GNU bug report logs

#47257 mariadb is vulnerable to CVE-2021-27928 (RCE)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 10:26:02 GMT) (full text, mbox, link).


Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 19 Mar 2021 10:26:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Fri, 19 Mar 2021 11:25:31 +0100
[Message part 1 (text/plain, inline)]
CVE-2021-27928	04:15
A remote code execution issue was discovered in MariaDB 10.2 before
10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
2021-03-03 for MySQL. An untrusted search path leads to eval injection,
in which a database SUPER user can execute OS commands after modifying
wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
Oracle product.

From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
fixes it for us since we package 10.5.8 currently.

However:

$ ./pre-inst-env guix refresh -l mariadb
Building the following 552 packages would ensure 1047 dependent
packages are rebuilt:
[..]

Is it possible to graft mariadb you think? I am thinking this issue
doesnt need updating of the "lib" output which is what's causing the
high number of dependents AIUI. I am not sure we could actually update
individual outputs right now though. Might be a good idea to split the
packages for the future.

Léo
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Fri, 19 Mar 2021 10:31:02 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 11:16:02 GMT) (full text, mbox, link).


Message #10 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Julien Lepiller <julien@lepiller.eu>
To: Léo Le Bouter <lle-bout@zaclys.net>, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org>, 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Fri, 19 Mar 2021 07:15:33 -0400
[Message part 1 (text/plain, inline)]
You need to graft: when building a package, the output hash depends on the inputs, sources and instructions, so even if the content of the lib output does not change, its store path does, leading to a rebuild.

Le 19 mars 2021 06:25:31 GMT-04:00, "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org> a écrit :
>CVE-2021-27928	04:15
>A remote code execution issue was discovered in MariaDB 10.2 before
>10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
>10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
>2021-03-03 for MySQL. An untrusted search path leads to eval injection,
>in which a database SUPER user can execute OS commands after modifying
>wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
>Oracle product.
>
>From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
>fixes it for us since we package 10.5.8 currently.
>
>However:
>
>$ ./pre-inst-env guix refresh -l mariadb
>Building the following 552 packages would ensure 1047 dependent
>packages are rebuilt:
>[..]
>
>Is it possible to graft mariadb you think? I am thinking this issue
>doesnt need updating of the "lib" output which is what's causing the
>high number of dependents AIUI. I am not sure we could actually update
>individual outputs right now though. Might be a good idea to split the
>packages for the future.
>
>Léo
[Message part 2 (text/html, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 11:16:02 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 11:37:01 GMT) (full text, mbox, link).


Message #16 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47257@debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
Date: Fri, 19 Mar 2021 12:35:37 +0100
* gnu/packages/databases.scm (mariadb/fixed): New variable.
(mariadb)[replacement]: Graft.
---
 gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 8be83f5cbe..6fdb22d7fb 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
                             (append (find-files "extra/wolfssl")
                                     (find-files "zlib")))
                   #t))))
+    (replacement mariadb/fixed)
     (build-system cmake-build-system)
     (outputs '("out" "lib" "dev"))
     (arguments
@@ -969,6 +970,38 @@ Language.")
 as a drop-in replacement of MySQL.")
     (license license:gpl2)))
 
+(define mariadb/fixed
+  (package/inherit mariadb
+    (version "10.5.9")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://downloads.mariadb.com/MariaDB"
+                                  "/mariadb-" version "/source/mariadb-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "1kv8226ydyh4nyfx432dxqdkbry92c92bwlc33f1y56yp2p1kas0"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Delete bundled snappy and xz.
+                  (delete-file-recursively "storage/tokudb/PerconaFT/third_party")
+                  (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
+                    ;; This file checks that the bundled sources are present and
+                    ;; declares build procedures for them.
+                    (("^include\\(TokuThirdParty\\)") ""))
+                  (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
+                    ;; Don't attempt to use the procedures we just removed.
+                    ((" build_lzma build_snappy") ""))
+
+                  ;; Preserve CMakeLists.txt for these.
+                  (for-each (lambda (file)
+                              (unless (string-suffix? "CMakeLists.txt" file)
+                                (delete-file file)))
+                            (append (find-files "extra/wolfssl")
+                                    (find-files "zlib")))
+                  #t))))))
+
 (define-public mariadb-connector-c
   (package
     (name "mariadb-connector-c")
-- 
2.31.0





Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 11:37:02 GMT) (full text, mbox, link).


Message #19 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47257@debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: [PATCH 0/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
Date: Fri, 19 Mar 2021 12:35:36 +0100
I made a patch, please review and push if you think that's OK, I will otherwise
push it myself after some time.

The patch produces some test error, not sure if deterministic, looks related to
networking disabled in build sandboxes, log:

The servers were restarted 778 times
Spent 6689.041 of 234 seconds executing testcases

Failure: Failed 1/2711 tests, 99.96% were successful.

Failing test(s): main.system_mysql_db

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

969 tests were skipped, 161 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 687.
        mtr_report::mtr_error("there were failing test cases") called at lib/mtr_report.pm line 556
        mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x19d75d0), ARRAY(0x1420d08)) called at /tmp/guix-build-mariadb-10.5.9.drv-0/mariadb-10.5.9/mysql-test/mysql-test-run.pl line 586
        main::main() called at /tmp/guix-build-mariadb-10.5.9.drv-0/mariadb-10.5.9/mysql-test/mysql-test-run.pl line 387
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel" "48" "--skip-rpl" "--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed with exit code 1
@ build-failed /gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv - 1 builder for `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed with exit code 1
derivation '/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' offloaded to 'www.proxmox-2.schmilblick.org' failed: build of `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed
build of /gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv failed
View build log at '/var/log/guix/drvs/hk/1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv.bz2'.
guix build: error: build of `/gnu/store/hk1awalxmnd7a7qz4v8r5h7bpxc4ig5b-mariadb-10.5.9.drv' failed

Léo Le Bouter (1):
  gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].

 gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

-- 
2.31.0





Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 19 Mar 2021 11:41:02 GMT) (full text, mbox, link).


