From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id ODxbDQltXGCN8wAAgWs5BA (envelope-from ) for ; Thu, 25 Mar 2021 11:59:21 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id kFH3CAltXGDSVAAAB5/wlQ (envelope-from ) for ; Thu, 25 Mar 2021 10:59:21 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5240D1A867 for ; Thu, 25 Mar 2021 11:59:20 +0100 (CET) Received: from localhost ([::1]:46490 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lPNht-0001DN-Te for larch@yhetil.org; Thu, 25 Mar 2021 06:59:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:54788) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPNhf-0001Ch-Os for bug-guix@gnu.org; Thu, 25 Mar 2021 06:59:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:53969) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lPNhf-0004xt-Hb for bug-guix@gnu.org; Thu, 25 Mar 2021 06:59:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lPNhf-0001I5-Hl for bug-guix@gnu.org; Thu, 25 Mar 2021 06:59:03 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47257: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928. References: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net> In-Reply-To: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net> Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 25 Mar 2021 10:59:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47257 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 47257@debbugs.gnu.org Cc: =?UTF-8?Q?L=C3=A9o?= Le Bouter Received: via spool by 47257-submit@debbugs.gnu.org id=B47257.16166699144877 (code B ref 47257); Thu, 25 Mar 2021 10:59:03 +0000 Received: (at 47257) by debbugs.gnu.org; 25 Mar 2021 10:58:34 +0000 Received: from localhost ([127.0.0.1]:37275 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPNh7-0001GU-BP for submit@debbugs.gnu.org; Thu, 25 Mar 2021 06:58:34 -0400 Received: from mail.zaclys.net ([178.33.93.72]:35669) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPNh3-0001Fz-Th for 47257@debbugs.gnu.org; Thu, 25 Mar 2021 06:58:27 -0400 Received: from localhost.localdomain (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12PAwIX7034420 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 25 Mar 2021 11:58:18 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12PAwIX7034420 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616669898; bh=yxUcncO+fmYI14fVdQjW+TqCSJPjqakzQOgQX+06dsk=; h=From:To:Cc:Subject:Date:From; b=hZF8z5h/3BgkyKQoyM7kjNUIOgrWAVOuG0U0aTgTU0v/uZozY7iBu+XH9P6FDSJ17 KdIOs2GFzg3m5BAHVqEZYhZkiSvnxNS7V82kVmOVboTiK6nB1ZldqC6xnILY2LX6yi /kJ8TXyMp6dKwxD/1oJyrxxRcXyWp6tAJx6CHNcE= Date: Thu, 25 Mar 2021 11:58:15 +0100 Message-Id: <20210325105815.5411-1-lle-bout@zaclys.net> X-Mailer: git-send-email 2.31.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: =?UTF-8?Q?L=C3=A9o?= Le Bouter From: =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616669960; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=yxUcncO+fmYI14fVdQjW+TqCSJPjqakzQOgQX+06dsk=; b=lVPsfdVSCTYMCfTajitocjOv6zRF4xAyfcegUrQUBk62y5NSWpktU6pN4Nod1kNwcma76t VrPxF4wl/TT94yWQLlAHr8JRfrqoqmA50oAeX7OgriI/5/JOrF5Yqxmbf+LbzTHTf5INd2 8Ez4/Oiuk/xocuQZ/j1hj8ftX4TGuXsQ2dXI8XVDXNQgpA0tNewkSdE2zKB7usqlH7DbYv jbJgbmnA6a+s46iyhpLbUHOx1tGXYREBKi7qvPZ0UWoR0G/BRff7MwIyEp1RK3xvPmrunT wUCqSPHo70ZN3APShosVLCz64pjzdKDxxiSDKCfpRcFd3gURaNsYrIiM67WOGg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616669960; a=rsa-sha256; cv=none; b=H28JdS1br18XbgrBGGiyFncYmf1PzS7a17vtXdtTA9SmXVZJEKEc6m1s3YQA35V44fCzy4 vD5B/Co9qN93VNNJs2b3O23HQO6gSPk85G9anzMP/OgBWxVnyT6LRd0WEDDQP882RyTkj+ 6/7Wh1yEEy8f/eZeK7KjLFKYazuqlZVxapPf13z5KtcS9Uk7wQEJYx6Rhw7lO3/5bThR8P bSk6utMRgvCtCQqu7zG3RBwSR8ZmH9HRprV8GPQ3+Wexa3SOa809npuJlMayWbuT9ntPmH WeVh18IMfpMEudpyQcdAWXXVUiamBEAsnBgNdxhffM4V1isT6tbo2khypPidgA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b="hZF8z5h/"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: 0.54 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b="hZF8z5h/"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 5240D1A867 X-Spam-Score: 0.54 X-Migadu-Scanner: scn0.migadu.com X-TUID: 36WoB3G3p4hL * gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch. (mariadb)[replacement]: