Bug 20730 - mariadb possible new security issues
Summary: mariadb possible new security issues
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: AL13N
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-23 18:55 CEST by David Walser
Modified: 2017-07-06 22:31 CEST (History)
1 user (show)

See Also:
Source RPM: mariadb-10.1.22-2.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-04-23 18:55:50 CEST 
The April 2017 Oracle CPU includes security issues in MySQL:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

It lists the following CVEs that MariaDB hasn't listed as being fixed there:
CVE-2017-3305
CVE-2017-3329
CVE-2017-3331
CVE-2017-3450
CVE-2017-3452
CVE-2017-3454
CVE-2017-3455
CVE-2017-3457
CVE-2017-3458
CVE-2017-3459
CVE-2017-3460
CVE-2017-3461
CVE-2017-3462
CVE-2017-3463
CVE-2017-3465
CVE-2017-3467
CVE-2017-3468
CVE-2017-3599

Some of those are likely not relevant for MariaDB, but some of them likely are.  Hopefully they will all be fixed in the next MariaDB releases.
David Walser 2017-04-23 18:56:00 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-24 10:16:42 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => alien
CC: (none) => marja11

Comment 2 David Walser 2017-05-04 12:24:30 CEST 
10.1.23 fixes the following:
    CVE-2017-3302
    CVE-2017-3313
    CVE-2017-3308
    CVE-2017-3309
    CVE-2017-3453
    CVE-2017-3456
    CVE-2017-3464 

which strangely enough fits right around but doesn't overlap Oracle's list of CVEs.

https://mariadb.com/kb/en/mariadb/mariadb-10123-release-notes/

A new 10.0.x release with the fixes hasn't been announced yet.
Comment 4 David Walser 2017-05-17 11:37:38 CEST 
Comment from AL13N via IRC:
it seems like either a library is missing
it only gets built with "-lpthread -llz4 -llzo2 -llzma -lbz2 -laio"
probably the configure part said a missing part too, so maybe just adding a build-requires does the trick
Comment 5 David Walser 2017-05-18 12:07:30 CEST 
Added BR libarchiv-devel and a patch from Oden:
https://jira.mariadb.org/browse/MDEV-12810

Hopefully that will work.
Comment 6 David Walser 2017-05-18 19:34:19 CEST 
OK it worked and built but there's unpackaged files:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170518163131.akien.duvel.37667/log/mariadb-10.1.23-1.mga6/build.0.20170518163404.log

   /usr/bin/mariabackup
   /usr/bin/mbstream
   /usr/bin/wsrep_sst_mariabackup
   /usr/share/man/man1/galera_new_cluster.1.xz
   /usr/share/man/man1/galera_recovery.1.xz
   /usr/share/man/man1/mariadb-service-convert.1.xz
   /usr/share/man/man1/my_safe_process.1.xz
   /usr/share/man/man1/mysqld_safe_helper.1.xz
   /usr/share/man/man1/tokuft_logdump.1.xz
   /usr/share/man/man1/tokuftdump.1.xz
   /usr/share/man/man1/wsrep_sst_common.1.xz
   /usr/share/man/man1/wsrep_sst_mysqldump.1.xz
   /usr/share/man/man1/wsrep_sst_rsync.1.xz
   /usr/share/man/man1/wsrep_sst_xtrabackup-v2.1.xz
   /usr/share/man/man1/wsrep_sst_xtrabackup.1.xz

I think Fedora updated it so I'll have to check where those files go and fix this later.
Comment 7 David Walser 2017-05-20 21:55:52 CEST 
mariadb files list fixed with the help of Oden's spec:
https://nux.se/repo/mariadb.spec
Comment 8 David Walser 2017-05-24 01:20:34 CEST 
MariaDB 10.0.31 is also out, and I pushed it to QA in Bug 20917.

It doesn't currently list any security issues as fixed, but maybe it will later.
Comment 9 David Walser 2017-07-06 22:31:02 CEST 
I think these issues have probably been fixed as much as they're going to be.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
Note You need to log in before you can comment on or make changes to this bug.