Message #22 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>, 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Fri, 19 Mar 2021 12:35:11 +0100
Hi,

On Fri, 19 Mar 2021 at 11:25, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Is it possible to graft mariadb you think? I am thinking this issue
> doesnt need updating of the "lib" output which is what's causing the
> high number of dependents AIUI. I am not sure we could actually update
> individual outputs right now though. Might be a good idea to split the
> packages for the future.

Instead of grafting, I would fix first check the compatibility between
mariadb  and zstd.  Because mariadb@10.5.8 does not build with
zstd@1.4.9, at least on my machine.

Other said, I seem better to do this fix as a whole on core-updates
without any graft.  Instead of grafting here and there; and not
necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from 10.5.8
to 10.5.8).

All the best,
simon




Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Sat, 20 Mar 2021 00:30:02 GMT) (full text, mbox, link).


Message #25 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Mark H Weaver <mhw@netris.org>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org>, 47257@debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: Re: bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
Date: Fri, 19 Mar 2021 20:28:04 -0400
Hi Léo,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> * gnu/packages/databases.scm (mariadb/fixed): New variable.
> (mariadb)[replacement]: Graft.
> ---
>  gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
>  1 file changed, 33 insertions(+)
>
> diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
> index 8be83f5cbe..6fdb22d7fb 100644
> --- a/gnu/packages/databases.scm
> +++ b/gnu/packages/databases.scm
> @@ -734,6 +734,7 @@ Language.")
>                              (append (find-files "extra/wolfssl")
>                                      (find-files "zlib")))
>                    #t))))
> +    (replacement mariadb/fixed)
>      (build-system cmake-build-system)
>      (outputs '("out" "lib" "dev"))
>      (arguments
> @@ -969,6 +970,38 @@ Language.")
>  as a drop-in replacement of MySQL.")
>      (license license:gpl2)))
>  
> +(define mariadb/fixed
> +  (package/inherit mariadb

Please don't use 'package/inherit' when the package you're defining is a
replacement to the package you're inheriting from.  It creates a package
object with an infinite chain of grafts.  I guess that the infinite
chain gets truncated somewhere in the grafting machinery, but I seem to
recall that this kind of thing has caused real problems in the past.

'package/inherit' is usually the right thing when defining other kinds
of package variants, however.

Thanks again for all of your recent work on improving our security.  It
is a great help.

      Regards,
        Mark




Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Sat, 20 Mar 2021 00:30:03 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Sat, 20 Mar 2021 00:45:01 GMT) (full text, mbox, link).


Message #31 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Mark H Weaver <mhw@netris.org>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47257@debbugs.gnu.org
Subject: Re: bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes CVE-2021-27928].
Date: Fri, 19 Mar 2021 20:42:33 -0400
Mark H Weaver <mhw@netris.org> writes:
> 'package/inherit' is usually the right thing when defining other kinds
> of package variants, however.

One addendum to this guideline: if the package variant you're defining
overrides the 'source' field[*], it's probably pointless to use
'package/inherit', because the fixes embodied in the original package's
replacement would most likely be lost anyway.

[*] One exception is if the overridden 'source' field merely adds some
additional patches to the original package, while taking care to
preserve any existing patches -- that last part is important, even if
the original package doesn't including any patches at the time you look.
In that case, 'package/inherit' might well be helpful.

More generally, when inheriting from another package, it's useful to ask
yourself what should happen if the package you're inheriting from is
later grafted, and to try to arrange for that to happen automatically.

     Thanks,
       Mark




Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Thu, 25 Mar 2021 10:59:03 GMT) (full text, mbox, link).


Message #34 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47257@debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 11:58:15 +0100
* gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch.
(mariadb)[replacement]: Graft.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/databases.scm                    |  34 +
 .../patches/mariadb-CVE-2021-27928.patch      | 629 ++++++++++++++++++
 3 files changed, 664 insertions(+)
 create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 14d228cfa4..40956598db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1380,6 +1380,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/lvm2-static-link.patch			\
   %D%/packages/patches/mailutils-fix-uninitialized-variable.patch	\
   %D%/packages/patches/make-impure-dirs.patch			\
+  %D%/packages/patches/mariadb-CVE-2021-27928.patch		\
   %D%/packages/patches/mars-install.patch			\
   %D%/packages/patches/mars-sfml-2.3.patch			\
   %D%/packages/patches/maxima-defsystem-mkdir.patch		\
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 83b6a13892..75edf3fd08 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
                             (append (find-files "extra/wolfssl")
                                     (find-files "zlib")))
                   #t))))
+    (replacement mariadb/fixed)
     (build-system cmake-build-system)
     (outputs '("out" "lib" "dev"))
     (arguments
@@ -969,6 +970,39 @@ Language.")
 as a drop-in replacement of MySQL.")
     (license license:gpl2)))
 
