From: zimoun <zimon.toutoune@gmail.com>
To: "Léo Le Bouter" <lle-bout@zaclys.net>
Cc: 47257@debbugs.gnu.org
Subject: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Mon, 29 Mar 2021 23:34:15 +0200 [thread overview]
Message-ID: <CAJ3okZ1jNE7_uSifHdoKHM5XgPwFe4OjnyhmbhJiwiLPq8C=zQ@mail.gmail.com> (raw)
In-Reply-To: <b9a61cca0f95239cb0b38fc4ef0988bd11b7777e.camel@zaclys.net>
On Thu, 25 Mar 2021 at 12:28, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> > Instead of grafting, I would fix first check the compatibility
> > between
> > mariadb and zstd. Because mariadb@10.5.8 does not build with
> > zstd@1.4.9, at least on my machine.
>
> Can you post build logs and repro scenario? mariadb@10.5.8 built fine
> for me on core-updates which has zstd@1.4.9.
On core-updates, I get this:
--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && ./pre-inst-env guix build mariadb
b20b45c6ce (HEAD -> core-updates, origin/core-updates) gnu: gd: Patch
away recent pkg-config files change that breaks php build.
[...]
Only 2061 of 5666 completed.
--------------------------------------------------------------------------
The servers were restarted 258 times
Spent 10782.523 of 607 seconds executing testcases
Failure: Failed 1/427 tests, 99.77% were successful.
Failing test(s): innodb.check_ibd_filesize
The log files in var/log may give you some hint of what went wrong.
If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html
798 tests were skipped, 39 by the test itself.
mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 683.
mtr_report::mtr_error("there were failing test cases") called at
lib/mtr_report.pm line 552
mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x1ae0180),
ARRAY(0xd3cb68)) called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 586
main::main() called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 387
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "./mtr" arguments: ("--verbose"
"--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel"
"64" "--skip-rpl" "--skip-test-list=unstable-tests") exit-status: 1
term-signal: #f stop-signal: #f>
phase `check' failed after 606.9 seconds
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40"
"--suite-timeout=600" "--parallel" "64" "--skip-rpl"
"--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed with exit code 1
build of /gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv failed
View build log at
'/var/log/guix/drvs/33/9560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv.bz2'.
guix build: error: build of
`/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---
Maybe, I am not doing something wrong. Then on master, it "works"
except after the ungraft. Well, it seems coherent with what I get
from core-updates. So if I am doing wrong, I do not know where.
--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
a801c7379a (HEAD) gnu: Remove QT 4.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 6%] LOAD gnu/packages/compression.scm
[ 12%] LOAD gnu/packages/databases.scm
[ 19%] LOAD gnu/packages/engineering.scm
[ 25%] LOAD gnu/packages/messaging.scm
[ 31%] LOAD gnu/packages/password-utils.scm
[ 38%] LOAD gnu/packages/pdf.scm
[ 44%] LOAD gnu/packages/qt.scm
[ 50%] LOAD gnu/packages/sqlite.scm
[ 56%] GUILEC gnu/packages/compression.go
[ 62%] GUILEC gnu/packages/databases.go
[ 69%] GUILEC gnu/packages/engineering.go
[ 75%] GUILEC gnu/packages/messaging.go
[ 81%] GUILEC gnu/packages/password-utils.go
[ 88%] GUILEC gnu/packages/pdf.go
[ 94%] GUILEC gnu/packages/qt.go
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/231bip1j7j3prx4q6mr44f3hdn8sl9nh-mariadb-10.5.8-dev
/gnu/store/43sbv46pn6a31722savgbqcrryyn513h-mariadb-10.5.8-lib
/gnu/store/68az8ch2l6x0ldjnjhqsmpn19ns9srjp-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
52c8d07a4f (HEAD) gnu: mariadb: Fix CVE-2021-27928.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/databases.scm
[100%] GUILEC gnu/packages/databases.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
6e7ba45357 (HEAD) gnu: sqlite: Update to 3.32.3 [security fixes].
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/sqlite.scm
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
692f1e5217 (HEAD) DRAFT: gnu: zstd: Fix test suite.
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/q33xvan4j71f4kil0lg4h2yk549al1rv-zstd-1.4.9-lib
/gnu/store/rixmvq9497dwqxr7apa4n70gmhb50lc7-zstd-1.4.9
/gnu/store/2ym2nn0rmzgigagj7zrx4s6gidk94pqg-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
93fee48ada (HEAD -> fix-zstd) DRAFT: gnu: zstd: Update to 1.4.9 (ungraft).
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/mmsp9ym0d3zcc0g1rr2gwmxb5pcq1wkm-zstd-1.4.9-lib
/gnu/store/6bi9kvsj0si590ra99yzb8dchikzlxb1-zstd-1.4.9
/gnu/store/1cnbqm29rc0gp30h18x7hs785c55fl0m-zstd-1.4.9-static
guix build: error: build of
`/gnu/store/5927s1x3hpfv4v9rsc9y06kycx93zqvh-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---
I could be wrong... and I have not investigated more. As I said
elsewhere, grafting zstd from 1.4.4 to 1.4.9 seems totally *wrong*.
There is ~1.5 years and 4 releases between these 2 releases.
BTW, note that:
$ guix graph --path mariadb zstd
guix graph: error: no path from 'mariadb@10.5.8' to 'zstd@1.4.9'
Grafting MariaDB makes sense here. The culprit is zstd, IMHO.
> > Other said, I seem better to do this fix as a whole on core-updates
> > without any graft. Instead of grafting here and there; and not
> > necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> > 10.5.8
> > to 10.5.8).
>
> We can't patch security issues through core-updates, especially this
> RCE.
I will not comment because I am bored by all that.
Last, you have been prompted to commit a major update and disable the
test-suite for zstd, and I am still waiting that you are prompt again
to fix it; especially when a proposal fix is done here:
<https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00295.html>
Best regards,
simon
next prev parent reply other threads:[~2021-03-29 21:35 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-19 10:25 bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE) Léo Le Bouter via Bug reports for GNU Guix
2021-03-19 11:15 ` Julien Lepiller
2021-03-19 11:35 ` zimoun
2021-03-25 11:28 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-29 21:34 ` zimoun [this message]
2021-03-30 0:26 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-30 8:29 ` zimoun
2021-03-19 11:35 ` bug#47257: [PATCH 0/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928] Léo Le Bouter via Bug reports for GNU Guix
2021-03-19 11:35 ` bug#47257: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
2021-03-20 0:28 ` Mark H Weaver
2021-03-20 0:42 ` Mark H Weaver
2021-03-25 10:58 ` bug#47257: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928 Léo Le Bouter via Bug reports for GNU Guix
2021-03-25 11:06 ` Julien Lepiller
2021-03-25 12:39 ` bug#47257: [PATCH v3] " Léo Le Bouter via Bug reports for GNU Guix
2021-03-25 12:48 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 1:16 ` Mark H Weaver
2021-03-26 1:23 ` Léo Le Bouter via Bug reports for GNU Guix
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ3okZ1jNE7_uSifHdoKHM5XgPwFe4OjnyhmbhJiwiLPq8C=zQ@mail.gmail.com' \
--to=zimon.toutoune@gmail.com \
--cc=47257@debbugs.gnu.org \
--cc=lle-bout@zaclys.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).