bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)

From:	zimoun
Subject:	bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date:	Mon, 29 Mar 2021 23:34:15 +0200

On Thu, 25 Mar 2021 at 12:28, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> > Instead of grafting, I would fix first check the compatibility
> > between
> > mariadb  and zstd.  Because mariadb@10.5.8 does not build with
> > zstd@1.4.9, at least on my machine.
>
> Can you post build logs and repro scenario? mariadb@10.5.8 built fine
> for me on core-updates which has zstd@1.4.9.

On core-updates, I get this:

--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && ./pre-inst-env guix build mariadb
b20b45c6ce (HEAD -> core-updates, origin/core-updates) gnu: gd: Patch
away recent pkg-config files change that breaks php build.

[...]

Only  2061  of 5666 completed.
--------------------------------------------------------------------------
The servers were restarted 258 times
Spent 10782.523 of 607 seconds executing testcases

Failure: Failed 1/427 tests, 99.77% were successful.

Failing test(s): innodb.check_ibd_filesize

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

798 tests were skipped, 39 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 683.
    mtr_report::mtr_error("there were failing test cases") called at
lib/mtr_report.pm line 552
    mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x1ae0180),
ARRAY(0xd3cb68)) called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 586
    main::main() called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 387
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "./mtr" arguments: ("--verbose"
"--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel"
"64" "--skip-rpl" "--skip-test-list=unstable-tests") exit-status: 1
term-signal: #f stop-signal: #f>
phase `check' failed after 606.9 seconds
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40"
"--suite-timeout=600" "--parallel" "64" "--skip-rpl"
"--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed with exit code 1
build of /gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv failed
View build log at
'/var/log/guix/drvs/33/9560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv.bz2'.
guix build: error: build of
`/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---

Maybe, I am not doing something wrong.  Then on master, it "works"
except after the ungraft.   Well, it seems coherent with what I get
from core-updates.  So if I am doing wrong, I do not know where.

--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
a801c7379a (HEAD) gnu: Remove QT 4.
 cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
 cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
  GEN      scripts/guix
Compiling Scheme modules...
[  6%] LOAD     gnu/packages/compression.scm
[ 12%] LOAD     gnu/packages/databases.scm
[ 19%] LOAD     gnu/packages/engineering.scm
[ 25%] LOAD     gnu/packages/messaging.scm
[ 31%] LOAD     gnu/packages/password-utils.scm
[ 38%] LOAD     gnu/packages/pdf.scm
[ 44%] LOAD     gnu/packages/qt.scm
[ 50%] LOAD     gnu/packages/sqlite.scm
[ 56%] GUILEC   gnu/packages/compression.go
[ 62%] GUILEC   gnu/packages/databases.go
[ 69%] GUILEC   gnu/packages/engineering.go
[ 75%] GUILEC   gnu/packages/messaging.go
[ 81%] GUILEC   gnu/packages/password-utils.go
[ 88%] GUILEC   gnu/packages/pdf.go
[ 94%] GUILEC   gnu/packages/qt.go
[100%] GUILEC   gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/231bip1j7j3prx4q6mr44f3hdn8sl9nh-mariadb-10.5.8-dev
/gnu/store/43sbv46pn6a31722savgbqcrryyn513h-mariadb-10.5.8-lib
/gnu/store/68az8ch2l6x0ldjnjhqsmpn19ns9srjp-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
52c8d07a4f (HEAD) gnu: mariadb: Fix CVE-2021-27928.
 cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
 cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
  GEN      scripts/guix
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/databases.scm
[100%] GUILEC   gnu/packages/databases.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
6e7ba45357 (HEAD) gnu: sqlite: Update to 3.32.3 [security fixes].
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/sqlite.scm
[100%] GUILEC   gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
692f1e5217 (HEAD) DRAFT: gnu: zstd: Fix test suite.
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/compression.scm
[100%] GUILEC   gnu/packages/compression.go
/gnu/store/q33xvan4j71f4kil0lg4h2yk549al1rv-zstd-1.4.9-lib
/gnu/store/rixmvq9497dwqxr7apa4n70gmhb50lc7-zstd-1.4.9
/gnu/store/2ym2nn0rmzgigagj7zrx4s6gidk94pqg-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
93fee48ada (HEAD -> fix-zstd) DRAFT: gnu: zstd: Update to 1.4.9 (ungraft).
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/compression.scm
[100%] GUILEC   gnu/packages/compression.go
/gnu/store/mmsp9ym0d3zcc0g1rr2gwmxb5pcq1wkm-zstd-1.4.9-lib
/gnu/store/6bi9kvsj0si590ra99yzb8dchikzlxb1-zstd-1.4.9
/gnu/store/1cnbqm29rc0gp30h18x7hs785c55fl0m-zstd-1.4.9-static
guix build: error: build of
`/gnu/store/5927s1x3hpfv4v9rsc9y06kycx93zqvh-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---

I could be wrong... and I have not investigated more.  As I said
elsewhere, grafting zstd from 1.4.4 to 1.4.9 seems totally *wrong*.
There is ~1.5 years and 4 releases between these 2 releases.

BTW, note that:

   $ guix graph --path mariadb zstd
   guix graph: error: no path from 'mariadb@10.5.8' to 'zstd@1.4.9'

Grafting MariaDB makes sense here.  The culprit is zstd, IMHO.

> > Other said, I seem better to do this fix as a whole on core-updates
> > without any graft.  Instead of grafting here and there; and not
> > necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> > 10.5.8
> > to 10.5.8).
>
> We can't patch security issues through core-updates, especially this
> RCE.

I will not comment because I am bored by all that.


Last, you have been prompted to commit a major update and disable the
test-suite for zstd, and I am still waiting that you are prompt again
to fix it; especially when a proposal fix is done here:

<https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00295.html>


Best regards,
simon

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), Léo Le Bouter, 2021/03/19
- bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), Julien Lepiller, 2021/03/19
- bug#47257: [PATCH 0/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928]., Léo Le Bouter, 2021/03/19
  - bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928]., Léo Le Bouter, 2021/03/19
    - bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928]., Mark H Weaver, 2021/03/19
    - bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928]., Mark H Weaver, 2021/03/19
- bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), zimoun, 2021/03/19
  - bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), Léo Le Bouter, 2021/03/25
    - bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), zimoun <=
    - bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), Léo Le Bouter, 2021/03/29
    - bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE), zimoun, 2021/03/30
- bug#47257: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928., Léo Le Bouter, 2021/03/25
  - bug#47257: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928., Julien Lepiller, 2021/03/25
- bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928., Léo Le Bouter, 2021/03/25
  - bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928., Léo Le Bouter, 2021/03/25
    - bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928., Mark H Weaver, 2021/03/25
    - bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928., Léo Le Bouter, 2021/03/25

Prev by Date: bug#47479: inkscape retains a reference to imagemagick, even though it is in native-inputs
Next by Date: bug#47398: generic-html updater does not work for exiv2 package
Previous by thread: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Next by thread: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Index(es):
- Date
- Thread