+(define-public mariadb/fixed
+  (package
+    (inherit mariadb)
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://downloads.mariadb.com/MariaDB"
+                                  "/mariadb-" version "/source/mariadb-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "1s3vfm73911cddjhgpcbkya6nz7ag2zygg56qqzwscn5ybv28j7b"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Delete bundled snappy and xz.
+                  (delete-file-recursively "storage/tokudb/PerconaFT/third_party")
+                  (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
+                    ;; This file checks that the bundled sources are present and
+                    ;; declares build procedures for them.
+                    (("^include\\(TokuThirdParty\\)") ""))
+                  (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
+                    ;; Don't attempt to use the procedures we just removed.
+                    ((" build_lzma build_snappy") ""))
+
+                  ;; Preserve CMakeLists.txt for these.
+                  (for-each (lambda (file)
+                              (unless (string-suffix? "CMakeLists.txt" file)
+                                (delete-file file)))
+                            (append (find-files "extra/wolfssl")
+                                    (find-files "zlib")))
+                  #t))
+              (patches (search-patches "mariadb-CVE-2021-27928.patch"))))))
+
 (define-public mariadb-connector-c
   (package
     (name "mariadb-connector-c")
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
new file mode 100644
index 0000000000..eea18431cf
--- /dev/null
+++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
@@ -0,0 +1,629 @@
+From ce3a2a688db556d8d077a409fd9bf5cc013d13dd Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 18 Feb 2021 14:20:48 +0100
+Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only
+
+this should simplify run-time cluster management
+---
+ mysql-test/suite/galera/disabled.def          |  2 +
+ .../galera/include/galera_load_provider.inc   |  1 -
+ .../galera/include/galera_unload_provider.inc |  3 +-
+ .../suite/galera/r/galera_ist_rsync.result    |  2 +-
+ .../galera/r/galera_sst_mysqldump.result      |  2 +-
+ .../suite/galera/r/mysql-wsrep#33.result      |  2 +-
+ .../suite/sys_vars/r/sysvars_wsrep.result     |  4 +-
+ .../sys_vars/r/wsrep_notify_cmd_basic.result  | 47 -----------------
+ .../sys_vars/r/wsrep_provider_basic.result    | 40 ---------------
+ .../r/wsrep_provider_options_basic.result     | 49 ------------------
+ .../sys_vars/t/wsrep_notify_cmd_basic.test    | 43 ----------------
+ .../sys_vars/t/wsrep_provider_basic.test      | 39 --------------
+ .../t/wsrep_provider_options_basic.test       | 51 -------------------
+ mysql-test/suite/wsrep/disabled.def           |  2 +
+ mysql-test/suite/wsrep/r/variables.result     | 12 ++---
+ mysql-test/suite/wsrep/t/variables.test       | 34 +++----------
+ sql/sys_vars.cc                               |  4 +-
+ 17 files changed, 24 insertions(+), 313 deletions(-)
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+
+diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def
+index 7fe03a9422013..a063e17d46533 100644
+--- a/mysql-test/suite/galera/disabled.def
++++ b/mysql-test/suite/galera/disabled.def
+@@ -30,3 +30,5 @@ partition : MDEV-19958 Galera test failure on galera.partition
+ query_cache: MDEV-15805 Test failure on galera.query_cache
+ sql_log_bin : MDEV-21491 galera.sql_log_bin
+ versioning_trx_id: MDEV-18590: galera.versioning_trx_id: Test failure: mysqltest: Result content mismatch
++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons
++pxc-421: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc
+index aeab7e6ea199f..e6ce6411193c2 100644
+--- a/mysql-test/suite/galera/include/galera_load_provider.inc
++++ b/mysql-test/suite/galera/include/galera_load_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Loading wsrep provider ...
+ 
+ --disable_query_log
+---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig';
+ --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig';
+ --enable_query_log
+ 
+diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc
+index edc7eb31e0e21..83438a947f03e 100644
+--- a/mysql-test/suite/galera/include/galera_unload_provider.inc
++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Unloading wsrep provider ...
+ 
+ --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address`
+---let $wsrep_provider_orig = `SELECT @@wsrep_provider`
+ --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options`
+ 
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result
+index 8a7c02ab1b6d9..80a28d349baed 100644
+--- a/mysql-test/suite/galera/r/galera_ist_rsync.result
++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result
+@@ -21,7 +21,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+index 5c530c32ce695..6bdc933a9fca7 100644
+--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result
++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+index 6a5251204b9bb..4cc49c0cf0790 100644
+--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result
++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+index e54afd2d64a24..67e1540531311 100644
+--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+@@ -349,7 +349,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ VARIABLE_NAME	WSREP_ON
+ SESSION_VALUE	OFF
+@@ -405,7 +405,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ VARIABLE_NAME	WSREP_PROVIDER_OPTIONS
+ SESSION_VALUE	NULL
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+deleted file mode 100644
+index 056ff8c817b0f..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
++++ /dev/null
+@@ -1,47 +0,0 @@
+-#
+-# wsrep_notify_cmd
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-# default
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-
+-# scope
+-SELECT @@session.wsrep_notify_cmd;
+-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-notify_cmd
+-
+-# valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-command
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-hyphenated-command
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# invalid values
+-SET @@global.wsrep_notify_cmd=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd'
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+deleted file mode 100644
+index 3e4ac8ca88362..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
++++ /dev/null
+@@ -1,40 +0,0 @@
+-#
+-# wsrep_provider
+-#
+-# save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-# default
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# scope
+-SELECT @@session.wsrep_provider;
+-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# invalid values
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so'
+-SET @@global.wsrep_provider=NULL;
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-SET @@global.wsrep_provider=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+deleted file mode 100644
+index b2e07c55b38cf..0000000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
++++ /dev/null
+@@ -1,49 +0,0 @@
+-#
+-# wsrep_provider_options
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-SET @@global.wsrep_provider =  @@global.wsrep_provider;
+-# save the initial value
+-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options;
+-# default
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# scope
+-SELECT @@session.wsrep_provider_options;
+-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-option1
+-
+-# valid values
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-name1=value1;name2=value2
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-hyphenated-name:value
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# invalid values
+-SET @@global.wsrep_provider_options=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options'
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=NULL;
+-Got one of the listed errors
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+deleted file mode 100644
+index 6d1535ba1482d..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
++++ /dev/null
+@@ -1,43 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_notify_cmd
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-
+---echo # default
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_notify_cmd=1;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+deleted file mode 100644
+index 1190ab41bb053..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
++++ /dev/null
+@@ -1,39 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider
+---echo #
+-
+---echo # save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-
+---echo # default
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider=NULL;
+-SELECT @@global.wsrep_provider;
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider=1;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+deleted file mode 100644
+index d2ea32a063786..0000000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
++++ /dev/null
+@@ -1,51 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider_options
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+-SET @@global.wsrep_provider =  @@global.wsrep_provider;
+-
+---echo # save the initial value
+-SET @wsrep_provider_options_global_saved = @@global.wsrep_provider_options;
+-
+---echo # default
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # valid values
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider_options=1;
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=NULL;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # restore the initial value
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options = @wsrep_provider_options_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def
+index 11577bfe8b007..3d204db694580 100644
+--- a/mysql-test/suite/wsrep/disabled.def
++++ b/mysql-test/suite/wsrep/disabled.def
+@@ -10,3 +10,5 @@
+ #
+ ##############################################################################
+ 
++
++mdev_6832: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result
+index 9ef1b3290afd6..8bb0b426380a1 100644
+--- a/mysql-test/suite/wsrep/r/variables.result
++++ b/mysql-test/suite/wsrep/r/variables.result
+@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON;
+ ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL
+ SET GLOBAL wsrep_replicate_myisam= ON;
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
+ #
+ # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+ # variables when using "_"
+@@ -26,7 +25,6 @@ wsrep_local_state_comment	#
+ # Should show nothing.
+ SHOW STATUS LIKE 'x';
+ Variable_name	Value
+-SET GLOBAL wsrep_provider=none;
+ 
+ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ Variable_name	Value
+@@ -35,7 +33,6 @@ wsrep_local_state_uuid	#
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ Variable_name	Value
+ wsrep_last_committed	#
+-SET GLOBAL wsrep_provider=none;
+ 
+ #
+ # MDEV#6206: wsrep_slave_threads subtracts from max_connections
+@@ -49,7 +46,7 @@ SELECT @@global.wsrep_slave_threads;
+ 1
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -58,14 +55,14 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ SELECT @@global.wsrep_provider;
+ @@global.wsrep_provider
+ libgalera_smm.so
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -74,11 +71,10 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ # Setting wsrep_cluster_address triggers the creation of
+ # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ # Wait for applier thread to get created 1.
+ # Wait for applier thread to get created 2.
+ SELECT VARIABLE_VALUE AS EXPECT_1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count';
+diff --git a/mysql-test/suite/wsrep/t/variables.test b/mysql-test/suite/wsrep/t/variables.test
+index 5ab0eb68505a7..1a3bd62b16489 100644
+--- a/mysql-test/suite/wsrep/t/variables.test
++++ b/mysql-test/suite/wsrep/t/variables.test
+@@ -22,7 +22,7 @@ SET GLOBAL wsrep_replicate_myisam= ON;
+ 
+ # Reset it back.
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo #
+ --echo # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+@@ -31,13 +31,9 @@ SET GLOBAL wsrep_provider=none;
+ 
+ CALL mtr.add_suppression("WSREP: Could not open saved state file for reading.*");
+ 
+---disable_result_log
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ --let $galera_version=25.3.24
+ source include/check_galera_version.inc;
+---enable_result_log
+---enable_query_log
+ 
+ --replace_column 2 #
+ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';
+@@ -46,11 +42,9 @@ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';
+ SHOW STATUS LIKE 'x';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ # The following 2 variables are used by mariabackup
+ # SST.
+@@ -62,7 +56,7 @@ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo
+ --echo #
+@@ -70,9 +64,7 @@ SET GLOBAL wsrep_provider=none;
+ --echo #
+ call mtr.add_suppression("WSREP: Failed to get provider options");
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -83,9 +75,7 @@ SHOW STATUS LIKE 'threads_connected';
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ --echo
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -97,7 +87,7 @@ SHOW STATUS LIKE 'wsrep_thread_count';
+ 
+ --echo # Setting wsrep_cluster_address triggers the creation of
+ --echo # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
++#SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ 
+ --echo # Wait for applier thread to get created 1.
+ --let $wait_timeout=600
+@@ -159,14 +149,6 @@ SET @@global.wsrep_sst_auth= NULL;
+ SELECT @@global.wsrep_sst_auth;
+ SET @@global.wsrep_sst_auth= @wsrep_sst_auth_saved;
+ 
+-# Reset (for mtr internal checks)
+---disable_query_log
+-SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved;
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+-SET GLOBAL wsrep_cluster_address= @wsrep_cluster_address_saved;
+-SET GLOBAL wsrep_provider_options= @wsrep_provider_options_saved;
+---enable_query_log
+-
+ --source include/galera_wait_ready.inc
+ 
+ --echo # End of test.
+diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
+index baf27a7d0af92..e4de3d8d0aa1a 100644
+--- a/sql/sys_vars.cc
++++ b/sql/sys_vars.cc
+@@ -4958,7 +4958,7 @@ static Sys_var_tz Sys_time_zone(
+ 
+ static Sys_var_charptr Sys_wsrep_provider(
+        "wsrep_provider", "Path to replication provider library",
+-       PREALLOCATED GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
++       PREALLOCATED READ_ONLY GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
+        IN_FS_CHARSET, DEFAULT(WSREP_NONE),
+        NO_MUTEX_GUARD, NOT_IN_BINLOG,
+        ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update));
+@@ -5171,7 +5171,7 @@ static Sys_var_ulong Sys_wsrep_max_ws_rows (
+ 
+ static Sys_var_charptr Sys_wsrep_notify_cmd(
+        "wsrep_notify_cmd", "",
+-       GLOBAL_VAR(wsrep_notify_cmd),CMD_LINE(REQUIRED_ARG),
++       READ_ONLY GLOBAL_VAR(wsrep_notify_cmd), CMD_LINE(REQUIRED_ARG),
+        IN_SYSTEM_CHARSET, DEFAULT(""));
+ 
+ static Sys_var_mybool Sys_wsrep_certify_nonPK(
-- 
2.31.0





Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Thu, 25 Mar 2021 11:07:02 GMT) (full text, mbox, link).


Message #37 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Julien Lepiller <julien@lepiller.eu>
To: Léo Le Bouter <lle-bout@zaclys.net>, 47257@debbugs.gnu.org
Subject: Re: bug#47257: [PATCH v2] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 07:06:09 -0400
[Message part 1 (text/plain, inline)]
I think you can simplify the patch a bit by inheriting the source too:

(source
  (origin
    (inherit (package-source mariadb))
    (patches …)))

Otherwise, untested but looks good.
[Message part 2 (text/html, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Thu, 25 Mar 2021 11:29:02 GMT) (full text, mbox, link).


Message #40 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: zimoun <zimon.toutoune@gmail.com>, 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Thu, 25 Mar 2021 12:28:15 +0100
[Message part 1 (text/plain, inline)]
On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> Instead of grafting, I would fix first check the compatibility
> between
> mariadb  and zstd.  Because mariadb@10.5.8 does not build with
> zstd@1.4.9, at least on my machine.

Can you post build logs and repro scenario? mariadb@10.5.8 built fine
for me on core-updates which has zstd@1.4.9.

> Other said, I seem better to do this fix as a whole on core-updates
> without any graft.  Instead of grafting here and there; and not
> necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> 10.5.8
> to 10.5.8).

