Bug 20730

Summary:	mariadb possible new security issues
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	AL13N <alien>
Status:	RESOLVED INVALID	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	marja11
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA5TOO
Source RPM:	mariadb-10.1.22-2.mga6.src.rpm	CVE:
Status comment:

Description David Walser 2017-04-23 18:55:50 CEST

The April 2017 Oracle CPU includes security issues in MySQL:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

It lists the following CVEs that MariaDB hasn't listed as being fixed there:
CVE-2017-3305
CVE-2017-3329
CVE-2017-3331
CVE-2017-3450
CVE-2017-3452
CVE-2017-3454
CVE-2017-3455
CVE-2017-3457
CVE-2017-3458
CVE-2017-3459
CVE-2017-3460
CVE-2017-3461
CVE-2017-3462
CVE-2017-3463
CVE-2017-3465
CVE-2017-3467
CVE-2017-3468
CVE-2017-3599

Some of those are likely not relevant for MariaDB, but some of them likely are.  Hopefully they will all be fixed in the next MariaDB releases.

David Walser 2017-04-23 18:56:00 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-24 10:16:42 CEST

Assigning to the registered maintainer.

Assignee: bugsquad => alien
CC: (none) => marja11

Comment 2 David Walser 2017-05-04 12:24:30 CEST

10.1.23 fixes the following:
    CVE-2017-3302
    CVE-2017-3313
    CVE-2017-3308
    CVE-2017-3309
    CVE-2017-3453
    CVE-2017-3456
    CVE-2017-3464 

which strangely enough fits right around but doesn't overlap Oracle's list of CVEs.

https://mariadb.com/kb/en/mariadb/mariadb-10123-release-notes/

A new 10.0.x release with the fixes hasn't been announced yet.

Comment 3 David Walser 2017-05-16 23:38:59 CEST

We need to update to 10.1.23, but it doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170516212937.akien.duvel.34804/log/mariadb-10.1.23-1.mga6/build.0.20170516213004.log

Comment 4 David Walser 2017-05-17 11:37:38 CEST

Comment from AL13N via IRC:
it seems like either a library is missing
it only gets built with "-lpthread -llz4 -llzo2 -llzma -lbz2 -laio"
probably the configure part said a missing part too, so maybe just adding a build-requires does the trick

Comment 5 David Walser 2017-05-18 12:07:30 CEST

Added BR libarchiv-devel and a patch from Oden:
https://jira.mariadb.org/browse/MDEV-12810

Hopefully that will work.

Comment 6 David Walser 2017-05-18 19:34:19 CEST

OK it worked and built but there's unpackaged files:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170518163131.akien.duvel.37667/log/mariadb-10.1.23-1.mga6/build.0.20170518163404.log

   /usr/bin/mariabackup
   /usr/bin/mbstream
   /usr/bin/wsrep_sst_mariabackup
   /usr/share/man/man1/galera_new_cluster.1.xz
   /usr/share/man/man1/galera_recovery.1.xz
   /usr/share/man/man1/mariadb-service-convert.1.xz
   /usr/share/man/man1/my_safe_process.1.xz
   /usr/share/man/man1/mysqld_safe_helper.1.xz
   /usr/share/man/man1/tokuft_logdump.1.xz
   /usr/share/man/man1/tokuftdump.1.xz
   /usr/share/man/man1/wsrep_sst_common.1.xz
   /usr/share/man/man1/wsrep_sst_mysqldump.1.xz
   /usr/share/man/man1/wsrep_sst_rsync.1.xz
   /usr/share/man/man1/wsrep_sst_xtrabackup-v2.1.xz
   /usr/share/man/man1/wsrep_sst_xtrabackup.1.xz

I think Fedora updated it so I'll have to check where those files go and fix this later.

Comment 7 David Walser 2017-05-20 21:55:52 CEST

mariadb files list fixed with the help of Oden's spec:
https://nux.se/repo/mariadb.spec

Comment 8 David Walser 2017-05-24 01:20:34 CEST

MariaDB 10.0.31 is also out, and I pushed it to QA in Bug 20917.

It doesn't currently list any security issues as fixed, but maybe it will later.

Comment 9 David Walser 2017-07-06 22:31:02 CEST

I think these issues have probably been fixed as much as they're going to be.

Status: NEW => RESOLVED
Resolution: (none) => INVALID