Bug 8247 - mariadb bugfix update
Summary: mariadb bugfix update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/528001/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-11-29 22:50 CET by AL13N
Modified: 2013-02-08 16:12 CET

See Also:
Source RPM: mariadb
CVE:
Status comment:


Attachments
sql/sql_acl.cc.rej (771 bytes, patch)
2013-01-31 23:04 CET, David Walser
sql/sql_acl.cc (292.43 KB, text/x-c++src)
2013-01-31 23:06 CET, David Walser

Description AL13N 2012-11-29 22:50:42 CET
mariadb-5.5.25-2.4.mga2 has been submitted
mysql-5.5.23-1.3.mga1 also (backported patch)

i would ask to validate & release, but to hold off posting the (admittedly short and vague) SA to the public maillist.

Security Advisory:
------------------

This fixes (at the time of writing undisclosed) CVE-2012-5579. More information will become available at https://mariadb.atlassian.net/browse/MDEV-3884 .
AL13N 2012-11-30 01:12:25 CET

QA Contact: (none) => qa-bugs

AL13N 2012-11-30 01:16:47 CET

Assignee: bugsquad => qa-bugs
QA Contact: qa-bugs => (none)

Dave Hodgins 2012-11-30 01:17:54 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => mga1too

Dave Hodgins 2012-11-30 01:19:02 CET

Whiteboard: mga1too => MGA1TOO

Comment 1 Dave Hodgins 2012-11-30 01:25:05 CET
Testing complete on Mageia 2 i586 and x86-64.

Just testing that a database and a table can be added using phpmyadmin.

Will test Mageia 1 once the mirror has synced.

Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK

Comment 2 Dave Hodgins 2012-11-30 03:43:05 CET
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.4.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
mysql-5.5.23-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This fixes (at the time of writing undisclosed) CVE-2012-5579.
More information will become available at
https://mariadb.atlassian.net/browse/MDEV-3884

https://bugs.mageia.org/show_bug.cgi?id=8247

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 3 Thomas Backlund 2012-11-30 23:25:45 CET
Update pushed, advisory postponed, MGASA-2012-0349 reserved.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 4 AL13N 2012-12-04 15:15:01 CET
New Security Advisory (can be announced):

This fixes CVE-2012-5611 (originally CVE-2012-5579).
More information is available at
https://mariadb.atlassian.net/browse/MDEV-3884

MySQL bug 13889741 (CVE-2012-3163) was, apparently, not completely fixed. A similar test case finds a new and more dangerous buffer overflow.

To exploit this one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

https://bugs.mageia.org/show_bug.cgi?id=8247
Comment 5 David Walser 2012-12-04 19:26:05 CET
Debian has issued an advisory for this today (December 4):
http://www.debian.org/security/2012/dsa-2581

Therefore, it's also hit LWN, of course.

URL: (none) => http://lwn.net/Vulnerabilities/528001/
CC: (none) => luigiwalser

Comment 6 claire robinson 2012-12-04 19:59:28 CET
Thomas, could you issue the advisory for this update now please.

See comment 4 on.

Thanks!
Comment 7 AL13N 2012-12-04 20:14:04 CET
guys, i'm sure he'll get to it when he has the time... it's not superimportant...
Comment 8 claire robinson 2012-12-04 22:59:07 CET
It is normal for us to ask sysadmin to push things etc AL13N. The bug is assigned to qa-bugs so sysadmin (Thomas) will be looking for comments from QA.

Nobody is demanding immediate attention, I think you are reading it wrong.
Comment 9 AL13N 2012-12-04 23:29:04 CET
i guess you're right.

although it looks to me that it's been said now 3 times in various direct/indirect ways and he was in CC for all of them...

it looked like overkill to me.

but then, i guess this is also communication and its issues...
Comment 10 Thomas Backlund 2012-12-07 13:05:38 CET
Advisory pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0349
Comment 11 David Walser 2013-01-29 02:25:09 CET
So in the update we issued for Mageia 1 for this (the last update before EOL), the patch to fix this wasn't actually applied!

I have fixed that in SVN, but unfortunately, the patch doesn't fully apply successfully, as the last hunk fails.

I have also added the patch in Mageia 1 SVN for CVE-2012-5612 which we recently fixed in Mageia 2.  That patch applies just fine.

I know Mageia 1 has reached EOL, but since we actually issued a false advisory claiming we fixed this, shouldn't we do something about it?

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 12 AL13N 2013-01-29 09:14:22 CET
WDYM it wasn't applied? didn't i apply it back in november?

and, what could we do? we can't issue updates for something that's been EOL and closed...
Comment 13 AL13N 2013-01-29 09:22:39 CET
i notice in revision 323176:

fix CVE-2012-5579 ...


i don't see the problem here...
Comment 14 AL13N 2013-01-29 09:24:22 CET
ah, nvm, i see the problem now...

mysql doesn't have %apply_patches like mariadb does... so it never got fixed... :-(
Comment 15 David Walser 2013-01-31 23:04:45 CET
Created attachment 3464
sql/sql_acl.cc.rej
Comment 16 David Walser 2013-01-31 23:06:14 CET
Created attachment 3465
sql/sql_acl.cc
Comment 17 David Walser 2013-02-01 02:38:55 CET
This is fixed now in SVN.  AL13N fixed the patch.

Thomas, should we at least do something to inform people that this wasn't fixed for MySQL in the update at the end of November?
AL13N 2013-02-07 23:17:57 CET

CC: (none) => alien

Comment 18 Thomas Backlund 2013-02-08 16:12:51 CET
(In reply to comment #14)
> ah, nvm, i see the problem now...
> 
> mysql doesn't have %apply_patches like mariadb does... so it never got fixed...
> :-(

Assumptions are bad when doing security updates...

(In reply to comment #17)
> This is fixed now in SVN.  AL13N fixed the patch.
> 
> Thomas, should we at least do something to inform people that this wasn't fixed
> for MySQL in the update at the end of November?

I don't think it's needed... we are ~2 months since we dropped mga1 support, so even if they got that fix, mysql is still vulnerable to other problems now, so they either need to build updates by themselves or switch to a supported mga2

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
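
The failure identified in comment 14, a patch listed in the spec file but never applied in %prep because the spec has no %apply_patches, can be caught mechanically before an update is pushed. The check below is an added example, not part of the original thread or of Mageia's tooling; the spec fragments and file names are constructed, and %if conditionals are not evaluated.

```python
import re

# Macros that apply every declared PatchN at once. %apply_patches is the
# Mageia macro named in comment 14; %autosetup/%autopatch are rpm's own.
APPLY_ALL = re.compile(r"^\s*%\{?(apply_patches|autopatch|autosetup)\b(.*)$")
DECLARED = re.compile(r"^Patch(\d*)\s*:", re.IGNORECASE)
# Matches %patch12, %patch -P 12, and bare %patch (which means patch 0).
APPLIED = re.compile(r"^\s*%patch(\d*)\b(.*)$")

def unapplied_patches(spec_text):
    """Return sorted patch numbers that are declared but never applied."""
    declared, applied = set(), set()
    for line in spec_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do nothing at build time
        if m := DECLARED.match(line):
            declared.add(int(m.group(1) or 0))
        elif m := APPLY_ALL.match(line):
            # "%autosetup -N" unpacks the source but skips the patches.
            if not (m.group(1) == "autosetup" and re.search(r"\s-N\b", m.group(2))):
                return []
        elif m := APPLIED.match(line):
            by_flag = re.findall(r"-P\s*(\d+)", m.group(2))
            applied.update(int(n) for n in by_flag)
            if not by_flag:
                applied.add(int(m.group(1) or 0))
    return sorted(declared - applied)

# Constructed spec fragments (file names are placeholders, not Mageia's).
PER_PATCH_SPEC = """\
Name: exampledb
Source0: exampledb-1.0.tar.gz
Patch0: exampledb-build-fix.patch
Patch1: exampledb-security-fix.patch
%prep
%setup -q
%patch0 -p1
"""
APPLY_ALL_SPEC = PER_PATCH_SPEC.replace("%patch0 -p1", "%apply_patches")

if __name__ == "__main__":
    for name, spec in (("per-patch", PER_PATCH_SPEC), ("apply-all", APPLY_ALL_SPEC)):
        print(name, "declared but not applied:", unapplied_patches(spec))
```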

