From: Léo Le Bouter via Bug reports for GNU Guix
To: 47257@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 13:39:21 +0100
Message-Id: <20210325123921.9800-1-lle-bout@zaclys.net>
In-Reply-To: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

* gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch.
(mariadb)[replacement]: Graft.
--- gnu/local.mk | 1 + gnu/packages/databases.scm | 8 + .../patches/mariadb-CVE-2021-27928.patch | 642 ++++++++++++++++++ 3 files changed, 651 insertions(+) create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch diff --git a/gnu/local.mk b/gnu/local.mk index 14d228cfa4..40956598db 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1380,6 +1380,7 @@ dist_patch_DATA = \ %D%/packages/patches/lvm2-static-link.patch \ %D%/packages/patches/mailutils-fix-uninitialized-variable.patch \ %D%/packages/patches/make-impure-dirs.patch \ + %D%/packages/patches/mariadb-CVE-2021-27928.patch \ %D%/packages/patches/mars-install.patch \ %D%/packages/patches/mars-sfml-2.3.patch \ %D%/packages/patches/maxima-defsystem-mkdir.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 83b6a13892..20069f9383 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -734,6 +734,7 @@ Language.") (append (find-files "extra/wolfssl") (find-files "zlib"))) #t)))) + (replacement mariadb/fixed) (build-system cmake-build-system) (outputs '("out" "lib" "dev")) (arguments @@ -969,6 +970,13 @@ Language.") as a drop-in replacement of MySQL.") (license license:gpl2))) +(define mariadb/fixed + (package + (inherit mariadb) + (source (origin + (inherit (package-source mariadb)) + (patches (search-patches "mariadb-CVE-2021-27928.patch")))))) + (define-public mariadb-connector-c (package (name "mariadb-connector-c") 
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch new file mode 100644 index 0000000000..39a023c159 --- /dev/null +++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch 
@@ -0,0 +1,642 @@ +From 7580701e6279900fec40822952a3b874732289cf Mon Sep 17 00:00:00 2001 +From: Sergei Golubchik +Date: Thu, 18 Feb 2021 14:20:48 +0100 +Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only + +this should simplify run-time cluster management +--- + mysql-test/suite/galera/disabled.def | 2 + + .../galera/include/galera_load_provider.inc | 19 -------- + .../galera/include/galera_unload_provider.inc | 3 +- + .../suite/galera/r/galera_ist_rsync.result | 2 +- + .../galera/r/galera_sst_mysqldump.result | 2 +- + .../suite/galera/r/mysql-wsrep#33.result | 2 +- + .../suite/sys_vars/r/sysvars_wsrep.result | 4 +- + .../sys_vars/r/wsrep_notify_cmd_basic.result | 47 ------------------- + .../sys_vars/r/wsrep_provider_basic.result | 40 ---------------- + .../r/wsrep_provider_options_basic.result | 46 ------------------ + .../sys_vars/t/wsrep_notify_cmd_basic.test | 43 ----------------- + .../sys_vars/t/wsrep_provider_basic.test | 39 --------------- + .../t/wsrep_provider_options_basic.test | 41 ---------------- + mysql-test/suite/wsrep/disabled.def | 2 + + mysql-test/suite/wsrep/r/variables.result | 12 ++--- + mysql-test/suite/wsrep/t/variables.test | 32 +++---------- + sql/sys_vars.cc | 8 ++-- + 17 files changed, 25 insertions(+), 319 deletions(-) + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result + delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test + delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test + +diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def +index d940c702d54..83f26e81636 100644 +--- a/mysql-test/suite/galera/disabled.def ++++ b/mysql-test/suite/galera/disabled.def +@@ -49,3 
+49,5 @@ partition : MDEV-19958 Galera test failure on galera.partition + query_cache: MDEV-15805 Test failure on galera.query_cache + sql_log_bin : MDEV-21491 galera.sql_log_bin + versioning_trx_id : MDEV-18590 galera.versioning_trx_id ++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons ++pxc-421: wsrep_provider is read-only for security reasons +diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc +index 0f843597d9c..28010cc5b71 100644 +--- a/mysql-test/suite/galera/include/galera_load_provider.inc ++++ b/mysql-test/suite/galera/include/galera_load_provider.inc +@@ -1,25 +1,6 @@ + --echo Loading wsrep provider ... + + --disable_query_log +---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig'; +- +-# +-# count occurences of successful node starts in error log +-# +-perl; +- use strict; +- my $test_log=$ENV{'LOG_FILE'} or die "LOG_FILE not set"; +- my $test_log_copy=$test_log . '.copy'; +- if (-e $test_log_copy) { +- unlink $test_log_copy; +- } +- +-EOF +---copy_file $LOG_FILE $LOG_FILE.copy +- +-# +-# now join to the cluster +-# + --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig'; + + --enable_query_log +diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc +index cd841f51fbc..ed7e9bc41f0 100644 +--- a/mysql-test/suite/galera/include/galera_unload_provider.inc ++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc +@@ -1,7 +1,6 @@ + --echo Unloading wsrep provider ... 
+ + --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address` +---let $wsrep_provider_orig = `SELECT @@wsrep_provider` + --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options` + --let $wsrep_error_log_orig = `SELECT @@log_error` + if(!$wsrep_log_error_orig) +@@ -12,4 +11,4 @@ if(!$wsrep_log_error_orig) + } + --let LOG_FILE= $wsrep_log_error_orig + +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; +diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result +index 13f7d898a59..70a87c73df7 100644 +--- a/mysql-test/suite/galera/r/galera_ist_rsync.result ++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result +@@ -23,7 +23,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result +index 4ed679ba477..145b3a94775 100644 +--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result ++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result +@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... 
+-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result +index fb0b593cc96..45c6a3f660a 100644 +--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result ++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result +@@ -32,7 +32,7 @@ INSERT INTO t1 VALUES ('node2_committed_before'); + INSERT INTO t1 VALUES ('node2_committed_before'); + COMMIT; + Unloading wsrep provider ... +-SET GLOBAL wsrep_provider = 'none'; ++SET GLOBAL wsrep_cluster_address = ''; + connection node_1; + SET AUTOCOMMIT=OFF; + START TRANSACTION; +diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result +index 4b6abf85434..f73bfbd13e7 100644 +--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result ++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result +@@ -403,7 +403,7 @@ NUMERIC_MIN_VALUE NULL + NUMERIC_MAX_VALUE NULL + NUMERIC_BLOCK_SIZE NULL + ENUM_VALUE_LIST NULL +-READ_ONLY NO ++READ_ONLY YES + COMMAND_LINE_ARGUMENT REQUIRED + GLOBAL_VALUE_PATH NULL + VARIABLE_NAME WSREP_ON +@@ -463,7 +463,7 @@ NUMERIC_MIN_VALUE NULL + NUMERIC_MAX_VALUE NULL + NUMERIC_BLOCK_SIZE NULL + ENUM_VALUE_LIST NULL +-READ_ONLY NO ++READ_ONLY YES + COMMAND_LINE_ARGUMENT REQUIRED + GLOBAL_VALUE_PATH NULL + VARIABLE_NAME WSREP_PROVIDER_OPTIONS +diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result +deleted file mode 100644 +index 056ff8c817b..00000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result ++++ /dev/null +@@ -1,47 +0,0 @@ +-# +-# wsrep_notify_cmd +-# +-call mtr.add_suppression("WSREP: Failed to get provider options"); +-# save the initial value +-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd; +-# default +-SELECT @@global.wsrep_notify_cmd; 
+-@@global.wsrep_notify_cmd +- +- +-# scope +-SELECT @@session.wsrep_notify_cmd; +-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable +-SET @@global.wsrep_notify_cmd='notify_cmd'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-notify_cmd +- +-# valid values +-SET @@global.wsrep_notify_cmd='command'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-command +-SET @@global.wsrep_notify_cmd='hyphenated-command'; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-hyphenated-command +-SET @@global.wsrep_notify_cmd=default; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +- +-SET @@global.wsrep_notify_cmd=NULL; +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-NULL +- +-# invalid values +-SET @@global.wsrep_notify_cmd=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd' +-SELECT @@global.wsrep_notify_cmd; +-@@global.wsrep_notify_cmd +-NULL +- +-# restore the initial value +-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved; +-# End of test +diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result +deleted file mode 100644 +index 3e4ac8ca883..00000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result ++++ /dev/null +@@ -1,40 +0,0 @@ +-# +-# wsrep_provider +-# +-# save the initial value +-SET @wsrep_provider_global_saved = @@global.wsrep_provider; +-# default +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# scope +-SELECT @@session.wsrep_provider; +-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# valid values +-SET @@global.wsrep_provider=default; +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# invalid values +-SET @@global.wsrep_provider='/invalid/libgalera_smm.so'; +-ERROR 42000: Variable 'wsrep_provider' can't be set to the 
value of '/invalid/libgalera_smm.so' +-SET @@global.wsrep_provider=NULL; +-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL' +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +-SET @@global.wsrep_provider=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_provider' +-SELECT @@global.wsrep_provider; +-@@global.wsrep_provider +-none +- +-# restore the initial value +-SET @@global.wsrep_provider = @wsrep_provider_global_saved; +-# End of test +diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result +deleted file mode 100644 +index 15949a14e39..00000000000 +--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result ++++ /dev/null +@@ -1,46 +0,0 @@ +-# +-# wsrep_provider_options +-# +-call mtr.add_suppression("WSREP: Failed to get provider options"); +-# default +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +- +-# scope +-SELECT @@session.wsrep_provider_options; +-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable +-SET @@global.wsrep_provider_options='option1'; +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +- +-# valid values +-SET @@global.wsrep_provider_options='name1=value1;name2=value2'; +-ERROR HY000: WSREP (galera) not started +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +-SET @@global.wsrep_provider_options='hyphenated-name:value'; +-ERROR HY000: WSREP (galera) not started +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +-SET @@global.wsrep_provider_options=default; +-ERROR HY000: WSREP (galera) not started +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +- +-# invalid values +-SET @@global.wsrep_provider_options=1; +-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options' +-SELECT @@global.wsrep_provider_options; 
+-@@global.wsrep_provider_options +- +-SET @@global.wsrep_provider_options=NULL; +-Got one of the listed errors +-SELECT @@global.wsrep_provider_options; +-@@global.wsrep_provider_options +- +-# End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test +deleted file mode 100644 +index 6d1535ba148..00000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test ++++ /dev/null +@@ -1,43 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_notify_cmd +---echo # +- +-call mtr.add_suppression("WSREP: Failed to get provider options"); +- +---echo # save the initial value +-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd; +- +---echo # default +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd='notify_cmd'; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # valid values +-SET @@global.wsrep_notify_cmd='command'; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd='hyphenated-command'; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd=default; +-SELECT @@global.wsrep_notify_cmd; +-SET @@global.wsrep_notify_cmd=NULL; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # invalid values +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_notify_cmd=1; +-SELECT @@global.wsrep_notify_cmd; +- +---echo +---echo # restore the initial value +-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved; +- +---echo # End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test +deleted file mode 100644 +index 1190ab41bb0..00000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test ++++ /dev/null +@@ -1,39 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_provider +---echo # +- 
+---echo # save the initial value +-SET @wsrep_provider_global_saved = @@global.wsrep_provider; +- +---echo # default +-SELECT @@global.wsrep_provider; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_provider; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # valid values +-SET @@global.wsrep_provider=default; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # invalid values +---error ER_WRONG_VALUE_FOR_VAR +-SET @@global.wsrep_provider='/invalid/libgalera_smm.so'; +---error ER_WRONG_VALUE_FOR_VAR +-SET @@global.wsrep_provider=NULL; +-SELECT @@global.wsrep_provider; +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_provider=1; +-SELECT @@global.wsrep_provider; +- +---echo +---echo # restore the initial value +-SET @@global.wsrep_provider = @wsrep_provider_global_saved; +- +---echo # End of test +diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test +deleted file mode 100644 +index 6eb3a94b6a4..00000000000 +--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test ++++ /dev/null +@@ -1,41 +0,0 @@ +---source include/have_wsrep.inc +- +---echo # +---echo # wsrep_provider_options +---echo # +- +-call mtr.add_suppression("WSREP: Failed to get provider options"); +- +---echo # default +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # scope +---error ER_INCORRECT_GLOBAL_LOCAL_VAR +-SELECT @@session.wsrep_provider_options; +---error 0,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='option1'; +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # valid values +---error ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='name1=value1;name2=value2'; +-SELECT @@global.wsrep_provider_options; +---error ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options='hyphenated-name:value'; +-SELECT @@global.wsrep_provider_options; +---error ER_WRONG_ARGUMENTS +-SET 
@@global.wsrep_provider_options=default; +-SELECT @@global.wsrep_provider_options; +- +---echo +---echo # invalid values +---error ER_WRONG_TYPE_FOR_VAR +-SET @@global.wsrep_provider_options=1; +-SELECT @@global.wsrep_provider_options; +---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS +-SET @@global.wsrep_provider_options=NULL; +-SELECT @@global.wsrep_provider_options; +- +---echo # End of test +diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def +index 11577bfe8b0..3d204db6945 100644 +--- a/mysql-test/suite/wsrep/disabled.def ++++ b/mysql-test/suite/wsrep/disabled.def +@@ -10,3 +10,5 @@ + # + ############################################################################## + ++ ++mdev_6832: wsrep_provider is read-only for security reasons +diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result +index a9988fd1628..e57440125ee 100644 +--- a/mysql-test/suite/wsrep/r/variables.result ++++ b/mysql-test/suite/wsrep/r/variables.result +@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON; + ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL + SET GLOBAL wsrep_replicate_myisam= ON; + SET GLOBAL wsrep_replicate_myisam= OFF; +-SET GLOBAL wsrep_provider=none; + # + # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of + # variables when using "_" +@@ -151,7 +150,6 @@ wsrep_local_state_comment # + # Should show nothing. 
+ SHOW STATUS LIKE 'x'; + Variable_name Value +-SET GLOBAL wsrep_provider=none; + + SHOW STATUS LIKE 'wsrep_local_state_uuid'; + Variable_name Value +@@ -160,7 +158,6 @@ wsrep_local_state_uuid # + SHOW STATUS LIKE 'wsrep_last_committed'; + Variable_name Value + wsrep_last_committed # +-SET GLOBAL wsrep_provider=none; + + # + # MDEV#6206: wsrep_slave_threads subtracts from max_connections +@@ -174,7 +171,7 @@ SELECT @@global.wsrep_slave_threads; + 1 + SELECT @@global.wsrep_cluster_address; + @@global.wsrep_cluster_address +- ++gcomm:// + SELECT @@global.wsrep_on; + @@global.wsrep_on + 1 +@@ -183,14 +180,14 @@ Variable_name Value + Threads_connected 1 + SHOW STATUS LIKE 'wsrep_thread_count'; + Variable_name Value +-wsrep_thread_count 0 ++wsrep_thread_count 2 + + SELECT @@global.wsrep_provider; + @@global.wsrep_provider + libgalera_smm.so + SELECT @@global.wsrep_cluster_address; + @@global.wsrep_cluster_address +- ++gcomm:// + SELECT @@global.wsrep_on; + @@global.wsrep_on + 1 +@@ -199,11 +196,10 @@ Variable_name Value + Threads_connected 1 + SHOW STATUS LIKE 'wsrep_thread_count'; + Variable_name Value +-wsrep_thread_count 0 ++wsrep_thread_count 2 + + # Setting wsrep_cluster_address triggers the creation of + # applier/rollbacker threads. +-SET GLOBAL wsrep_cluster_address= 'gcomm://'; + # Wait for applier thread to get created 1. + # Wait for applier thread to get created 2. + SELECT VARIABLE_VALUE AS EXPECT_1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count'; +diff --git a/mysql-test/suite/wsrep/t/variables.test b/mysql-test/suite/wsrep/t/variables.test +index f2c3a0a3b78..fd352b61a3a 100644 +--- a/mysql-test/suite/wsrep/t/variables.test ++++ b/mysql-test/suite/wsrep/t/variables.test +@@ -23,7 +23,7 @@ SET GLOBAL wsrep_replicate_myisam= ON; + + # Reset it back. 
+ SET GLOBAL wsrep_replicate_myisam= OFF; +-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + + --echo # + --echo # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of +@@ -32,9 +32,6 @@ SET GLOBAL wsrep_provider=none; + + CALL mtr.add_suppression("WSREP: Could not open saved state file for reading.*"); + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log + + --replace_column 2 # + SHOW GLOBAL STATUS LIKE 'wsrep%'; +@@ -50,11 +47,9 @@ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment'; + SHOW STATUS LIKE 'x'; + + # Reset it back. +-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + # The following 2 variables are used by mariabackup + # SST. +@@ -66,7 +61,7 @@ SHOW STATUS LIKE 'wsrep_local_state_uuid'; + SHOW STATUS LIKE 'wsrep_last_committed'; + + # Reset it back. 
+-SET GLOBAL wsrep_provider=none; ++#SET GLOBAL wsrep_provider=none; + + --echo + --echo # +@@ -74,9 +69,7 @@ SET GLOBAL wsrep_provider=none; + --echo # + call mtr.add_suppression("WSREP: Failed to get provider options"); + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + --replace_regex /.*libgalera_smm.*/libgalera_smm.so/ + SELECT @@global.wsrep_provider; +@@ -87,9 +80,7 @@ SHOW STATUS LIKE 'threads_connected'; + SHOW STATUS LIKE 'wsrep_thread_count'; + --echo + +---disable_query_log +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +---enable_query_log ++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; + + --replace_regex /.*libgalera_smm.*/libgalera_smm.so/ + SELECT @@global.wsrep_provider; +@@ -101,7 +92,7 @@ SHOW STATUS LIKE 'wsrep_thread_count'; + + --echo # Setting wsrep_cluster_address triggers the creation of + --echo # applier/rollbacker threads. +-SET GLOBAL wsrep_cluster_address= 'gcomm://'; ++#SET GLOBAL wsrep_cluster_address= 'gcomm://'; + + --echo # Wait for applier thread to get created 1. + --let $wait_condition = SELECT VARIABLE_VALUE = 1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count'; +@@ -162,15 +153,6 @@ SET @@global.wsrep_sst_auth= NULL; + SELECT @@global.wsrep_sst_auth; + SET @@global.wsrep_sst_auth= @wsrep_sst_auth_saved; + +-# Reset (for mtr internal checks) +- +---disable_query_log +-SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved; +-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER'; +-SET GLOBAL wsrep_cluster_address= @wsrep_cluster_address_saved; +-SET GLOBAL wsrep_provider_options= @wsrep_provider_options_saved; +---enable_query_log +- + --source include/galera_wait_ready.inc + + --echo # End of test. 
+diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc +index 64040243df0..8c67a4d432a 100644 +--- a/sql/sys_vars.cc ++++ b/sql/sys_vars.cc +@@ -5669,8 +5669,8 @@ static Sys_var_tz Sys_time_zone( + + static Sys_var_charptr_fscs Sys_wsrep_provider( + "wsrep_provider", "Path to replication provider library", +- PREALLOCATED GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG), +- DEFAULT(WSREP_NONE), ++ PREALLOCATED READ_ONLY GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG), ++ DEFAULT(WSREP_NONE), + NO_MUTEX_GUARD, NOT_IN_BINLOG, + ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update)); + +@@ -5886,8 +5886,8 @@ static Sys_var_ulong Sys_wsrep_max_ws_rows ( + + static Sys_var_charptr Sys_wsrep_notify_cmd( + "wsrep_notify_cmd", "", +- GLOBAL_VAR(wsrep_notify_cmd),CMD_LINE(REQUIRED_ARG), +- DEFAULT("")); ++ READ_ONLY GLOBAL_VAR(wsrep_notify_cmd), CMD_LINE(REQUIRED_ARG), ++ DEFAULT("")); + + static Sys_var_mybool Sys_wsrep_certify_nonPK( + "wsrep_certify_nonPK", "Certify tables with no primary key", +-- +2.31.0 + -- 2.31.0
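Review bot: In the new mariadb/fixed definition in gnu/packages/databases.scm, the patches field is set to only (search-patches "mariadb-CVE-2021-27928.patch"), so any patches already listed on the inherited mariadb origin would be dropped from the grafted build. Unless that origin carries none, append to the inherited list instead, for example (patches (append (origin-patches (package-source mariadb)) (search-patches "mariadb-CVE-2021-27928.patch"))). A one-line comment above the definition naming the CVE and saying the graft is temporary would help whoever removes it later.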
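Review bot: In mysql-test/suite/galera/include/galera_load_provider.inc and galera_unload_provider.inc the --echo lines still read "Loading wsrep provider ..." and "Unloading wsrep provider ..." although both files now only set wsrep_cluster_address, and the three updated .result files (galera_ist_rsync, galera_sst_mysqldump, mysql-wsrep#33) record the same stale message. Reword the echo to describe leaving and rejoining the cluster, and check whether $wsrep_provider_options_orig and LOG_FILE in galera_unload_provider.inc still have a consumer now that the log-copy block in galera_load_provider.inc is gone.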
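Review bot: Deleting mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test and its .result removes coverage for wsrep_provider_options, which the sql/sys_vars.cc hunks do not touch (only wsrep_provider and wsrep_notify_cmd gain READ_ONLY). Keep that test, and instead of deleting wsrep_provider_basic and wsrep_notify_cmd_basic outright, replace them with short tests asserting that SET @@global.wsrep_provider=... and SET @@global.wsrep_notify_cmd=... are now rejected, so the suite checks the security property this commit introduces.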
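Review bot: In mysql-test/suite/wsrep/t/variables.test the affected statements are commented out rather than removed (#SET GLOBAL wsrep_provider=none;, #evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';, #SET GLOBAL wsrep_cluster_address= 'gcomm://';), which leaves dead lines and an --echo "Setting wsrep_cluster_address triggers the creation of applier/rollbacker threads." that no longer matches what the test runs. The final hunk also drops the whole "Reset (for mtr internal checks)" block, including SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved; and the wsrep_cluster_address and wsrep_provider_options restores, none of which this commit makes read-only; delete only the wsrep_provider line there, or state in the commit message why the other restores are no longer needed.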
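Review bot: In sql/sys_vars.cc, Sys_wsrep_provider gains READ_ONLY but keeps ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update); with the variable no longer settable at run time those callbacks look unreachable from SET GLOBAL, so either drop them or add a comment saying why they stay. Neither definition says why it is read-only, while the disabled.def entries give "read-only for security reasons", so a one-line comment to that effect belongs here too, and Sys_wsrep_notify_cmd still has an empty description string. The DEFAULT(WSREP_NONE) and DEFAULT("") lines change only in whitespace, which adds noise to a security backport.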