Graft. --- gnu/local.mk | 1 + gnu/packages/databases.scm | 34 + .../patches/mariadb-CVE-2021-27928.patch | 629 ++++++++++++++++++ 3 files changed, 664 insertions(+) create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch diff --git a/gnu/local.mk b/gnu/local.mk index 14d228cfa4..40956598db 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1380,6 +1380,7 @@ dist_patch_DATA = \ %D%/packages/patches/lvm2-static-link.patch \ %D%/packages/patches/mailutils-fix-uninitialized-variable.patch \ %D%/packages/patches/make-impure-dirs.patch \ + %D%/packages/patches/mariadb-CVE-2021-27928.patch \ %D%/packages/patches/mars-install.patch \ %D%/packages/patches/mars-sfml-2.3.patch \ %D%/packages/patches/maxima-defsystem-mkdir.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 83b6a13892..75edf3fd08 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -734,6 +734,7 @@ Language.") (append (find-files "extra/wolfssl") (find-files "zlib"))) #t)))) + (replacement mariadb/fixed) (build-system cmake-build-system) (outputs '("out" "lib" "dev")) (arguments @@ -969,6 +970,39 @@ Language.") as a drop-in replacement of MySQL.") (license license:gpl2))) +(define-public mariadb/fixed + (package + (inherit mariadb) + (source (origin + (method url-fetch) + (uri (string-append "https://downloads.mariadb.com/MariaDB" + "/mariadb-" version "/source/mariadb-" + version ".tar.gz")) + (sha256 + (base32 + "1s3vfm73911cddjhgpcbkya6nz7ag2zygg56qqzwscn5ybv28j7b")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Delete bundled snappy and xz. + (delete-file-recursively "storage/tokudb/PerconaFT/third_party") + (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt" + ;; This file checks that the bundled sources are present and + ;; declares build procedures for them. + (("^include\\(TokuThirdParty\\)") "")) + (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt" + ;; Don't attempt to use the procedures we just removed. + ((" build_lzma build_snappy") "")) + + ;; Preserve CMakeLists.txt for these. + (for-each (lambda (file) + (unless (string-suffix? "CMakeLists.txt" file) + (delete-file file))) + (append (find-files "extra/wolfssl") + (find-files "zlib"))) + #t)) + (patches (search-patches "mariadb-CVE-2021-27928.patch")))))) + (define-public mariadb-connector-c (package (name "mariadb-connector-c") diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch new file mode 100644 index 0000000000..eea18431cf --- /dev/null +++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch @@ -0,0 +1,629 @@ +From ce3a2a688db556d8d077a409fd9bf5cc013d13dd Mon Sep 17 00:00:00 2001 +From: Sergei Golubchik +Date: Thu, 18 Feb 2021 14:20:48 +0100 +Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only + +this should simplify run-time cluster management +--- + mysql-test/suite/galera/disabled.def | 2 + + .../galera/include/galera_load_provider.inc | 1 - + .../galera/include/galera_unload_provider.inc | 3 +- + .../suite/galera/r/galera_ist_rsync.result | 2 +- + .../galera/r/galera_sst_mysqldump.result | 2 +- + .../suite/galera/r/mysql-wsrep#33.result | 2 +- + .../suite/sys_vars/r/sysvars_wsrep.result | 4 +- + .../sys_vars/r/wsrep_notify_cmd_basic.result | 47 ----------------- + .../sys_vars/r/wsrep_provider_basic.result | 40 --------------- + .../r/wsrep_provider_options_basic.result | 49 ------------------ + .../sys_vars/t/wsrep_notify_cmd_basic.test | 43 ---------------- + .../sys_vars/t/wsrep_provider_basic.test | 39 -------------- + .../t/wsrep_provider_options_basic.test | 51 ------------------- + mysql-test/suite/wsrep/disabled.def | 2 + + mysql-test/suite/wsrep/r/variables.result | 12 ++--- + mysql-test/suite/wsrep/t/variables.test | 34 +++---------- + sql/sys_vars.cc | 4 +- + 17 files changed, 24 insertions(+), 313 deletions(-) + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test + +diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def +index 7fe03a9422013..a063e17d46533 100644 +--- a/mysql-test/suite/galera/disabled.def ++++ b/mysql-test/suite/galera/disabled.def +@@ -30,3 +30,5 @@ partition : MDEV-19958 Galera test failure on galera.partition + query_cache: MDEV-15805 Test failure on galera.query_cache + sql_log_bin : MDEV-21491 galera.sql_log_bin + versioning_trx_id: MDEV-18590: galera.versioning_trx_id: Test failure: mysqltest: Result content mismatch ++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons ++pxc-421: wsrep_provider is read-only for security reasons +diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc +index aeab7e6ea199f..e6ce6411193c2 100644 +--- a/mysql-test/suite/galera/include/galera_load_provider.inc ++++ b/mysql-test/suite/galera/include/galera_load_provider.inc +@@ -1,7 +1,6 @@ + --echo Loading wsrep provider ... + + --disable_query_log +---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig'; + --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig'; + --enable_query_log + +diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc +index edc7eb31e0e21..83438a947f03e 100644 +--- a/mysql-test/suite/galera/include/galera_unload_provider.inc ++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc +@@ -1,7 +1,6 @@ + --echo Unloading wsrep provider ... + + --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address` +---let $wsrep_provider_orig = `SELECT @@wsrep_provider` + --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options` + +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; +diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result +index 8a7c02ab1b6d9..80a28d349baed 100644 +--- a/mysql-test/suite/galera/r/galera_ist_rsync.result ++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result +@@ -21,7 +21,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result +index 5c530c32ce695..6bdc933a9fca7 100644 +--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result ++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result +@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result +index 6a5251204b9bb..4cc49c0cf0790 100644 +--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result ++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result +@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result +index e54afd2d64a24..67e1540531311 100644 +--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result ++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result +@@ -349,7 +349,7 @@ NUMERIC_MIN_VALUE NULL + NUMERIC_MAX_VALUE NULL + NUMERIC_BLOCK_SIZE NULL + ENUM_VALUE_LIST NULL +-READ_ONLY NO ++READ_ONLY YES + COMMAND_LINE_ARGUMENT REQUIRED + VARIABLE_NAME WSREP_ON + SESSION_VALUE OFF +@@ -405,7 +405,7 @@ NUMERIC_MIN_VALUE NULL + NUMERIC_MAX_VALUE NULL + NUMERIC_BLOCK_SIZE NULL + ENUM_VALUE_LIST NULL +-READ_ONLY NO ++READ_ONLY YES + COMMAND_LINE_ARGUMENT REQUIRED + VARIABLE_NAME WSREP_PROVIDER_OPTIONS + SESSION_VALUE NULL +diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result +deleted file mode 100644 +index 056ff8c817b0f..0000000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result ++++ /dev/null +@@ -1,47 +0,0 @@ +-# +-# wsrep_notify_cmd +-# +-call mtr.add_suppression("WSREP: Failed to get provider options"); +-# save the initial value +-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd; +-# default +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +- +- +-# scope +-SELECT @@session.wsrep_notify_cmd; +-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable +-SET @@global.wsrep_notify_cmd='notify_cmd'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-notify_cmd +- +-# valid values +-SET @@global.wsrep_notify_cmd='command'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-command +-SET @@global.wsrep_notify_cmd='hyphenated-command'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-hyphenated-command +-SET @@global.wsrep_notify_cmd=default; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +- +-SET @@global.wsrep_notify_cmd=NULL; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-NULL +- +-# invalid values +-SET @@global.wsrep_notify_cmd=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd' +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-NULL +- +-# restore the initial value +-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved; +-# End of test +diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result +deleted file mode 100644 +index 