We can't patch security issues through core-updates, especially this
RCE.

> All the best,
> simon

[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Thu, 25 Mar 2021 12:40:02 GMT) (full text, mbox, link).


Message #43 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47257@debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 13:39:21 +0100
* gnu/packages/patches/mariadb-CVE-2021-27928.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/databases.scm (mariadb/fixed): New variable. Apply patch.
(mariadb)[replacement]: Graft.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/databases.scm                    |   8 +
 .../patches/mariadb-CVE-2021-27928.patch      | 642 ++++++++++++++++++
 3 files changed, 651 insertions(+)
 create mode 100644 gnu/packages/patches/mariadb-CVE-2021-27928.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 14d228cfa4..40956598db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1380,6 +1380,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/lvm2-static-link.patch			\
   %D%/packages/patches/mailutils-fix-uninitialized-variable.patch	\
   %D%/packages/patches/make-impure-dirs.patch			\
+  %D%/packages/patches/mariadb-CVE-2021-27928.patch		\
   %D%/packages/patches/mars-install.patch			\
   %D%/packages/patches/mars-sfml-2.3.patch			\
   %D%/packages/patches/maxima-defsystem-mkdir.patch		\
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 83b6a13892..20069f9383 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -734,6 +734,7 @@ Language.")
                             (append (find-files "extra/wolfssl")
                                     (find-files "zlib")))
                   #t))))
+    (replacement mariadb/fixed)
     (build-system cmake-build-system)
     (outputs '("out" "lib" "dev"))
     (arguments
@@ -969,6 +970,13 @@ Language.")
 as a drop-in replacement of MySQL.")
     (license license:gpl2)))
 
