Bug 32129 - mysql-connector-c++ possible new security issue CVE-2022-4899
Summary: mysql-connector-c++ possible new security issue CVE-2022-4899
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-21 20:42 CEST by David Walser
Modified: 2023-08-01 00:06 CEST

See Also:
Source RPM: mysql-connector-c++-8.0.32-3.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-07-21 20:42:28 CEST
July 2023 Oracle CPU:
https://www.oracle.com/security-alerts/cpujul2023.html#AppendixMSQL

Issue was fixed in zstd package in Bug 31740.

It doesn't look like mysql-connector-c++ is linked to the system zstd, so it could be using bundled code.
Comment 1 Lewis Smith 2023-07-26 08:27:12 CEST
Unable to pin down the package, only similar:
mysql-connector-java
mysql-connector-net
mysql-connector-net-devel
python3-mysql-connector

If the solution is embedded zstd,
 https://dev.mysql.com/downloads/connector/cpp/
shows current version is 8.1.0, but cannot see what it offers/fixes.

DavidG
If you do not want this, please re-assign it.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2023-07-26 22:46:10 CEST
(In reply to Lewis Smith from comment #1)
> Unable to pin down the package, only similar:
> mysql-connector-java
> mysql-connector-net
> mysql-connector-net-devel
> python3-mysql-connector

The SRPM is mysql-connector-c++.  RPMS from it in Mageia 8 are:
lib64mysqlcppconn-devel
lib64mysqlcppconn7
lib64mysqlcppconn8-devel
lib64mysqlcppconn8_2
lib64mysqlcppconn9
Comment 3 David GEIGER 2023-07-27 06:32:11 CEST
Our mysql-connector-c++ is already linked to system zstd in lib64mysqlcppconn8_2 package:

In our spec file there is as cmake build option:

  -DBUNDLE_DEPENDENCIES=OFF \
  -DWITH_PROTOBUF=system \
  -DWITH_LZ4=system \
  -DWITH_SSL=system \
  -DWITH_ZLIB=system \
  -DWITH_ZSTD=system \


$ urpmq --whatrequires lib64zstd1 |grep mysql
lib64mysqlcppconn8_2
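As an added example (not part of this bug report or of the Mageia packaging), here is a small POSIX shell check that answers the question raised above: whether a built library uses the system zstd (a DT_NEEDED entry for libzstd) or carries a bundled copy (ZSTD_ symbols defined in the library itself with no libzstd dependency). The sample inputs are constructed; the wrapper over real files assumes binutils (readelf, nm) is installed.

```shell
#!/bin/sh
# Added example, not from the bug report. Classifies a shared library's zstd
# usage from two inputs: its DT_NEEDED sonames and its defined dynamic symbols.

# classify_zstd NEEDED_LIST SYMBOL_LIST
#   NEEDED_LIST: newline-separated DT_NEEDED sonames (as printed by readelf -d)
#   SYMBOL_LIST: newline-separated defined symbol names (as printed by nm -D)
# Prints: system | bundled | none
classify_zstd() {
  needed="$1"
  syms="$2"
  if printf '%s\n' "$needed" | grep -q '^libzstd\.so'; then
    echo system          # dynamically linked to the distro zstd package
  elif printf '%s\n' "$syms" | grep -q '^ZSTD_'; then
    echo bundled         # zstd API compiled in, no libzstd dependency
  else
    echo none            # no visible zstd use (see caveat below)
  fi
}

# classify_zstd_file PATH_TO_LIB
# Wrapper over real binaries; assumes readelf and nm from binutils.
classify_zstd_file() {
  lib="$1"
  # readelf prints "(NEEDED)  Shared library: [libzstd.so.1]"; strip the brackets.
  needed=$(readelf -d "$lib" 2>/dev/null | awk '/NEEDED/ { gsub(/[][]/, "", $NF); print $NF }')
  # nm -D --defined-only prints "addr T name"; keep the name only.
  syms=$(nm -D --defined-only "$lib" 2>/dev/null | awk '{ print $NF }')
  classify_zstd "$needed" "$syms"
}

# Constructed sample inputs (not taken from any real build).
# A library built with -DWITH_ZSTD=system: libzstd appears in DT_NEEDED.
SAMPLE_NEEDED_SYSTEM='libprotobuf.so.32
liblz4.so.1
libzstd.so.1
libssl.so.3
libc.so.6'
SAMPLE_SYMS_SYSTEM='mysqlx_get_session
mysqlx_session_close'
# A library with a bundled copy: no libzstd dependency, but ZSTD_ symbols exported.
SAMPLE_NEEDED_BUNDLED='libssl.so.3
libc.so.6'
SAMPLE_SYMS_BUNDLED='mysqlx_get_session
ZSTD_compress
ZSTD_decompress'
```

A bundled copy built with hidden symbol visibility exports no ZSTD_ names, so a result of "none" is not conclusive on its own; in that case inspect the build options (as the spec file excerpt above does) or search the binary for zstd version strings.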
Comment 4 David Walser 2023-07-27 06:59:45 CEST
Ahh, I see that in Mageia 8 too.  But lib64mysqlcppconn9 doesn't require lib64zstd1?
Comment 5 Dave Hodgins 2023-07-27 07:43:51 CEST
Doesn't need it. lib64zstd1 is required by systemd, so is present in every install.

CC: (none) => davidwhodgins

Comment 6 David GEIGER 2023-07-27 15:47:10 CEST
lib64mysqlcppconn8_2-8.0.32-1.mga8.x86_64.rpm in 8/Core/Updates repo requires it.
Comment 7 Dave Hodgins 2023-07-27 18:17:04 CEST
$ urpmq --requires-recursive basesystem-minimal|grep zstd
lib64zstd1
zstd

As it's already required, that's redundant but does no harm.
Comment 8 David Walser 2023-07-28 00:48:32 CEST
Dave, I don't see the point you're trying to make.  I just thought it weird that this SRPM produces the library with two different major numbers, but only one of them uses system zstd.
Comment 9 Dave Hodgins 2023-07-28 03:57:09 CEST
Ah. Sorry. I was responding to comment 4 after reading it in the bugs ml.
Didn't notice the mention of the bundled copy.
Comment 10 David GEIGER 2023-07-31 09:35:44 CEST
It is only lib64mysqlcppconn8_2 which uses the zstd feature, not lib64mysqlcppconn9!
Comment 11 David Walser 2023-08-01 00:06:42 CEST
Ok, thanks for the clarification.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

