| Summary: | qtbase5 version detection of mysql broken with MariaDB 10.6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Aurelian R <arusanu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | High | CC: | andrewsfarm, asura, curtis_mageia, dan, davidwhodgins, fri, geiger.david68210, j.biernacki+mga, neue_chance, office, sysadmin-bugs, thomas.bigot, tim, yvesbrungard |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-32-OK MGA8-64-OK | ||
| Source RPM: | qtbase5-5.15.2-4.5.mga8.src.rpm | CVE: | CVE-2022-25255 CVE-2023-24607 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 31545 | ||
| Attachments: | QtBase5 patch, spec file | ||
|
Description
Aurelian R
2021-08-11 21:06:51 CEST
Thank you for the detailed report and all its references; and this:
> Attached is the patch mentioned in the above link adapted
> against qtbase5-5.15.2-10.mga9.src.rpm that fixes the issue.
Assigning to NicolasL (registered maintainer); CC'ing DavidG who has also done recent patches.
CC:
(none) =>
geiger.david68210
Curtis Hildebrand
2021-08-16 21:51:01 CEST
CC:
(none) =>
curtis_mageia
Cristian Pîrîu
2021-08-17 12:34:28 CEST
CC:
(none) =>
office
This annoying bug is still present.
Thomas Bigot
2021-09-09 17:00:01 CEST
CC:
(none) =>
thomas.bigot
At the risk of becoming annoying, can someone solve this bug, please.

thank you, i will take a look to this.

Bug is still present with qtbase5 5.15.2-11.mga9 version.

Created attachment 12938
spec file

(In reply to Cristian Pîrîu from comment #5)
> Bug is still present with qtbase5 5.15.2-11.mga9 version.

If you like to apply the patch for your system I attached the spec file for this package.
To generate the rpm packages you need rpmbuild installed, the source package ( https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/SRPMS/core/release/qtbase5-5.15.2-11.mga9.src.rpm ) and the files attached to this thread (qtbase-QTBUG-95071.patch, qtbase5.spec).
For a default rpmbuild setup (https://wiki.mageia.org/en/Packaging_for_beginners), the steps to build are:

    # rpm -i qtbase5-5.15.2-11.mga9.src.rpm
    # cp qtbase-QTBUG-95071.patch ~/rpmbuild/SOURCES
    # cp qtbase5.spec ~/rpmbuild/SPECS
    # cd ~/rpmbuild
    # sudo urpmi --buildrequires SPECS/qtbase5.spec
    # rpmbuild -ba SPECS/qtbase5.spec

From all the rpm packages generated in ~/rpmbuild/RPMS, on my system, I needed to install these:

    sudo urpmi qtbase5-common-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-ibase-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-mysql-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-odbc-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-pgsql-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-sqlite-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5-database-plugin-tds-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5dbus5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5eglfskmssupport5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5gui5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5network5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5opengl5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5printsupport5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5sql5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5widgets5-5.15.2-11.mga9X.x86_64.rpm \
        lib64qt5xml5-5.15.2-11.mga9X.x86_64.rpm

This is a hack as I see it, hence *mga9X*, (mageia's devs will see it as such too :) ), so it may have unintended consequences though my system doesn't seem to, just tread carefully.

P.S. One can almost always easily revert to official rpms ( urpmi --downgrade qtbase5-common-5.15.2-11.mga9 )

Regards

patch just added into cauldron. Will be available in some hours.

Installed the latest qtbase5 rpms (in fact I had to replace my rpms and to reboot the system).

    $ rpm -qa --last
    lib64qt5xml5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5widgets5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5sql5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5printsupport5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5opengl5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5network5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5gui5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5eglfskmssupport5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5dbus5-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-tds-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-sqlite-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-pgsql-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-odbc-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-mysql-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    lib64qt5-database-plugin-ibase-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:54:45 PM EEST
    qtbase5-common-5.15.2-12.mga9.x86_64 Mon 04 Oct 2021 08:47:13 PM EEST

Successfully tested Kmail to send/receive emails using imap.gmail.com.
From my side this bug should be closed as resolved.
Best regards.

I can confirm that everything is working as expected, thank you.

Hello,
Is Mageia 8 affected by this bug?
CC:
(none) =>
yves.brungard_mageia
> Is Mageia 8 affected by this bug?
I presume that no, because Mageia 8 has Mariadb 10.5
i think it can't hurt to add the patch, because if we update mariadb version ( which can happen ) we will hit this bug
wdyt ?

MariaDB has been updated to 10.6 and this bug exploded in Mageia 8.
I applied the fix in Updates testing.
New rpm are :

    qtbase5-examples-5.15.2-4.6.mga8
    lib64qt5linuxaccessibilitysupport-static-devel-5.15.2-4.6.mga8
    lib64qt5themesupport-static-devel-5.15.2-4.6.mga8
    lib64qt5inputsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5gui5-5.15.2-4.6.mga8
    qtbase5-common-devel-5.15.2-4.6.mga8
    lib64qt5widgets5-5.15.2-4.6.mga8
    lib64qt5fbsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5gui-devel-5.15.2-4.6.mga8
    lib64qt5fontdatabasesupport-static-devel-5.15.2-4.6.mga8
    lib64qt5core5-5.15.2-4.6.mga8
    lib64qt5core-devel-5.15.2-4.6.mga8
    lib64qt5opengl-devel-5.15.2-4.6.mga8
    lib64qt5kmssupport-static-devel-5.15.2-4.6.mga8
    lib64qt5eglsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5eventdispatchersupport-static-devel-5.15.2-4.6.mga8
    lib64qt5platformcompositorsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5vulkansupport-static-devel-5.15.2-4.6.mga8
    lib64qt5widgets-devel-5.15.2-4.6.mga8
    lib64qt5devicediscoverysupport-static-devel-5.15.2-4.6.mga8
    lib64qt5xkbcommonsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5servicesupport-static-devel-5.15.2-4.6.mga8
    lib64qt5xcbqpa5-5.15.2-4.6.mga8
    qtbase5-common-5.15.2-4.6.mga8
    lib64qt5network5-5.15.2-4.6.mga8
    lib64qt5edid-devel-5.15.2-4.6.mga8
    lib64qt5eglfsdeviceintegration5-5.15.2-4.6.mga8
    lib64qt5accessibilitysupport-static-devel-5.15.2-4.6.mga8
    lib64qt5test-devel-5.15.2-4.6.mga8
    lib64qt5dbus5-5.15.2-4.6.mga8
    lib64qt5glxsupport-static-devel-5.15.2-4.6.mga8
    lib64qt5printsupport5-5.15.2-4.6.mga8
    lib64qt5network-devel-5.15.2-4.6.mga8
    lib64qt5opengl5-5.15.2-4.6.mga8
    lib64qt5sql5-5.15.2-4.6.mga8
    lib64qt5xml5-5.15.2-4.6.mga8
    lib64qt5test5-5.15.2-4.6.mga8
    lib64qt5-database-plugin-odbc-5.15.2-4.6.mga8
    lib64qt5eglfskmssupport5-5.15.2-4.6.mga8
    lib64qt5dbus-devel-5.15.2-4.6.mga8
    lib64qt5-database-plugin-ibase-5.15.2-4.6.mga8
    lib64qt5printsupport-devel-5.15.2-4.6.mga8
    lib64qt5-database-plugin-pgsql-5.15.2-4.6.mga8
    lib64qt5sql-devel-5.15.2-4.6.mga8
    lib64qt5concurrent-devel-5.15.2-4.6.mga8
    lib64qt5xml-devel-5.15.2-4.6.mga8
    lib64qt5eglfsdeviceintegration-devel-5.15.2-4.6.mga8
    lib64qt5platformsupport-devel-5.15.2-4.6.mga8
    lib64qt5-database-plugin-tds-5.15.2-4.6.mga8
    lib64qt5-database-plugin-sqlite-5.15.2-4.6.mga8
    lib64qt5-database-plugin-mysql-5.15.2-4.6.mga8
    lib64qt5base5-devel-5.15.2-4.6.mga8
    lib64qt5eglfskmssupport-devel-5.15.2-4.6.mga8
    lib64qt5xcbqpa-devel-5.15.2-4.6.mga8
    lib64qt5concurrent5-5.15.2-4.6.mga8
    lib64qt5bootstrap-static-devel-5.15.2-4.6.mga8
    qtbase5-doc-5.15.2-4.6.mga8.noarch.rpm

For info, the patch applied is:
https://codereview.qt-project.org/c/qt/qtbase/+/363883
Priority:
Normal =>
High
mga8 -64 Plasma
I have not noticed problems before, but I don't use Kmail (nor akonadi)
Clean update, reboot, and have not noticed any problems since (just an hour normal use of LibreOffice, Thunderbird...)
Updated the 18 relevant packages this system had, to:
- lib64qt5-database-plugin-ibase-5.15.2-4.6.mga8.x86_64
- lib64qt5-database-plugin-mysql-5.15.2-4.6.mga8.x86_64
- lib64qt5-database-plugin-sqlite-5.15.2-4.6.mga8.x86_64
- lib64qt5concurrent5-5.15.2-4.6.mga8.x86_64
- lib64qt5core5-5.15.2-4.6.mga8.x86_64
- lib64qt5dbus5-5.15.2-4.6.mga8.x86_64
- lib64qt5eglfsdeviceintegration5-5.15.2-4.6.mga8.x86_64
- lib64qt5eglfskmssupport5-5.15.2-4.6.mga8.x86_64
- lib64qt5gui5-5.15.2-4.6.mga8.x86_64
- lib64qt5network5-5.15.2-4.6.mga8.x86_64
- lib64qt5opengl5-5.15.2-4.6.mga8.x86_64
- lib64qt5printsupport5-5.15.2-4.6.mga8.x86_64
- lib64qt5sql5-5.15.2-4.6.mga8.x86_64
- lib64qt5test5-5.15.2-4.6.mga8.x86_64
- lib64qt5widgets5-5.15.2-4.6.mga8.x86_64
- lib64qt5xcbqpa5-5.15.2-4.6.mga8.x86_64
- lib64qt5xml5-5.15.2-4.6.mga8.x86_64
- qtbase5-common-5.15.2-4.6.mga8.x86_64
CC:
(none) =>
fri
Hello,
after updating:
> urpmi --nokeep --downgrade --media "Core Updates Testing" lib64qt5sql5-5.15.2-4.6.mga8 lib64qt5-database-plugin-mysql-5.15.2-4.6.mga8
I manage to send and receive my sent email on qa-discuss mailing list.
> https://ml.mageia.org/l/arc/qa-discuss/2023-02/msg00257.html
Can be pushed to Core Updates
CC:
(none) =>
j.biernacki+mga
I just update the whole list except doc, session still reboots.

Clarification for others: Jybz has earlier updated by other methods, therefore the downgrade.

(In reply to Jybz from comment #16)
> I just update the whole list except doc, session still reboots.

I hope you mean that after reboot it works correctly? - Or does it crash-reboot?
David Walser
2023-02-17 15:28:20 CET
Blocks:
(none) =>
31545
Sorry ! Tired... Session still re-opens. things are working.
I also did a reboot because just leave and reenter in plasma reset my "touch-pad slap behavior". But after a real powercycle of the machine, everything is correct.

papoteur just added a patch for CVE-2023-24607. Can you please also fix CVE-2022-25255 (Bug 29977) for qtbase5?

(In reply to David Walser from comment #20)
> papoteur just added a patch for CVE-2023-24607. Can you please also fix
> CVE-2022-25255 (Bug 29977) for qtbase5?

David Geiger has fixed that in qtbase5-5.15.2-4.8.mga8 which is building now.
Component:
RPM Packages =>
Security
I have used testing to update the two rpms:
lib64qt5sql5-5.15.2-4.6.mga8
lib64qt5-database-plugin-mysql-5.15.2-4.6.mga8
and the problem I had with missing emails:
https://ml.mageia.org/l/arc/discuss/2023-02/msg00046.html
has gone away!
bascule
CC:
(none) =>
asura
Like comment 14 - now updated cleanly to -4.8, rebooted, keep using it OK.

New rpm are :

    qtbase5-examples-5.15.2-4.8.mga8
    lib64qt5linuxaccessibilitysupport-static-devel-5.15.2-4.8.mga8
    lib64qt5themesupport-static-devel-5.15.2-4.8.mga8
    lib64qt5inputsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5gui5-5.15.2-4.8.mga8
    qtbase5-common-devel-5.15.2-4.8.mga8
    lib64qt5widgets5-5.15.2-4.8.mga8
    lib64qt5fbsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5gui-devel-5.15.2-4.8.mga8
    lib64qt5fontdatabasesupport-static-devel-5.15.2-4.8.mga8
    lib64qt5core5-5.15.2-4.8.mga8
    lib64qt5core-devel-5.15.2-4.8.mga8
    lib64qt5opengl-devel-5.15.2-4.8.mga8
    lib64qt5kmssupport-static-devel-5.15.2-4.8.mga8
    lib64qt5eglsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5eventdispatchersupport-static-devel-5.15.2-4.8.mga8
    lib64qt5platformcompositorsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5vulkansupport-static-devel-5.15.2-4.8.mga8
    lib64qt5widgets-devel-5.15.2-4.8.mga8
    lib64qt5devicediscoverysupport-static-devel-5.15.2-4.8.mga8
    lib64qt5xkbcommonsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5servicesupport-static-devel-5.15.2-4.8.mga8
    lib64qt5xcbqpa5-5.15.2-4.8.mga8
    qtbase5-common-5.15.2-4.8.mga8
    lib64qt5network5-5.15.2-4.8.mga8
    lib64qt5edid-devel-5.15.2-4.8.mga8
    lib64qt5eglfsdeviceintegration5-5.15.2-4.8.mga8
    lib64qt5accessibilitysupport-static-devel-5.15.2-4.8.mga8
    lib64qt5test-devel-5.15.2-4.8.mga8
    lib64qt5dbus5-5.15.2-4.8.mga8
    lib64qt5glxsupport-static-devel-5.15.2-4.8.mga8
    lib64qt5printsupport5-5.15.2-4.8.mga8
    lib64qt5network-devel-5.15.2-4.8.mga8
    lib64qt5opengl5-5.15.2-4.8.mga8
    lib64qt5sql5-5.15.2-4.8.mga8
    lib64qt5xml5-5.15.2-4.8.mga8
    lib64qt5test5-5.15.2-4.8.mga8
    lib64qt5-database-plugin-odbc-5.15.2-4.8.mga8
    lib64qt5eglfskmssupport5-5.15.2-4.8.mga8
    lib64qt5dbus-devel-5.15.2-4.8.mga8
    lib64qt5-database-plugin-ibase-5.15.2-4.8.mga8
    lib64qt5printsupport-devel-5.15.2-4.8.mga8
    lib64qt5-database-plugin-pgsql-5.15.2-4.8.mga8
    lib64qt5sql-devel-5.15.2-4.8.mga8
    lib64qt5concurrent-devel-5.15.2-4.8.mga8
    lib64qt5xml-devel-5.15.2-4.8.mga8
    lib64qt5eglfsdeviceintegration-devel-5.15.2-4.8.mga8
    lib64qt5platformsupport-devel-5.15.2-4.8.mga8
    lib64qt5-database-plugin-tds-5.15.2-4.8.mga8
    lib64qt5-database-plugin-sqlite-5.15.2-4.8.mga8
    lib64qt5-database-plugin-mysql-5.15.2-4.8.mga8
    lib64qt5base5-devel-5.15.2-4.8.mga8
    lib64qt5eglfskmssupport-devel-5.15.2-4.8.mga8
    lib64qt5xcbqpa-devel-5.15.2-4.8.mga8
    lib64qt5concurrent5-5.15.2-4.8.mga8
    lib64qt5bootstrap-static-devel-5.15.2-4.8.mga8
    qtbase5-doc-5.15.2-4.8.mga8.noarch.rpm

This adds patches for bug 31545 and bug 29977

Installed

    lib64qt5test-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5test5-5.15.2-4.8.mga8.x86_64
    lib64qt5base5-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5xml-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5xml5-5.15.2-4.8.mga8.x86_64
    lib64qt5widgets-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5sql-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5sql5-5.15.2-4.8.mga8.x86_64
    lib64qt5printsupport-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5printsupport5-5.15.2-4.8.mga8.x86_64
    lib64qt5opengl-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5opengl5-5.15.2-4.8.mga8.x86_64
    lib64qt5network-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5gui-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5eglfskmssupport-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5eglfsdeviceintegration-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-tds-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-sqlite-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-pgsql-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-odbc-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-mysql-5.15.2-4.8.mga8.x86_64
    lib64qt5-database-plugin-ibase-5.15.2-4.8.mga8.x86_64
    lib64qt5concurrent-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5concurrent5-5.15.2-4.8.mga8.x86_64
    qtbase5-common-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5xcbqpa-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5widgets5-5.15.2-4.8.mga8.x86_64
    lib64qt5gui5-5.15.2-4.8.mga8.x86_64
    lib64qt5eglfskmssupport5-5.15.2-4.8.mga8.x86_64
    lib64qt5eglfsdeviceintegration5-5.15.2-4.8.mga8.x86_64
    lib64qt5dbus-devel-5.15.2-4.8.mga8.x86_64
    lib64qt5core-devel-5.15.2-4.8.mga8.x86_64
    qtbase5-common-5.15.2-4.8.mga8.x86_64
    lib64qt5xcbqpa5-5.15.2-4.8.mga8.x86_64
    lib64qt5network5-5.15.2-4.8.mga8.x86_64
    lib64qt5dbus5-5.15.2-4.8.mga8.x86_64
    lib64qt5core5-5.15.2-4.8.mga8.x86_64

Restarted the computer
Launched some applications, including korganizer
All seems OK.

For this important package it would be good to test on 32 bit also I think.
Please someone write an advisory proposal so it is ready to be used quickly.
Whiteboard:
(none) =>
MGA8-64-OK
Advisory
===================
Qt had a test of mariadb to adapt its instructions accordingly
However, since MariaDB 10.6, the version reported is no more what is expected.
Akonadi fails to update the data for kmail (mga#29359)
Fix for CVE-2023-24607:
Fix a possible DOS involving the Qt SQL ODBC driver plugin.
Fix for CVE-2022-23853 / CVE-2022-25255
Avoid unintentionally using binaries from CWD
===================

Tested on Foolishness, my Dell Inspiron 5100, real 32-bit hardware, running mga8 Xfce with the desktop kernel.

I expected qtbase5 packages on Plasma systems, but was surprised to see a number of them already installed on my Xfce system. So, I used qarepo to update them, with no issues, and rebooted.

Then I used "urpmq --whatrequires-recursive qtbase5-common" and found out why these packages were there. I saw where, among other things, it's used with Gimp, gutenprint-gimp2, hplip-gui, vlc, and others. While I don't use kmail, I do use those.

I had been going to try installing my HP Envy Photo 7800 series all-in-one as a wireless device for a while, so I tried that. The printer shows up in the HP Device Manager, and Gimp can access the scanner, as well as print with either the hplip or Gutenprint drivers. VLC had no problems with playing video files, either.

While I didn't exercise any of these applications to their fullest, nothing crashed with what I DID try, and I saw no new problems with anything else.

I'm giving this a 32-bit OK, and validating. Advisory in Comment 27.
Whiteboard:
MGA8-64-OK =>
MGA8-32-OK MGA8-64-OK
This validated bugfix is important to ship ASAP as i.e Kmail is unusable without it
Advisory proposal in comment 27
CC:
(none) =>
davidwhodgins
Today I only updated the lib64qt5-database-plugin-mysql package from the "Core Updates Testing" medium to version 5.15.2-4.8.mga8.x86_64. It installed itself. There were no missing dependencies. To my surprise and delight, Akonadi is working again. All modules in Kontact ran without error messages.
CC:
(none) =>
neue_chance
Dave Hodgins
2023-02-20 20:37:23 CET
Keywords:
(none) =>
advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0051.html
Resolution:
(none) =>
FIXED |
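
An added check, not part of the original report: several testers in this thread updated only one or two qtbase5 subpackages, so this sketch lists every installed package built from the qtbase5 source RPM that is still below 5.15.2-4.8.mga8, the release the thread names as carrying the fixes. The helper names, the `rpm` query format shown in the comment and the sample inventory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): list installed qtbase5
# subpackages that are still below the fixed Mageia 8 release.
FIXED="5.15.2-4.8.mga8"   # release named in this thread

# stale_qtbase5 FIXED  (hypothetical helper)
# stdin:  "name version-release sourcerpm" lines, e.g. produced by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
# stdout: "name version-release" for every mga8 package built from the
# qtbase5 SRPM that sorts below FIXED. Fields are compared numerically,
# which is a simplification of the comparison rpm itself performs.
stale_qtbase5() {
    awk -v fixed="$1" '
    function cmp(a, b,    x, y, n, m, i) {
        n = split(a, x, /[^0-9]+/)
        m = split(b, y, /[^0-9]+/)
        for (i = 1; i <= n || i <= m; i++) {
            if ((x[i] + 0) < (y[i] + 0)) return -1
            if ((x[i] + 0) > (y[i] + 0)) return 1
        }
        return 0
    }
    $3 ~ /^qtbase5-[0-9]/ && $2 ~ /\.mga8$/ && cmp($2, fixed) < 0 {
        print $1, $2
    }'
}

# Constructed inventory: a host where only two packages were updated,
# plus one package from a different source RPM that must be ignored.
sample_inventory() {
    cat <<'EOF'
lib64qt5sql5 5.15.2-4.8.mga8 qtbase5-5.15.2-4.8.mga8.src.rpm
lib64qt5-database-plugin-mysql 5.15.2-4.8.mga8 qtbase5-5.15.2-4.8.mga8.src.rpm
lib64qt5core5 5.15.2-4.5.mga8 qtbase5-5.15.2-4.5.mga8.src.rpm
lib64qt5network5 5.15.2-4.6.mga8 qtbase5-5.15.2-4.6.mga8.src.rpm
lib64qt5svg5 5.15.2-1.mga8 qtsvg5-5.15.2-1.mga8.src.rpm
EOF
}

# Demo on the constructed inventory; on a real host pipe the rpm query
# from the comment above into stale_qtbase5 instead.
sample_inventory | stale_qtbase5 "$FIXED"
```

An empty result means every installed qtbase5 subpackage is at or above the fixed release.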