+(define mariadb/fixed
+  (package
+    (inherit mariadb)
+    (source (origin
+              (inherit (package-source mariadb))
+              (patches (search-patches "mariadb-CVE-2021-27928.patch"))))))
+
 (define-public mariadb-connector-c
   (package
     (name "mariadb-connector-c")
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
new file mode 100644
index 0000000000..39a023c159
--- /dev/null
+++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
@@ -0,0 +1,642 @@
+From 7580701e6279900fec40822952a3b874732289cf Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 18 Feb 2021 14:20:48 +0100
+Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only
+
+this should simplify run-time cluster management
+---
+ mysql-test/suite/galera/disabled.def          |  2 +
+ .../galera/include/galera_load_provider.inc   | 19 --------
+ .../galera/include/galera_unload_provider.inc |  3 +-
+ .../suite/galera/r/galera_ist_rsync.result    |  2 +-
+ .../galera/r/galera_sst_mysqldump.result      |  2 +-
+ .../suite/galera/r/mysql-wsrep#33.result      |  2 +-
+ .../suite/sys_vars/r/sysvars_wsrep.result     |  4 +-
+ .../sys_vars/r/wsrep_notify_cmd_basic.result  | 47 -------------------
+ .../sys_vars/r/wsrep_provider_basic.result    | 40 ----------------
+ .../r/wsrep_provider_options_basic.result     | 46 ------------------
+ .../sys_vars/t/wsrep_notify_cmd_basic.test    | 43 -----------------
+ .../sys_vars/t/wsrep_provider_basic.test      | 39 ---------------
+ .../t/wsrep_provider_options_basic.test       | 41 ----------------
+ mysql-test/suite/wsrep/disabled.def           |  2 +
+ mysql-test/suite/wsrep/r/variables.result     | 12 ++---
+ mysql-test/suite/wsrep/t/variables.test       | 32 +++----------
+ sql/sys_vars.cc                               |  8 ++--
+ 17 files changed, 25 insertions(+), 319 deletions(-)
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+
+diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def
+index d940c702d54..83f26e81636 100644
+--- a/mysql-test/suite/galera/disabled.def
++++ b/mysql-test/suite/galera/disabled.def
+@@ -49,3 +49,5 @@ partition : MDEV-19958 Galera test failure on galera.partition
+ query_cache: MDEV-15805 Test failure on galera.query_cache
+ sql_log_bin : MDEV-21491 galera.sql_log_bin
+ versioning_trx_id : MDEV-18590 galera.versioning_trx_id
++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons
++pxc-421: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc
+index 0f843597d9c..28010cc5b71 100644
+--- a/mysql-test/suite/galera/include/galera_load_provider.inc
++++ b/mysql-test/suite/galera/include/galera_load_provider.inc
+@@ -1,25 +1,6 @@
+ --echo Loading wsrep provider ...
+ 
+ --disable_query_log
+---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig';
+-
+-#
+-# count occurences of successful node starts in error log
+-#
+-perl;
+-  use strict;
+-   my $test_log=$ENV{'LOG_FILE'} or die "LOG_FILE not set";
+-   my $test_log_copy=$test_log . '.copy';
+-   if (-e $test_log_copy) {
+-      unlink $test_log_copy;
+-   }
+-
+-EOF
+---copy_file $LOG_FILE $LOG_FILE.copy
+-
+-#
+-#  now join to the cluster
+-#
+ --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig';
+ 
+ --enable_query_log
+diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc
+index cd841f51fbc..ed7e9bc41f0 100644
+--- a/mysql-test/suite/galera/include/galera_unload_provider.inc
++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Unloading wsrep provider ...
+ 
+ --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address`
+---let $wsrep_provider_orig = `SELECT @@wsrep_provider`
+ --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options`
+ --let $wsrep_error_log_orig = `SELECT @@log_error`
+ if(!$wsrep_log_error_orig)
+@@ -12,4 +11,4 @@ if(!$wsrep_log_error_orig)
+ }
+ --let LOG_FILE= $wsrep_log_error_orig
+ 
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result
+index 13f7d898a59..70a87c73df7 100644
+--- a/mysql-test/suite/galera/r/galera_ist_rsync.result
++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result
+@@ -23,7 +23,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+index 4ed679ba477..145b3a94775 100644
+--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result
++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+index fb0b593cc96..45c6a3f660a 100644
+--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result
++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+@@ -32,7 +32,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+index 4b6abf85434..f73bfbd13e7 100644
+--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+@@ -403,7 +403,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ GLOBAL_VALUE_PATH	NULL
+ VARIABLE_NAME	WSREP_ON
+@@ -463,7 +463,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ GLOBAL_VALUE_PATH	NULL
+ VARIABLE_NAME	WSREP_PROVIDER_OPTIONS
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+deleted file mode 100644
+index 056ff8c817b..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
++++ /dev/null
+@@ -1,47 +0,0 @@
+-#
+-# wsrep_notify_cmd
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-# default
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-
+-# scope
+-SELECT @@session.wsrep_notify_cmd;
+-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-notify_cmd
+-
+-# valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-command
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-hyphenated-command
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# invalid values
+-SET @@global.wsrep_notify_cmd=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd'
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+deleted file mode 100644
+index 3e4ac8ca883..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
++++ /dev/null
+@@ -1,40 +0,0 @@
+-#
+-# wsrep_provider
+-#
+-# save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-# default
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# scope
+-SELECT @@session.wsrep_provider;
+-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# invalid values
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so'
+-SET @@global.wsrep_provider=NULL;
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-SET @@global.wsrep_provider=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+deleted file mode 100644
+index 15949a14e39..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
++++ /dev/null
+@@ -1,46 +0,0 @@
+-#
+-# wsrep_provider_options
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# default
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# scope
+-SELECT @@session.wsrep_provider_options;
+-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# valid values
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=default;
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# invalid values
+-SET @@global.wsrep_provider_options=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options'
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=NULL;
+-Got one of the listed errors
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+deleted file mode 100644
+index 6d1535ba148..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
++++ /dev/null
+@@ -1,43 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_notify_cmd
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-
+---echo # default
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_notify_cmd=1;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+deleted file mode 100644
+index 1190ab41bb0..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
++++ /dev/null
+@@ -1,39 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider
+---echo #
+-
+---echo # save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-
+---echo # default
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider=NULL;
+-SELECT @@global.wsrep_provider;
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider=1;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+deleted file mode 100644
+index 6eb3a94b6a4..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
++++ /dev/null
+@@ -1,41 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider_options
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # default
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # valid values
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider_options=1;
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=NULL;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def
+index 11577bfe8b0..3d204db6945 100644
+--- a/mysql-test/suite/wsrep/disabled.def
++++ b/mysql-test/suite/wsrep/disabled.def
+@@ -10,3 +10,5 @@
+ #
+ ##############################################################################
+ 
++
++mdev_6832: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result
+index a9988fd1628..e57440125ee 100644
+--- a/mysql-test/suite/wsrep/r/variables.result
++++ b/mysql-test/suite/wsrep/r/variables.result
+@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON;
+ ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL
+ SET GLOBAL wsrep_replicate_myisam= ON;
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
+ #
+ # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+ # variables when using "_"
+@@ -151,7 +150,6 @@ wsrep_local_state_comment	#
+ # Should show nothing.
+ SHOW STATUS LIKE 'x';
+ Variable_name	Value
+-SET GLOBAL wsrep_provider=none;
+ 
+ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ Variable_name	Value
+@@ -160,7 +158,6 @@ wsrep_local_state_uuid	#
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ Variable_name	Value
+ wsrep_last_committed	#
+-SET GLOBAL wsrep_provider=none;
+ 
+ #
+ # MDEV#6206: wsrep_slave_threads subtracts from max_connections
+@@ -174,7 +171,7 @@ SELECT @@global.wsrep_slave_threads;
+ 1
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -183,14 +180,14 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ SELECT @@global.wsrep_provider;
+ @@global.wsrep_provider
+ libgalera_smm.so
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -199,11 +196,10 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ # Setting wsrep_cluster_address triggers the creation of
+ # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ # Wait for applier thread to get created 1.
+ # Wait for applier thread to get created 2.
+ SELECT VARIABLE_VALUE AS EXPECT_1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count';
+diff --git a/mysql-test/suite/wsrep/t/variables.test b/mysql-test/suite/wsrep/t/variables.test
+index f2c3a0a3b78..fd352b61a3a 100644
+--- a/mysql-test/suite/wsrep/t/variables.test
++++ b/mysql-test/suite/wsrep/t/variables.test
+@@ -23,7 +23,7 @@ SET GLOBAL wsrep_replicate_myisam= ON;
+ 
+ # Reset it back.
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo #
+ --echo # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+@@ -32,9 +32,6 @@ SET GLOBAL wsrep_provider=none;
+ 
+ CALL mtr.add_suppression("WSREP: Could not open saved state file for reading.*");
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
+ 
+ --replace_column 2 #
+ SHOW GLOBAL STATUS LIKE 'wsrep%';
+@@ -50,11 +47,9 @@ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';
+ SHOW STATUS LIKE 'x';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ # The following 2 variables are used by mariabackup
+ # SST.
+@@ -66,7 +61,7 @@ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo
+ --echo #
+@@ -74,9 +69,7 @@ SET GLOBAL wsrep_provider=none;
+ --echo #
+ call mtr.add_suppression("WSREP: Failed to get provider options");
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -87,9 +80,7 @@ SHOW STATUS LIKE 'threads_connected';
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ --echo
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -101,7 +92,7 @@ SHOW STATUS LIKE 'wsrep_thread_count';
+ 
+ --echo # Setting wsrep_cluster_address triggers the creation of
+ --echo # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
++#SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ 
+ --echo # Wait for applier thread to get created 1.
+ --let $wait_condition = SELECT VARIABLE_VALUE = 1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count';
+@@ -162,15 +153,6 @@ SET @@global.wsrep_sst_auth= NULL;
+ SELECT @@global.wsrep_sst_auth;
+ SET @@global.wsrep_sst_auth= @wsrep_sst_auth_saved;
+ 
+-# Reset (for mtr internal checks)
+-
+---disable_query_log
+-SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved;
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+-SET GLOBAL wsrep_cluster_address= @wsrep_cluster_address_saved;
+-SET GLOBAL wsrep_provider_options= @wsrep_provider_options_saved;
+---enable_query_log
+-
+ --source include/galera_wait_ready.inc
+ 
+ --echo # End of test.
+diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
+index 64040243df0..8c67a4d432a 100644
+--- a/sql/sys_vars.cc
++++ b/sql/sys_vars.cc
+@@ -5669,8 +5669,8 @@ static Sys_var_tz Sys_time_zone(
+ 
+ static Sys_var_charptr_fscs Sys_wsrep_provider(
+        "wsrep_provider", "Path to replication provider library",
+-       PREALLOCATED GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
+-       DEFAULT(WSREP_NONE),
++       PREALLOCATED READ_ONLY GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
++       DEFAULT(WSREP_NONE),
+        NO_MUTEX_GUARD, NOT_IN_BINLOG,
+        ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update));
+ 
+@@ -5886,8 +5886,8 @@ static Sys_var_ulong Sys_wsrep_max_ws_rows (
+ 
+ static Sys_var_charptr Sys_wsrep_notify_cmd(
+        "wsrep_notify_cmd", "",
+-       GLOBAL_VAR(wsrep_notify_cmd),CMD_LINE(REQUIRED_ARG),
+-       DEFAULT(""));
++       READ_ONLY GLOBAL_VAR(wsrep_notify_cmd), CMD_LINE(REQUIRED_ARG),
++       DEFAULT(""));
+ 
+ static Sys_var_mybool Sys_wsrep_certify_nonPK(
+        "wsrep_certify_nonPK", "Certify tables with no primary key",
+-- 
+2.31.0
+
-- 
2.31.0





Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Thu, 25 Mar 2021 12:49:02 GMT) (full text, mbox, link).


Message #46 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47257@debbugs.gnu.org
Subject: Re: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 13:48:41 +0100
[Message part 1 (text/plain, inline)]
v3 tested and builds fine:

$ ./pre-inst-env guix build mariadb
/gnu/store/f70jymwyfcnsghy4jg8caibci59p8rgq-mariadb-10.5.8-dev
/gnu/store/cj3qym1x1jjh02m2g23cqpbhchrbmn6c-mariadb-10.5.8-lib
/gnu/store/mpb5bdf1vkwazqfmmwcvskdm50g191bg-mariadb-10.5.8

Since we don't have PoC, I can't verify the rebased patch actually
fixes the security issue but it should. That's what we get when
manually rebasing stuff to earlier versions. Test suite passes but not
sure it actually tests this security issue being fixed.

Please review, then I will push, it's been 7 days so, let's get this
in.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Fri, 26 Mar 2021 01:19:02 GMT) (full text, mbox, link).


Message #49 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Mark H Weaver <mhw@netris.org>
To: Léo Le Bouter <lle-bout@zaclys.net>, 47257@debbugs.gnu.org
Subject: Re: bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Thu, 25 Mar 2021 21:16:59 -0400
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> v3 tested and builds fine:
>
> $ ./pre-inst-env guix build mariadb
> /gnu/store/f70jymwyfcnsghy4jg8caibci59p8rgq-mariadb-10.5.8-dev
> /gnu/store/cj3qym1x1jjh02m2g23cqpbhchrbmn6c-mariadb-10.5.8-lib
> /gnu/store/mpb5bdf1vkwazqfmmwcvskdm50g191bg-mariadb-10.5.8
>
> Since we don't have PoC, I can't verify the rebased patch actually
> fixes the security issue but it should. That's what we get when
> manually rebasing stuff to earlier versions. Test suite passes but not
> sure it actually tests this security issue being fixed.
>
> Please review, then I will push, it's been 7 days so, let's get this
> in.

Looks good to me.  Please push.  Thank you!

     Mark




Reply sent to Léo Le Bouter <lle-bout@zaclys.net>:
You have taken responsibility. (Fri, 26 Mar 2021 01:24:02 GMT) (full text, mbox, link).


Notification sent to Léo Le Bouter <lle-bout@zaclys.net>:
bug acknowledged by developer. (Fri, 26 Mar 2021 01:24:02 GMT) (full text, mbox, link).


Message #54 received at 47257-done@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: Mark H Weaver <mhw@netris.org>, 47257-done@debbugs.gnu.org
Subject: Re: bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Fri, 26 Mar 2021 02:23:47 +0100
[Message part 1 (text/plain, inline)]
On Thu, 2021-03-25 at 21:16 -0400, Mark H Weaver wrote:
> 
> Looks good to me.  Please push.  Thank you!
> 
>      Mark

Thank you for the review, pushed as
52c8d07a4f7033534a71ac7efeec21a65d35c125.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Mon, 29 Mar 2021 21:35:01 GMT) (full text, mbox, link).


Message #57 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Mon, 29 Mar 2021 23:34:15 +0200
On Thu, 25 Mar 2021 at 12:28, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> > Instead of grafting, I would fix first check the compatibility
> > between
> > mariadb  and zstd.  Because mariadb@10.5.8 does not build with
> > zstd@1.4.9, at least on my machine.
>
> Can you post build logs and repro scenario? mariadb@10.5.8 built fine
> for me on core-updates which has zstd@1.4.9.

On core-updates, I get this:

--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && ./pre-inst-env guix build mariadb
b20b45c6ce (HEAD -> core-updates, origin/core-updates) gnu: gd: Patch
away recent pkg-config files change that breaks php build.

[...]

Only  2061  of 5666 completed.
--------------------------------------------------------------------------
The servers were restarted 258 times
Spent 10782.523 of 607 seconds executing testcases

Failure: Failed 1/427 tests, 99.77% were successful.

Failing test(s): innodb.check_ibd_filesize

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

798 tests were skipped, 39 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 683.
    mtr_report::mtr_error("there were failing test cases") called at
lib/mtr_report.pm line 552
    mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x1ae0180),
ARRAY(0xd3cb68)) called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 586
    main::main() called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 387
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "./mtr" arguments: ("--verbose"
"--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel"
"64" "--skip-rpl" "--skip-test-list=unstable-tests") exit-status: 1
term-signal: #f stop-signal: #f>
phase `check' failed after 606.9 seconds
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40"
"--suite-timeout=600" "--parallel" "64" "--skip-rpl"
"--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed with exit code 1
build of /gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv failed
View build log at
'/var/log/guix/drvs/33/9560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv.bz2'.
guix build: error: build of
`/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---

Maybe, I am not doing something wrong.  Then on master, it "works"
except after the ungraft.   Well, it seems coherent with what I get
from core-updates.  So if I am doing wrong, I do not know where.