3e4ac8ca88362..0000000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result ++++ /dev/null +@@ -1,40 +0,0 @@ +-# +-# wsrep_provider +-# +-# save the initial value +-SET @wsrep_provider_global_saved = @@global.wsrep_provider; +-# default +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# scope +-SELECT @@session.wsrep_provider; +-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# valid values +-SET @@global.wsrep_provider=default; +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# invalid values +-SET @@global.wsrep_provider='/invalid/libgalera_smm.so'; +-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so' +-SET @@global.wsrep_provider=NULL; +-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL' +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +-SET @@global.wsrep_provider=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_provider' +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# restore the initial value +-SET @@global.wsrep_provider = @wsrep_provider_global_saved; +-# End of test +diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result +deleted file mode 100644 +index b2e07c55b38cf..0000000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result ++++ /dev/null +@@ -1,49 +0,0 @@ +-# +-# wsrep_provider_options +-# +-call mtr.add_suppression("WSREP: Failed to get provider options"); +-SET @@global.wsrep_provider = @@global.wsrep_provider; +-# save the initial value +-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options; +-# default +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +- +-# scope +-SELECT @@session.wsrep_provider_options; +-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable +-SET @@global.wsrep_provider_options='option1'; +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +-option1 +- +-# valid values +-SET @@global.wsrep_provider_options='name1=value1;name2=value2'; +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +-name1=value1;name2=value2 +-SET @@global.wsrep_provider_options='hyphenated-name:value'; +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +-hyphenated-name:value +-SET @@global.wsrep_provider_options=default; +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +- +-# invalid values +-SET @@global.wsrep_provider_options=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options' +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +-SET @@global.wsrep_provider_options=NULL; +-Got one of the listed errors +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +-NULL +- +-# restore the initial value +-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved; +-# End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test +deleted file mode 100644 +index 6d1535ba1482d..0000000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test ++++ /dev/null +@@ -1,43 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_notify_cmd +---echo # +- +-call mtr.add_suppression("WSREP: Failed to get provider options"); +- +---echo # save the initial value +-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd; +- +---echo # default +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd='notify_cmd'; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # valid values +-SET @@global.wsrep_notify_cmd='command'; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd='hyphenated-command'; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd=default; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd=NULL; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # invalid values +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_notify_cmd=1; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # restore the initial value +-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved; +- +---echo # End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test +deleted file mode 100644 +index 1190ab41bb053..0000000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test ++++ /dev/null +@@ -1,39 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_provider +---echo # +- +---echo # save the initial value +-SET @wsrep_provider_global_saved = @@global.wsrep_provider; +- +---echo # default +-SELECT @@global.wsrep_provider; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_provider; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # valid values +-SET @@global.wsrep_provider=default; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # invalid values +---error ER_WRONG_VALUE_FOR_VAR +-SET @@global.wsrep_provider='/invalid/libgalera_smm.so'; +---error ER_WRONG_VALUE_FOR_VAR +-SET @@global.wsrep_provider=NULL; +-SELECT @@global.wsrep_provider; +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_provider=1; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # restore the initial value +-SET @@global.wsrep_provider = @wsrep_provider_global_saved; +- +---echo # End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test +deleted file mode 100644 +index d2ea32a063786..0000000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test ++++ /dev/null +@@ -1,51 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_provider_options +---echo # +- +-call mtr.add_suppression("WSREP: Failed to get provider options"); +- +-SET @@global.wsrep_provider = @@global.wsrep_provider; +- +---echo # save the initial value +-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options; +- +---echo # default +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_provider_options; +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='option1'; +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # valid values +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='name1=value1;name2=value2'; +-SELECT @@global.wsrep_provider_options; +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='hyphenated-name:value'; +-SELECT @@global.wsrep_provider_options; +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options=default; +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # invalid values +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_provider_options=1; +-SELECT @@global.wsrep_provider_options; +---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options=NULL; +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # restore the initial value +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved; +- +---echo # End of test +diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def +index 11577bfe8b007..3d204db694580 100644 +--- a/mysql-test/suite/wsrep/disabled.def ++++ b/mysql-test/suite/wsrep/disabled.def +@@ -10,3 +10,5 @@ + # + ############################################################################## + ++ ++mdev_6832: wsrep_provider is read-only for security reasons +diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result +index 9ef1b3290afd6..8bb0b426380a1 100644 +--- a/mysql-test/suite/wsrep/r/variables.result ++++ b/mysql-test/suite/wsrep/r/variables.result +@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON; + ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL + SET GLOBAL wsrep_replicate_myisam= ON; + SET GLOBAL wsrep_replicate_myisam= OFF; +-SET GLOBAL wsrep_provider=none; + # + # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of + # variables when using "_" +@@ -26,7 +25,6 @@ wsrep_local_state_comment # + # Should show nothing. + SHOW STATUS LIKE 'x'; + Variable_name Value +-SET GLOBAL wsrep_provider=none; + + SHOW STATUS LIKE 'wsrep_local_state_uuid'; + Variable_name Value +@@ -35,7 +33,6 @@ wsrep_local_state_uuid # + SHOW STATUS LIKE 'wsrep_last_committed'; + Variable_name Value + wsrep_last_committed # +-SET GLOBAL wsrep_provider=none; + + # + # MDEV#6206: wsrep_slave_threads subtracts from max_connections +@@ -49,7 +46,7 @@ SELECT @@global.wsrep_slave_threads; + 1 + SELECT @@global.wsrep_cluster_address; + @@global.wsrep_cluster_address +- ++gcomm:// + SELECT @@global.wsrep_on; + @@global.wsrep_on + 1 +@@ -58,14 +55,14 @@ Variable_name Value + Threads_connected 1 + SHOW STATUS LIKE 'wsrep_thread_count'; + Variable_name Value +-wsrep_thread_count 0 ++wsrep_thread_count 2 + + SELECT @@global.wsrep_provider; + @@global.wsrep_provider + libgalera_smm.so + SELECT @@global.wsrep_cluster_address; + @@global.wsrep_cluster_address +- ++gcomm:// + SELECT @@global.wsrep_on; + @@global.wsrep_on + 1 +@@ -74,11 +71,10 @@ Variable_name Value + Threads_connected 1 + SHOW