Bug 20728 - mysql-workbench new security issues CVE-2016-2176, CVE-2017-3469, and CVE-2016-6303
Summary: mysql-workbench new security issues CVE-2016-2176, CVE-2017-3469, and CVE-201...
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-23 18:43 CEST by David Walser
Modified: 2017-12-30 20:18 CET (History)
5 users (show)

See Also:
Source RPM: mysql-workbench-6.3.6-2.mga6.src.rpm
CVE: CVE-2016-2176, CVE-2017-3469, and CVE-2016-6303
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-04-23 18:43:44 CEST 
The April 2017 Oracle CPU includes security issues in MySQL Workbench:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

The issues are fixed upstream in 6.3.9.

Mageia 5 is likely also affected.
Comment 1 Marja Van Waes 2017-04-24 10:17:27 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2017-04-28 18:33:43 CEST 
fixed in cauldron

CC: (none) => mageia
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE: (none) => CVE-2016-2176, CVE-2017-3469, and CVE-2016-6303

Comment 3 David Walser 2017-04-28 18:38:11 CEST 
Build failed in Cauldron.  Are you sure Mageia 5 isn't affected?

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Nicolas Lécureuil 2017-04-29 08:42:21 CEST 
new version pushed in updates_testing

src.rpm:  mysql-workbench-6.3.9-1.mga5

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs

Comment 5 Nicolas Lécureuil 2017-04-29 09:10:55 CEST 
when it will build :)
Nicolas Lécureuil 2017-04-29 09:17:46 CEST

Assignee: qa-bugs => mageia

Comment 6 Vincent Coen 2017-05-27 22:54:53 CEST 
Hopefully this will also fix bug 17192 . . 


but I am not holding my breath :(

CC: (none) => vbcoen

Comment 7 David Walser 2017-12-30 01:56:39 CET 
Build error:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20171229232127.luigiwalser.duvel.34556/log/mysql-workbench-6.3.9-1.mga5/build.0.20171229232213.log

In file included from /home/iurt/rpmbuild/BUILD/mysql-workbench-community-6.3.9-src/library/base/boost_fix.cpp:21:0:
/usr/include/boost/system/error_code.hpp:516:54: fatal error: boost/../libs/system/src/error_code.cpp: No such file or directory
 #   include <boost/../libs/system/src/error_code.cpp>

So it looks like it needs to be patched to build against the old boost in mga5.
Comment 8 David Walser 2017-12-30 02:46:58 CET 
Looking at:
https://kea.isc.org/ticket/4009?cversion=0&cnum_hist=15

it sounds like this issue is with Boost 1.55 (which we have in Mageia 5) but Boost 1.56 fixed it.
Comment 9 Mike Rambo 2017-12-30 16:27:36 CET 
I attempted to build Boost 1.56 on my mga5 machine just to see if mysql-workbench would build afterward but Boost itself won't build due to the following error. I don't know how to go about fixing this. It looks like there are a lot of things which use Boost so I don't know if this was a good idea anyway but I thought it would be useful to know if it fixed mysql-workbench.

The Boost C++ Libraries were successfully built!

The following directory should be added to compiler include paths:

    /home/mrambo/mageia_dev/dev5/boost/BUILD/boost_1_56_0

The following directory should be added to linker library paths:

    /home/mrambo/mageia_dev/dev5/boost/BUILD/boost_1_56_0/stage/lib

+ echo ============================= build Boost.Build ==================
============================= build Boost.Build ==================
+ cd tools/build/v2
+ ./bootstrap.sh --with-toolset=gcc
/home/mrambo/mageia_dev/dev5/boost/BUILDROOT/rpm-tmp.t7ynWE: line 46: ./bootstrap.sh: No such file or directory
error: Bad exit status from /home/mrambo/mageia_dev/dev5/boost/BUILDROOT/rpm-tmp.t7ynWE (%build)


RPM build errors:
    Bad exit status from /home/mrambo/mageia_dev/dev5/boost/BUILDROOT/rpm-tmp.t7ynWE (%build)
error: failed!

CC: (none) => mrambo

Comment 10 David Walser 2017-12-30 16:32:28 CET 
We wouldn't be able to update boost, but it would be interesting to confirm that it builds against 1.56.  It's too bad we skipped that version in Cauldron (probably due to the mga5 freeze cycle).  Maybe the changes made to the SPEC for 1.58 would help you get it to build?
http://svnweb.mageia.org/packages?view=revision&revision=858953

As for mysql-workbench, I wonder if there's some way to make sure it builds with BOOST_ERROR_CODE_HEADER_ONLY undefined.
Comment 11 Thomas Backlund 2017-12-30 16:58:06 CET 
IIRC the reason for skipping boost 1.56 was because of known issues with it, so it would have caused us more grief than gain...

CC: (none) => tmb

Comment 12 Mike Rambo 2017-12-30 18:13:06 CET 
Looks like BOOST_ERROR_CODE_HEADER_ONLY is already undefined (commented out) in .../library/base/boost_fix.cpp. But it also doesn't look like it matters much because there is a BR for mysql-connector-c++-devel >= 1.1.8 which isn't available for mga5 anyway. Looks like neoclust tried to build it some months back but it isn't on any of the mirrors I checked. There is a src.rpm in updates_testing but no binary package. I'm surprised the -workbench build didn't fail on the missing dependency before it ever got to boost.

Looks to me like this is not fixable for 5.
Comment 13 David Walser 2017-12-30 18:20:29 CET 
Are you sure?  # is not a comment in C/C++, it's a macro.

Anyway, yeah probably not fixable.

Status: REOPENED => RESOLVED
Resolution: (none) => OLD

Comment 14 Mike Rambo 2017-12-30 20:18:04 CET 
Documenting that we tried to add -UBOOST_ERROR_CODE_HEADER_ONLY to CXXFLAGS to fix the build problem but it made no difference. Same missing file error.
Note You need to log in before you can comment on or make changes to this bug.