--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
a801c7379a (HEAD) gnu: Remove QT 4.
 cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
 cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
  GEN      scripts/guix
Compiling Scheme modules...
[  6%] LOAD     gnu/packages/compression.scm
[ 12%] LOAD     gnu/packages/databases.scm
[ 19%] LOAD     gnu/packages/engineering.scm
[ 25%] LOAD     gnu/packages/messaging.scm
[ 31%] LOAD     gnu/packages/password-utils.scm
[ 38%] LOAD     gnu/packages/pdf.scm
[ 44%] LOAD     gnu/packages/qt.scm
[ 50%] LOAD     gnu/packages/sqlite.scm
[ 56%] GUILEC   gnu/packages/compression.go
[ 62%] GUILEC   gnu/packages/databases.go
[ 69%] GUILEC   gnu/packages/engineering.go
[ 75%] GUILEC   gnu/packages/messaging.go
[ 81%] GUILEC   gnu/packages/password-utils.go
[ 88%] GUILEC   gnu/packages/pdf.go
[ 94%] GUILEC   gnu/packages/qt.go
[100%] GUILEC   gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/231bip1j7j3prx4q6mr44f3hdn8sl9nh-mariadb-10.5.8-dev
/gnu/store/43sbv46pn6a31722savgbqcrryyn513h-mariadb-10.5.8-lib
/gnu/store/68az8ch2l6x0ldjnjhqsmpn19ns9srjp-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
52c8d07a4f (HEAD) gnu: mariadb: Fix CVE-2021-27928.
 cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
 cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
  GEN      scripts/guix
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/databases.scm
[100%] GUILEC   gnu/packages/databases.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
6e7ba45357 (HEAD) gnu: sqlite: Update to 3.32.3 [security fixes].
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/sqlite.scm
[100%] GUILEC   gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
692f1e5217 (HEAD) DRAFT: gnu: zstd: Fix test suite.
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/compression.scm
[100%] GUILEC   gnu/packages/compression.go
/gnu/store/q33xvan4j71f4kil0lg4h2yk549al1rv-zstd-1.4.9-lib
/gnu/store/rixmvq9497dwqxr7apa4n70gmhb50lc7-zstd-1.4.9
/gnu/store/2ym2nn0rmzgigagj7zrx4s6gidk94pqg-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8

$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q           && \
> ./pre-inst-env guix build mariadb -q
93fee48ada (HEAD -> fix-zstd) DRAFT: gnu: zstd: Update to 1.4.9 (ungraft).
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD     gnu/packages/compression.scm
[100%] GUILEC   gnu/packages/compression.go
/gnu/store/mmsp9ym0d3zcc0g1rr2gwmxb5pcq1wkm-zstd-1.4.9-lib
/gnu/store/6bi9kvsj0si590ra99yzb8dchikzlxb1-zstd-1.4.9
/gnu/store/1cnbqm29rc0gp30h18x7hs785c55fl0m-zstd-1.4.9-static
guix build: error: build of
`/gnu/store/5927s1x3hpfv4v9rsc9y06kycx93zqvh-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---

I could be wrong... and I have not investigated more.  As I said
elsewhere, grafting zstd from 1.4.4 to 1.4.9 seems totally *wrong*.
There is ~1.5 years and 4 releases between these 2 releases.

BTW, note that:

   $ guix graph --path mariadb zstd
   guix graph: error: no path from 'mariadb@10.5.8' to 'zstd@1.4.9'

Grafting MariaDB makes sense here.  The culprit is zstd, IMHO.

> > Other said, I seem better to do this fix as a whole on core-updates
> > without any graft.  Instead of grafting here and there; and not
> > necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> > 10.5.8
> > to 10.5.8).
>
> We can't patch security issues through core-updates, especially this
> RCE.

I will not comment because I am bored by all that.


Last, you have been prompted to commit a major update and disable the
test-suite for zstd, and I am still waiting that you are prompt again
to fix it; especially when a proposal fix is done here:

<https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00295.html>


Best regards,
simon




Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Tue, 30 Mar 2021 00:27:01 GMT) (full text, mbox, link).


Message #60 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: zimoun <zimon.toutoune@gmail.com>
Cc: 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Tue, 30 Mar 2021 02:26:30 +0200
[Message part 1 (text/plain, inline)]
Hello!

Simon,

I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
patch. Thank you for it. Let's watch for upstream zstd fix also.

I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.

Ubuntu released a patch in the mean time, so while we couldnt make such
patch in a timely manner because the backport was non-trivial and
security-sensitive also didnt want to risk failing to fix the flaw
because I don't have much expertise on it, Ubuntu now has done that
work and we can just use it.

Léo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47257; Package guix. (Tue, 30 Mar 2021 08:30:02 GMT) (full text, mbox, link).


Message #63 received at 47257@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47257@debbugs.gnu.org
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Tue, 30 Mar 2021 10:29:20 +0200
Hi Léo,

On Tue, 30 Mar 2021 at 02:26, Léo Le Bouter <lle-bout@zaclys.net> wrote:

> I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
> patch. Thank you for it. Let's watch for upstream zstd fix also.

Thanks.  It mitigates zstd, even if it does not solve MariaDB.  One
foot, then another. :-)

> I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.

Cool!  LTGM.

> Ubuntu released a patch in the mean time, so while we couldnt make such
> patch in a timely manner because the backport was non-trivial and
> security-sensitive also didnt want to risk failing to fix the flaw
> because I don't have much expertise on it, Ubuntu now has done that
> work and we can just use it.

Thanks for taking care.  And do not consider my concerns as a slowdown
but instead as a way to reach something better.  For instance
9feef62b73 seems The Right Thing (AFAIU), whereas 6f873731a0 and
2bcfb944bd are not (AFAIK).  On one hand, I agree that ~3 weeks
appears long through the lens of security vulnerabilities.  On the
other hand, it is usually worth to take the time; as here. :-)
Examine the various options and so the best move always takes time.

Well, thanks for pushing forward with security.

All the best,
simon




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 27 Apr 2021 11:24:07 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:05:06 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.