STATUS LIKE 'wsrep_thread_count'; + Variable_name Value +-wsrep_thread_count 0 ++wsrep_thread_count 2 + + # Setting wsrep_cluster_address triggers the creation of + # applier/rollbacker threads. +-SET GLOBAL wsrep_cluster_address= 'gcomm://'; + # Wait for applier thread to get created 1. + # Wait for applier thread to get created 2. + SELECT VARIABLE_VALUE AS EXPECT_1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count'; +diff --git a/mysql-test/suite/wsrep/t/variables.test b/mysql-test/suite/wsrep/t/variables.test +index 5ab0eb68505a7..1a3bd62b16489 100644 +--- a/mysql-test/suite/wsrep/t/variables.test ++++ b/mysql-test/suite/wsrep/t/variables.test +@@ -22,7 +22,7 @@ SET GLOBAL wsrep_replicate_myisam= ON; + + # Reset it back. + SET GLOBAL wsrep_replicate_myisam= OFF; +-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + + --echo # + --echo # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of +@@ -31,13 +31,9 @@ SET GLOBAL wsrep_provider=none; + + CALL mtr.add_suppression("WSREP: Could not open saved state file for reading.*"); + +---disable_result_log +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + --let $galera_version=25.3.24 + source include/check_galera_version.inc; +---enable_result_log +---enable_query_log + + --replace_column 2 # + SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment'; +@@ -46,11 +42,9 @@ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment'; + SHOW STATUS LIKE 'x'; + + # Reset it back. +-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + # The following 2 variables are used by mariabackup + # SST. +@@ -62,7 +56,7 @@ SHOW STATUS LIKE 'wsrep_local_state_uuid'; + SHOW STATUS LIKE 'wsrep_last_committed'; + + # Reset it back. +-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + + --echo + --echo # +@@ -70,9 +64,7 @@ SET GLOBAL wsrep_provider=none; + --echo # + call mtr.add_suppression("WSREP: Failed to get provider options"); + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + --replace_regex /.*libgalera_smm.*/libgalera_smm.so/ + SELECT @@global.wsrep_provider; +@@ -83,9 +75,7 @@ SHOW STATUS LIKE 'threads_connected'; + SHOW STATUS LIKE 'wsrep_thread_count'; + --echo + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + --replace_regex /.*libgalera_smm.*/libgalera_smm.so/ + SELECT @@global.wsrep_provider; +@@ -97,7 +87,7 @@ SHOW STATUS LIKE 'wsrep_thread_count'; + + --echo # Setting wsrep_cluster_address triggers the creation of + --echo # applier/rollbacker threads. +-SET GLOBAL wsrep_cluster_address= 'gcomm://'; ++#SET GLOBAL wsrep_cluster_address= 'gcomm://'; + + --echo # Wait for applier thread to get created 1. + --let $wait_timeout=600 +@@ -159,14 +149,6 @@ SET @@global.wsrep_sst_auth= NULL; + SELECT @@global.wsrep_sst_auth; + SET @@global.wsrep_sst_auth= @wsrep_sst_auth_saved; + +-# Reset (for mtr internal checks) +---disable_query_log +-SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved; +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +-SET GLOBAL wsrep_cluster_address= @wsrep_cluster_address_saved; +-SET GLOBAL wsrep_provider_options= @wsrep_provider_options_saved; +---enable_query_log +- + --source include/galera_wait_ready.inc + + --echo # End of test. +diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc +index baf27a7d0af92..e4de3d8d0aa1a 100644 +--- a/sql/sys_vars.cc ++++ b/sql/sys_vars.cc +@@ -4958,7 +4958,7 @@ static Sys_var_tz Sys_time_zone( + + static Sys_var_charptr Sys_wsrep_provider( + "wsrep_provider", "Path to replication provider library", +- PREALLOCATED GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG), ++ PREALLOCATED READ_ONLY GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG), + IN_FS_CHARSET, DEFAULT(WSREP_NONE), + NO_MUTEX_GUARD, NOT_IN_BINLOG, + ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update)); +@@ -5171,7 +5171,7 @@ static Sys_var_ulong Sys_wsrep_max_ws_rows ( + + static Sys_var_charptr Sys_wsrep_notify_cmd( + "wsrep_notify_cmd", "", +- GLOBAL_VAR(wsrep_notify_cmd),CMD_LINE(REQUIRED_ARG), ++ READ_ONLY GLOBAL_VAR(wsrep_notify_cmd), CMD_LINE(REQUIRED_ARG), + IN_SYSTEM_CHARSET, DEFAULT("")); + + static Sys_var_mybool Sys_wsrep_certify_nonPK( -- 2.31.0