception is if the overridden 'source' field merely adds some
additional patches to the original package, while taking care to
preserve any existing patches -- that last part is important, even if
the original package doesn't include any patches at the time you look.
In that case, 'package/inherit' might well be helpful.

More generally, when inheriting from another package, it's useful to ask
yourself what should happen if the package you're inheriting from is
later grafted, and to try to arrange for that to happen automatically.

Thanks,
Mark
Léo Le Bouter wrote on 25 Mar 2021 11:58
[PATCH v2] gnu: mariadb: Fix CVE-2021-27928.
(address . 47257@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210325105815.5411-1-lle-bout@zaclys.net
* gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch.
(mariadb)[replacement]: Graft.
---
gnu/local.mk | 1 +
gnu/packages/databases.scm | 34 +
.../patches/mariadb-CVE-2021-27928.patch | 629 ++++++++++++++++++
3 files changed, 664 insertions(+)
create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 14d228cfa4..40956598db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1380,6 +1380,7 @@ dist_patch_DATA = \
%D%/packages/patches/lvm2-static-link.patch \
%D%/packages/patches/mailutils-fix-uninitialized-variable.patch \
%D%/packages/patches/make-impure-dirs.patch \
+ %D%/packages/patches/mariadb-CVE-2021-27928.patch \
%D%/packages/patches/mars-install.patch \
%D%/packages/patches/mars-sfml-2.3.patch \
%D%/packages/patches/maxima-defsystem-mkdir.patch \
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 83b6a13892..75edf3fd08 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
(append (find-files "extra/wolfssl")
(find-files "zlib")))
#t))))
+ (replacement mariadb/fixed)
(build-system cmake-build-system)
(outputs '("out" "lib" "dev"))
(arguments
@@ -969,6 +970,39 @@ Language.")
as a drop-in replacement of MySQL.")
(license license:gpl2)))
+(define-public mariadb/fixed
+ (package
+ (inherit mariadb)
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://downloads.mariadb.com/MariaDB"
+ "/mariadb-" version "/source/mariadb-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "1s3vfm73911cddjhgpcbkya6nz7ag2zygg56qqzwscn5ybv28j7b"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete bundled snappy and xz.
+ (delete-file-recursively "storage/tokudb/PerconaFT/third_party")
+ (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
+ ;; This file checks that the bundled sources are present and
+ ;; declares build procedures for them.
+ (("^include\\(TokuThirdParty\\)") ""))
+ (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
+ ;; Don't attempt to use the procedures we just removed.
+ ((" build_lzma build_snappy") ""))
+
+ ;; Preserve CMakeLists.txt for these.
+ (for-each (lambda (file)
+ (unless (string-suffix? "CMakeLists.txt" file)
+ (delete-file file)))
+ (append (find-files "extra/wolfssl")
+ (find-files "zlib")))
+ #t))
+ (patches (search-patches "mariadb-CVE-2021-27928.patch"))))))
+
(define-public mariadb-connector-c
(package
(name "mariadb-connector-c")
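Review bot: `(define-public mariadb/fixed` on the first added line exports the graft target, and since the definition sets neither `name` nor `version`, it is published under the same name and version as mariadb, so a lookup by name can resolve to either package. A private `(define mariadb/fixed ...)` is enough for the `replacement` field to refer to it. The origin also repeats the parent's `uri`, `sha256` and `snippet` only to add the final `patches` line; `(inherit (package-source mariadb))` with just the `patches` field would say the same thing without the copy.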
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
new file mode 100644
index 0000000000..eea18431cf
--- /dev/null
+++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
@@ -0,0 +1,629 @@
+From ce3a2a688db556d8d077a409fd9bf5cc013d13dd Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 18 Feb 2021 14:20:48 +0100
+Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only
+
+this should simplify run-time cluster management
+---
+ mysql-test/suite/galera/disabled.def | 2 +
+ .../galera/include/galera_load_provider.inc | 1 -
+ .../galera/include/galera_unload_provider.inc | 3 +-
+ .../suite/galera/r/galera_ist_rsync.result | 2 +-
+ .../galera/r/galera_sst_mysqldump.result | 2 +-
+ .../suite/galera/r/mysql-wsrep#33.result | 2 +-
+ .../suite/sys_vars/r/sysvars_wsrep.result | 4 +-
+ .../sys_vars/r/wsrep_notify_cmd_basic.result | 47 -----------------
+ .../sys_vars/r/wsrep_provider_basic.result | 40 ---------------
+ .../r/wsrep_provider_options_basic.result | 49 ------------------
+ .../sys_vars/t/wsrep_notify_cmd_basic.test | 43 ----------------
+ .../sys_vars/t/wsrep_provider_basic.test | 39 --------------
+ .../t/wsrep_provider_options_basic.test | 51 -------------------
+ mysql-test/suite/wsrep/disabled.def | 2 +
+ mysql-test/suite/wsrep/r/variables.result | 12 ++---
+ mysql-test/suite/wsrep/t/variables.test | 34 +++----------
+ sql/sys_vars.cc | 4 +-
+ 17 files changed, 24 insertions(+), 313 deletions(-)
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+
+diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def
+index 7fe03a9422013..a063e17d46533 100644
+--- a/mysql-test/suite/galera/disabled.def
++++ b/mysql-test/suite/galera/disabled.def
+@@ -30,3 +30,5 @@ partition : MDEV-19958 Galera test failure on galera.partition
+ query_cache: MDEV-15805 Test failure on galera.query_cache
+ sql_log_bin : MDEV-21491 galera.sql_log_bin
+ versioning_trx_id: MDEV-18590: galera.versioning_trx_id: Test failure: mysqltest: Result content mismatch
++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons
++pxc-421: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc
+index aeab7e6ea199f..e6ce6411193c2 100644
+--- a/mysql-test/suite/galera/include/galera_load_provider.inc
++++ b/mysql-test/suite/galera/include/galera_load_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Loading wsrep provider ...
+
+ --disable_query_log
+---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig';
+ --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig';
+ --enable_query_log
+
+diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc
+index edc7eb31e0e21..83438a947f03e 100644
+--- a/mysql-test/suite/galera/include/galera_unload_provider.inc
++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Unloading wsrep provider ...
+
+ --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address`
+---let $wsrep_provider_orig = `SELECT @@wsrep_provider`
+ --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options`
+
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
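Review bot: In galera_unload_provider.inc the `--echo Unloading wsrep provider ...` line is kept although the include now only runs `SET GLOBAL wsrep_cluster_address = '';` and no longer sets wsrep_provider to 'none', so the recorded test output names a step that no longer happens. Rewording the echo, together with the matching line in the .result files touched below, to say that the cluster address is being cleared would keep the logs honest.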
+diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result
+index 8a7c02ab1b6d9..80a28d349baed 100644
+--- a/mysql-test/suite/galera/r/galera_ist_rsync.result
++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result
+@@ -21,7 +21,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+index 5c530c32ce695..6bdc933a9fca7 100644
+--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result
++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+index 6a5251204b9bb..4cc49c0cf0790 100644
+--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result
++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+index e54afd2d64a24..67e1540531311 100644
+--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+@@ -349,7 +349,7 @@ NUMERIC_MIN_VALUE NULL
+ NUMERIC_MAX_VALUE NULL
+ NUMERIC_BLOCK_SIZE NULL
+ ENUM_VALUE_LIST NULL
+-READ_ONLY NO
++READ_ONLY YES
+ COMMAND_LINE_ARGUMENT REQUIRED
+ VARIABLE_NAME WSREP_ON
+ SESSION_VALUE OFF
+@@ -405,7 +405,7 @@ NUMERIC_MIN_VALUE NULL
+ NUMERIC_MAX_VALUE NULL
+ NUMERIC_BLOCK_SIZE NULL
+ ENUM_VALUE_LIST NULL
+-READ_ONLY NO
++READ_ONLY YES
+ COMMAND_LINE_ARGUMENT REQUIRED
+ VARIABLE_NAME WSREP_PROVIDER_OPTIONS
+ SESSION_VALUE NULL
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+deleted file mode 100644
+index 056ff8c817b0f..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
++++ /dev/null
+@@ -1,47 +0,0 @@
+-#
+-# wsrep_notify_cmd
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-# default
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-
+-# scope
+-SELECT @@session.wsrep_notify_cmd;
+-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-notify_cmd
+-
+-# valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-command
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-hyphenated-command
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# invalid values
+-SET @@global.wsrep_notify_cmd=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd'
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+deleted file mode 100644
+index 3e4ac8ca88362..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
++++ /dev/null
+@@ -1,40 +0,0 @@
+-#
+-# wsrep_provider
+-#
+-# save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-# default
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# scope
+-SELECT @@session.wsrep_provider;
+-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# invalid values
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so'
+-SET @@global.wsrep_provider=NULL;
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-SET @@global.wsrep_provider=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+deleted file mode 100644
+index b2e07c55b38cf..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
++++ /dev/null
+@@ -1,49 +0,0 @@
+-#
+-# wsrep_provider_options
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-SET @@global.wsrep_provider = @@global.wsrep_provider;
+-# save the initial value
+-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options;
+-# default
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# scope
+-SELECT @@session.wsrep_provider_options;
+-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-option1
+-
+-# valid values
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-name1=value1;name2=value2
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-hyphenated-name:value
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# invalid values
+-SET @@global.wsrep_provider_options=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options'
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=NULL;
+-Got one of the listed errors
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+deleted file mode 100644
+index 6d1535ba1482d..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
++++ /dev/null
+@@ -1,43 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_notify_cmd
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-
+---echo # default
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_notify_cmd=1;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+deleted file mode 100644
+index 1190ab41bb053..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
++++ /dev/null
+@@ -1,39 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider
+---echo #
+-
+---echo # save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-
+---echo # default
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider=NULL;
+-SELECT @@global.wsrep_provider;
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider=1;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+deleted file mode 100644
+index d2ea32a063786..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
++++ /dev/null
+@@ -1,51 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider_options
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+-SET @@global.wsrep_provider = @@global.wsrep_provider;
+-
+---echo # save the initial value
+-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options;
+-
+---echo # default
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # valid values
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider_options=1;
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=NULL;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # restore the initial value
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved;
+-
+---echo # End of test
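Review bot: wsrep_provider_options_basic.test is deleted whole, although the patch subject makes only wsrep_provider and wsrep_notify_cmd read-only and the one statement in this file that writes either of them is `SET @@global.wsrep_provider = @@global.wsrep_provider;` near the top. It is worth checking whether removing just that statement (and its line in the .result file) lets the test pass, so that the coverage of wsrep_provider_options is not lost along with it.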
+diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def
+index 11577bfe8b007..3d204db694580 100644
+--- a/mysql-test/suite/wsrep/disabled.def
++++ b/mysql-test/suite/wsrep/disabled.def
+@@ -10,3 +10,5 @@
+ #
+ ##############################################################################
+
++
++mdev_6832: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result
+index 9ef1b3290afd6..8bb0b426380a1 100644
+--- a/mysql-test/suite/wsrep/r/variables.result
++++ b/mysql-test/suite/wsrep/r/variables.result
+@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON;
+ ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable a
This message was truncated. Download the full message here.
Julien Lepiller wrote on 25 Mar 2021 12:06
A7D522FD-4FCE-42D3-91BB-3F1C0DC1BD66@lepiller.eu
I think you can simplify the patch a bit by inheriting the source too:

(source
  (origin
    (inherit (package-source mariadb))
    (patches …)))

Otherwise, untested but looks good.
Attachment: file
L
Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
b9a61cca0f95239cb0b38fc4ef0988bd11b7777e.camel@zaclys.net
On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> Instead of grafting, I would first check the compatibility between
> mariadb and zstd, because mariadb@10.5.8 does not build with
> zstd@1.4.9, at least on my machine.

Can you post build logs and repro scenario? mariadb@10.5.8 built fine
for me on core-updates which has zstd@1.4.9.

> Said otherwise, it seems better to me to do this fix as a whole on
> core-updates without any graft, instead of grafting here and there; and
> these are not necessarily small changes (zstd from 1.4.4 to 1.4.9,
> mariadb from 10.5.8 to 10.5.8).

We can't patch security issues through core-updates, especially this
RCE.

> All the best,
> simon
Léo Le Bouter wrote on 25 Mar 2021 13:39
[PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
(address . 47257@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210325123921.9800-1-lle-bout@zaclys.net
* gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch.
(mariadb)[replacement]: Graft.
---
gnu/local.mk | 1 +
gnu/packages/databases.scm | 8 +
.../patches/mariadb-CVE-2021-27928.patch | 642 ++++++++++++++++++
3 files changed, 651 insertions(+)
create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 14d228cfa4..40956598db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1380,6 +1380,7 @@ dist_patch_DATA = \
%D%/packages/patches/lvm2-static-link.patch \
%D%/packages/patches/mailutils-fix-uninitialized-variable.patch \
%D%/packages/patches/make-impure-dirs.patch \
+ %D%/packages/patches/mariadb-CVE-2021-27928.patch \
%D%/packages/patches/mars-install.patch \
%D%/packages/patches/mars-sfml-2.3.patch \
%D%/packages/patches/maxima-defsystem-mkdir.patch \
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 83b6a13892..20069f9383 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
(append (find-files "extra/wolfssl")
(find-files "zlib")))
#t))))
+ (replacement mariadb/fixed)
(build-system cmake-build-system)
(outputs '("out" "lib" "dev"))
(arguments
@@ -969,6 +970,13 @@ Language.")
as a drop-in replacement of MySQL.")
(license license:gpl2)))
+(define mariadb/fixed
+ (package
+ (inherit mariadb)
+ (source (origin
+ (inherit (package-source mariadb))
+ (patches (search-patches "mariadb-CVE-2021-27928.patch"))))))
+
(define-public mariadb-connector-c
(package
(name "mariadb-connector-c")
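
Review bot: in mariadb/fixed, (patches (search-patches "mariadb-CVE-2021-27928.patch")) replaces the inherited origin's patches field instead of extending it, so any patch already listed on mariadb's source would be silently dropped from the graft. If the parent origin carries patches, use (append (origin-patches (package-source mariadb)) (search-patches "mariadb-CVE-2021-27928.patch")). A one-line comment above the definition naming the CVE would also help whoever later ungrafts it.
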
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
new file mode 100644
index 0000000000..39a023c159
--- /dev/null
+++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
@@ -0,0 +1,642 @@
+From 7580701e6279900fec40822952a3b874732289cf Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 18 Feb 2021 14:20:48 +0100
+Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only
+
+this should simplify run-time cluster management
+---
+ mysql-test/suite/galera/disabled.def | 2 +
+ .../galera/include/galera_load_provider.inc | 19 --------
+ .../galera/include/galera_unload_provider.inc | 3 +-
+ .../suite/galera/r/galera_ist_rsync.result | 2 +-
+ .../galera/r/galera_sst_mysqldump.result | 2 +-
+ .../suite/galera/r/mysql-wsrep#33.result | 2 +-
+ .../suite/sys_vars/r/sysvars_wsrep.result | 4 +-
+ .../sys_vars/r/wsrep_notify_cmd_basic.result | 47 -------------------
+ .../sys_vars/r/wsrep_provider_basic.result | 40 ----------------
+ .../r/wsrep_provider_options_basic.result | 46 ------------------
+ .../sys_vars/t/wsrep_notify_cmd_basic.test | 43 -----------------
+ .../sys_vars/t/wsrep_provider_basic.test | 39 ---------------
+ .../t/wsrep_provider_options_basic.test | 41 ----------------
+ mysql-test/suite/wsrep/disabled.def | 2 +
+ mysql-test/suite/wsrep/r/variables.result | 12 ++---
+ mysql-test/suite/wsrep/t/variables.test | 32 +++----------
+ sql/sys_vars.cc | 8 ++--
+ 17 files changed, 25 insertions(+), 319 deletions(-)
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+
+diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def
+index d940c702d54..83f26e81636 100644
+--- a/mysql-test/suite/galera/disabled.def
++++ b/mysql-test/suite/galera/disabled.def
+@@ -49,3 +49,5 @@ partition : MDEV-19958 Galera test failure on galera.partition
+ query_cache: MDEV-15805 Test failure on galera.query_cache
+ sql_log_bin : MDEV-21491 galera.sql_log_bin
+ versioning_trx_id : MDEV-18590 galera.versioning_trx_id
++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons
++pxc-421: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc
+index 0f843597d9c..28010cc5b71 100644
+--- a/mysql-test/suite/galera/include/galera_load_provider.inc
++++ b/mysql-test/suite/galera/include/galera_load_provider.inc
+@@ -1,25 +1,6 @@
+ --echo Loading wsrep provider ...
+
+ --disable_query_log
+---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig';
+-
+-#
+-# count occurences of successful node starts in error log
+-#
+-perl;
+- use strict;
+- my $test_log=$ENV{'LOG_FILE'} or die "LOG_FILE not set";
+- my $test_log_copy=$test_log . '.copy';
+- if (-e $test_log_copy) {
+- unlink $test_log_copy;
+- }
+-
+-EOF
+---copy_file $LOG_FILE $LOG_FILE.copy
+-
+-#
+-# now join to the cluster
+-#
+ --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig';
+
+ --enable_query_log
+diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc
+index cd841f51fbc..ed7e9bc41f0 100644
+--- a/mysql-test/suite/galera/include/galera_unload_provider.inc
++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Unloading wsrep provider ...
+
+ --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address`
+---let $wsrep_provider_orig = `SELECT @@wsrep_provider`
+ --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options`
+ --let $wsrep_error_log_orig = `SELECT @@log_error`
+ if(!$wsrep_log_error_orig)
+@@ -12,4 +11,4 @@ if(!$wsrep_log_error_orig)
+ }
+ --let LOG_FILE= $wsrep_log_error_orig
+
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result
+index 13f7d898a59..70a87c73df7 100644
+--- a/mysql-test/suite/galera/r/galera_ist_rsync.result
++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result
+@@ -23,7 +23,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+index 4ed679ba477..145b3a94775 100644
+--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result
++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+index fb0b593cc96..45c6a3f660a 100644
+--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result
++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+@@ -32,7 +32,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+index 4b6abf85434..f73bfbd13e7 100644
+--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+@@ -403,7 +403,7 @@ NUMERIC_MIN_VALUE NULL
+ NUMERIC_MAX_VALUE NULL
+ NUMERIC_BLOCK_SIZE NULL
+ ENUM_VALUE_LIST NULL
+-READ_ONLY NO
++READ_ONLY YES
+ COMMAND_LINE_ARGUMENT REQUIRED
+ GLOBAL_VALUE_PATH NULL
+ VARIABLE_NAME WSREP_ON
+@@ -463,7 +463,7 @@ NUMERIC_MIN_VALUE NULL
+ NUMERIC_MAX_VALUE NULL
+ NUMERIC_BLOCK_SIZE NULL
+ ENUM_VALUE_LIST NULL
+-READ_ONLY NO
++READ_ONLY YES
+ COMMAND_LINE_ARGUMENT REQUIRED
+ GLOBAL_VALUE_PATH NULL
+ VARIABLE_NAME WSREP_PROVIDER_OPTIONS
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+deleted file mode 100644
+index 056ff8c817b..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
++++ /dev/null
+@@ -1,47 +0,0 @@
+-#
+-# wsrep_notify_cmd
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-# default
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-
+-# scope
+-SELECT @@session.wsrep_notify_cmd;
+-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-notify_cmd
+-
+-# valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-command
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-hyphenated-command
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# invalid values
+-SET @@global.wsrep_notify_cmd=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd'
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+deleted file mode 100644
+index 3e4ac8ca883..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
++++ /dev/null
+@@ -1,40 +0,0 @@
+-#
+-# wsrep_provider
+-#
+-# save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-# default
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# scope
+-SELECT @@session.wsrep_provider;
+-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# invalid values
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so'
+-SET @@global.wsrep_provider=NULL;
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-SET @@global.wsrep_provider=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+deleted file mode 100644
+index 15949a14e39..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
++++ /dev/null
+@@ -1,46 +0,0 @@
+-#
+-# wsrep_provider_options
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# default
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# scope
+-SELECT @@session.wsrep_provider_options;
+-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# valid values
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=default;
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# invalid values
+-SET @@global.wsrep_provider_options=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options'
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=NULL;
+-Got one of the listed errors
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+deleted file mode 100644
+index 6d1535ba148..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
++++ /dev/null
+@@ -1,43 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_notify_cmd
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-
+---echo # default
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_notify_cmd=1;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+deleted file mode 100644
+index 1190ab41bb0..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
++++ /dev/null
+@@ -1,39 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider
+---echo #
+-
+---echo # save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-
+---echo # default
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider=NULL;
+-SELECT @@global.wsrep_provider;
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider=1;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+deleted file mode 100644
+index 6eb3a94b6a4..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
++++ /dev/null
+@@ -1,41 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider_options
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # default
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # valid values
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider_options=1;
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=NULL;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def
+index 11577bfe8b0..3d204db6945 100644
+--- a/mysql-test/suite/wsrep/disabled.def
++++ b/mysql-test/suite/wsrep/disabled.def
+@@ -10,3 +10,5 @@
+ #
+ ##############################################################################
+
++
++mdev_6832: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result
+index a9988fd1628..e57440125ee 100644
+--- a/mysql-test/suite/wsrep/r/variables.result
++++ b/mysql-test/suite/wsrep/r/variables.result
+@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON;
+ ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL
+ SET GLOBAL wsrep_replicate_myisam= ON;
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
+ #
+ # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+ # variables when using "_"
+@@ -151,7 +150,6 @@ wsrep_local_state_comment #
+ # Should show nothing.
+ SHOW STATUS LIKE 'x';
+ Variable_name Value
+-SET GLOBAL wsrep_provider=none;
+
+ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ Variable_name Value
+@@ -160,7 +158,6 @@ wsrep_local_state_uuid #
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ Variable_name Value
+ wsrep_last_committed #
+-SET GLOBAL wsrep_provider=none;
+
+ #
+ # MDEV#6206: wsrep_slave_threads subtracts from max_connections
+@@ -174,7 +171,7 @@ SELECT @@global.wsrep_slave_threads;
+ 1
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -183,14 +180,14 @@ Variable_name Value
+ Threads_connected 1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name Value
+-wsrep_thread_count 0
++wsrep_thread_count 2
+
+ SELECT @@global.wsrep_provider;
+ @@global.wsrep_provider
+ libgalera_smm.so
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -199,11 +196,10 @@ Variable_name Value
+ Threads_connected 1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name Value
+-wsrep_thread_count 0
++wsrep_thread_count 2
+
+ # Setting wsrep_cluste
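
Review bot: the sys_vars test pairs wsrep_notify_cmd_basic, wsrep_provider_basic and wsrep_provider_options_basic are deleted and sysvars_wsrep.result only flips two READ_ONLY rows to YES, so in the part of the patch shown here nothing asserts that SET GLOBAL wsrep_provider or SET GLOBAL wsrep_notify_cmd is now rejected. A short negative test expecting the read-only variable error for both would let the package's check phase confirm that the backport took effect on 10.5.8. The subject names only @@wsrep_provider and @@wsrep_notify_cmd, yet the wsrep_provider_options_basic test is removed as well; worth confirming that deletion is needed.
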
This message was truncated. Download the full message here.
Léo Le Bouter wrote on 25 Mar 2021 13:48
(address . 47257@debbugs.gnu.org)
ebca408b79b4b828de3aca8f55a63977c6d44a42.camel@zaclys.net
v3 tested and builds fine:

$ ./pre-inst-env guix build mariadb
/gnu/store/f70jymwyfcnsghy4jg8caibci59p8rgq-mariadb-10.5.8-dev
/gnu/store/cj3qym1x1jjh02m2g23cqpbhchrbmn6c-mariadb-10.5.8-lib
/gnu/store/mpb5bdf1vkwazqfmmwcvskdm50g191bg-mariadb-10.5.8

Since we don't have PoC, I can't verify the rebased patch actually
fixes the security issue but it should. That's what we get when
manually rebasing stuff to earlier versions. Test suite passes but not
sure it actually tests this security issue being fixed.

Please review, then I will push, it's been 7 days so, let's get this
in.
Mark H Weaver wrote on 26 Mar 2021 02:16
Re: bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
87blb6r9w9.fsf@netris.org
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> v3 tested and builds fine:
>
> $ ./pre-inst-env guix build mariadb
> /gnu/store/f70jymwyfcnsghy4jg8caibci59p8rgq-mariadb-10.5.8-dev
> /gnu/store/cj3qym1x1jjh02m2g23cqpbhchrbmn6c-mariadb-10.5.8-lib
> /gnu/store/mpb5bdf1vkwazqfmmwcvskdm50g191bg-mariadb-10.5.8
>
> Since we don't have PoC, I can't verify the rebased patch actually
> fixes the security issue but it should. That's what we get when
> manually rebasing stuff to earlier versions. Test suite passes but not
> sure it actually tests this security issue being fixed.
>
> Please review, then I will push, it's been 7 days so, let's get this
> in.

Looks good to me. Please push. Thank you!

Mark
Léo Le Bouter wrote on 26 Mar 2021 02:23
9e630e7cec836881b4842129a396f23fdab2f5e0.camel@zaclys.net
On Thu, 2021-03-25 at 21:16 -0400, Mark H Weaver wrote:
>
> Looks good to me. Please push. Thank you!
>
> Mark

Thank you for the review, pushed as
52c8d07a4f7033534a71ac7efeec21a65d35c125.


Closed
zimoun wrote on 29 Mar 2021 23:34
Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47257@debbugs.gnu.org)
CAJ3okZ1jNE7_uSifHdoKHM5XgPwFe4OjnyhmbhJiwiLPq8C=zQ@mail.gmail.com
On Thu, 25 Mar 2021 at 12:28, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> > Instead of grafting, I would fix first check the compatibility
> > between
> > mariadb and zstd. Because mariadb@10.5.8 does not build with
> > zstd@1.4.9, at least on my machine.
>
> Can you post build logs and repro scenario? mariadb@10.5.8 built fine
> for me on core-updates which has zstd@1.4.9.

On core-updates, I get this:

$ git log --oneline -1 && ./pre-inst-env guix build mariadb
b20b45c6ce (HEAD -> core-updates, origin/core-updates) gnu: gd: Patch
away recent pkg-config files change that breaks php build.

[...]

Only 2061 of 5666 completed.
--------------------------------------------------------------------------
The servers were restarted 258 times
Spent 10782.523 of 607 seconds executing testcases

Failure: Failed 1/427 tests, 99.77% were successful.

Failing test(s): innodb.check_ibd_filesize

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

798 tests were skipped, 39 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 683.
mtr_report::mtr_error("there were failing test cases") called at
lib/mtr_report.pm line 552
mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x1ae0180),
ARRAY(0xd3cb68)) called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 586
main::main() called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 387
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "./mtr" arguments: ("--verbose"
"--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel"
"64" "--skip-rpl" "--skip-test-list=unstable-tests") exit-status: 1
term-signal: #f stop-signal: #f>
phase `check' failed after 606.9 seconds
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40"
"--suite-timeout=600" "--parallel" "64" "--skip-rpl"
"--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed with exit code 1
build of /gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv failed
View build log at
'/var/log/guix/drvs/33/9560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv.bz2'.
guix build: error: build of
`/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed

Maybe, I am not doing something wrong. Then on master, it "works"
except after the ungraft. Well, it seems coherent with what I get
from core-updates. So if I am doing wrong, I do not know where.

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
a801c7379a (HEAD) gnu: Remove QT 4.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 6%] LOAD gnu/packages/compression.scm
[ 12%] LOAD gnu/packages/databases.scm
[ 19%] LOAD gnu/packages/engineering.scm
[ 25%] LOAD gnu/packages/messaging.scm
[ 31%] LOAD gnu/packages/password-utils.scm
[ 38%] LOAD gnu/packages/pdf.scm
[ 44%] LOAD gnu/packages/qt.scm
[ 50%] LOAD gnu/packages/sqlite.scm
[ 56%] GUILEC gnu/packages/compression.go
[ 62%] GUILEC gnu/packages/databases.go
[ 69%] GUILEC gnu/packages/engineering.go
[ 75%] GUILEC gnu/packages/messaging.go
[ 81%] GUILEC gnu/packages/password-utils.go
[ 88%] GUILEC gnu/packages/pdf.go
[ 94%] GUILEC gnu/packages/qt.go
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/231bip1j7j3prx4q6mr44f3hdn8sl9nh-mariadb-10.5.8-dev
/gnu/store/43sbv46pn6a31722savgbqcrryyn513h-mariadb-10.5.8-lib
/gnu/store/68az8ch2l6x0ldjnjhqsmpn19ns9srjp-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
52c8d07a4f (HEAD) gnu: mariadb: Fix CVE-2021-27928.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/databases.scm
[100%] GUILEC gnu/packages/databases.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
6e7ba45357 (HEAD) gnu: sqlite: Update to 3.32.3 [security fixes].
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/sqlite.scm
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
692f1e5217 (HEAD) DRAFT: gnu: zstd: Fix test suite.
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/q33xvan4j71f4kil0lg4h2yk549al1rv-zstd-1.4.9-lib
/gnu/store/rixmvq9497dwqxr7apa4n70gmhb50lc7-zstd-1.4.9
/gnu/store/2ym2nn0rmzgigagj7zrx4s6gidk94pqg-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
93fee48ada (HEAD -> fix-zstd) DRAFT: gnu: zstd: Update to 1.4.9 (ungraft).
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/mmsp9ym0d3zcc0g1rr2gwmxb5pcq1wkm-zstd-1.4.9-lib
/gnu/store/6bi9kvsj0si590ra99yzb8dchikzlxb1-zstd-1.4.9
/gnu/store/1cnbqm29rc0gp30h18x7hs785c55fl0m-zstd-1.4.9-static
guix build: error: build of
`/gnu/store/5927s1x3hpfv4v9rsc9y06kycx93zqvh-mariadb-10.5.8.drv'
failed

I could be wrong... and I have not investigated more. As I said
elsewhere, grafting zstd from 1.4.4 to 1.4.9 seems totally *wrong*.
There is ~1.5 years and 4 releases between these 2 releases.

BTW, note that:

$ guix graph --path mariadb zstd
guix graph: error: no path from 'mariadb@10.5.8' to 'zstd@1.4.9'

Grafting MariaDB makes sense here. The culprit is zstd, IMHO.

> > Other said, I seem better to do this fix as a whole on core-updates
> > without any graft. Instead of grafting here and there; and not
> > necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> > 10.5.8
> > to 10.5.8).
>
> We can't patch security issues through core-updates, especially this
> RCE.

I will not comment because I am bored by all that.


Last, you have been prompted to commit a major update and disable the
test-suite for zstd, and I am still waiting that you are prompt again
to fix it; especially when a proposal fix is done here:



Best regards,
simon
Léo Le Bouter wrote on 30 Mar 2021 02:26
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 47257@debbugs.gnu.org)
2139d0ea45c3f97bbd8bf1a7eea355b94709b710.camel@zaclys.net
Hello!

Simon,

I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
patch. Thank you for it. Let's watch for upstream zstd fix also.

I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.

Ubuntu released a patch in the meantime, so while we couldn't make such
patch in a timely manner because the backport was non-trivial and
security-sensitive also didn't want to risk failing to fix the flaw
because I don't have much expertise on it, Ubuntu now has done that
work and we can just use it.

Léo


zimoun wrote on 30 Mar 2021 10:29
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47257@debbugs.gnu.org)
CAJ3okZ2UnAvoBhCihgisUXv8xoJNgPq+h4jretcj_fPVpq=rSQ@mail.gmail.com
Hi Léo,

On Tue, 30 Mar 2021 at 02:26, Léo Le Bouter <lle-bout@zaclys.net> wrote:

> I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
> patch. Thank you for it. Let's watch for upstream zstd fix also.

Thanks. It mitigates zstd, even if it does not solve MariaDB. One
foot, then another. :-)

> I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.

Cool! LGTM.

> Ubuntu released a patch in the meantime, so while we couldn't make such
> patch in a timely manner because the backport was non-trivial and
> security-sensitive also didn't want to risk failing to fix the flaw
> because I don't have much expertise on it, Ubuntu now has done that
> work and we can just use it.

Thanks for taking care. And do not consider my concerns as a slowdown
but instead as a way to reach something better. For instance
9feef62b73 seems The Right Thing (AFAIU), whereas 6f873731a0 and
2bcfb944bd are not (AFAIK). On one hand, I agree that ~3 weeks
appears long through the lens of security vulnerabilities. On the
other hand, it is usually worth taking the time; as here. :-)
Examine the various options and so the best move always takes time.

Well, thanks for pushing forward with security.

All the best,
simon
This issue is archived.