Bug 8247 - mariadb bugfix update
: mariadb bugfix update
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/528001/
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-29 22:50 CET by AL13N
Modified: 2013-02-08 16:12 CET (History)
5 users (show)

See Also:
Source RPM: mariadb
CVE:


Attachments
sql/sql_acl.cc.rej (771 bytes, patch)
2013-01-31 23:04 CET, David Walser
Details | Diff
sql/sql_acl.cc (292.43 KB, text/x-c++src)
2013-01-31 23:06 CET, David Walser
Details

Description AL13N 2012-11-29 22:50:42 CET
mariadb-5.5.25-2.4.mga2 has been submitted
mysql-5.5.23-1.3.mga1 also (backported patch)

i would ask to validate & release, but to hold off posting the (admittedly short and vague) SA to the public maillist.

Security Advisory:
------------------

This fixes (at the time of writing undisclosed) CVE-2012-5579. More information will become available at https://mariadb.atlassian.net/browse/MDEV-3884 .
Comment 1 Dave Hodgins 2012-11-30 01:25:05 CET
Testing complete on Mageia 2 i586 and x86-64.

Just testing that a database and a table can be added using phpmyadmin.

Will test Mageia 1 once the mirror has synced.
Comment 2 Dave Hodgins 2012-11-30 03:43:05 CET
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.4.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
mysql-5.5.23-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This fixes (at the time of writing undisclosed) CVE-2012-5579.
More information will become available at
https://mariadb.atlassian.net/browse/MDEV-3884

https://bugs.mageia.org/show_bug.cgi?id=8247
Comment 3 Thomas Backlund 2012-11-30 23:25:45 CET
Update pushed, advisory postponed, MGASA-2012-0349 reserved.
Comment 4 AL13N 2012-12-04 15:15:01 CET
New Security Advisory (can be announced):

This fixes CVE-2012-5611 (originally CVE-2012-5579).
More information is available at
https://mariadb.atlassian.net/browse/MDEV-3884

MySQL bug 13889741 (CVE-2012-3163) was, apparently, not completely fixed. A similar test case finds a new and more dangerous buffer overflow.

To exploit this one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

https://bugs.mageia.org/show_bug.cgi?id=8247
Comment 5 David Walser 2012-12-04 19:26:05 CET
Debian has issued an advisory for this today (December 4):
http://www.debian.org/security/2012/dsa-2581

Therefore, it's also hit LWN, of course.
Comment 6 claire robinson 2012-12-04 19:59:28 CET
Thomas, could you issue the advisory for this update now please.

See comment 4 on.

Thanks!
Comment 7 AL13N 2012-12-04 20:14:04 CET
guys, i'm sure he'll get to it when he has the time... it's not superimportant...
Comment 8 claire robinson 2012-12-04 22:59:07 CET
It is normal for us to ask sysadmin to push things etc AL13N. The bug is assigned to qa-bugs so sysadmin (Thomas) will be looking for comments from QA.

Nobody is demanding immediate attention, I think you are reading it wrong.
Comment 9 AL13N 2012-12-04 23:29:04 CET
i guess you're right.

allthough it looks to me that it's been said now 3 times in various direct/indirect ways and he was in CC for all of them...

it looked like overkill to me.

but then, i guess this is also communication and it's issues...
Comment 10 Thomas Backlund 2012-12-07 13:05:38 CET
Advisory pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0349
Comment 11 David Walser 2013-01-29 02:25:09 CET
So in the update we issued for Mageia 1 for this (the last update before EOL), the patch to fix this wasn't actually applied!

I have fixed that in SVN, but unfortunately, the patch doesn't fully apply successfully, as the last hunk fails.

I have also added the patch in Mageia 1 SVN for CVE-2012-5612 which we recently fixed in Mageia 2.  That patch applies just fine.

I know Mageia 1 has reached EOL, but since we actually issued a false advisory claiming we fixed this, shouldn't we do something about it?
Comment 12 AL13N 2013-01-29 09:14:22 CET
WDYM it wasn't applied? didn't i apply it back in november?

and, what could we do? we can't issue updates for something that's been EOL and closed...
Comment 13 AL13N 2013-01-29 09:22:39 CET
i notice in revision 323176:

fix CVE-2012-5579 ...


i don't see the problem here...
Comment 14 AL13N 2013-01-29 09:24:22 CET
ah, nvm, i see the problem now...

mysql doesn't have %apply_patches like mariadb does... so it never got fixed... :-(
Comment 15 David Walser 2013-01-31 23:04:45 CET
Created attachment 3464 [details]
sql/sql_acl.cc.rej
Comment 16 David Walser 2013-01-31 23:06:14 CET
Created attachment 3465 [details]
sql/sql_acl.cc
Comment 17 David Walser 2013-02-01 02:38:55 CET
This is fixed now in SVN.  AL13N fixed the patch.

Thomas, should we at least do something to inform people that this wasn't fixed for MySQL in the update at the end of November?
Comment 18 Thomas Backlund 2013-02-08 16:12:51 CET
(In reply to comment #14)
> ah, nvm, i see the problem now...
> 
> mysql doesn't have %apply_patches like mariadb does... so it never got fixed...
> :-(

Assumptions are bad when doing security updates...

(In reply to comment #17)
> This is fixed now in SVN.  AL13N fixed the patch.
> 
> Thomas, should we at least do something to inform people that this wasn't fixed
> for MySQL in the update at the end of November?

I dont think it's needed... we are ~2 months since we dropped mga1 support, so  even if they got that fix, mysql is still vulnerable to other problems now, so they either need to build updates by themselves or switch to a supported mga2

Note You need to log in before you can comment on or make changes to this bug.