GNU bug report logs

#47257 mariadb is vulnerable to CVE-2021-27928 (RCE)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #10 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 19 Mar 2021 11:15:51 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 19 07:15:51 2021
Received: from localhost ([127.0.0.1]:48929 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lND6c-0001vA-NU
	for submit@debbugs.gnu.org; Fri, 19 Mar 2021 07:15:51 -0400
Received: from lists.gnu.org ([209.51.188.17]:40364)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <julien@lepiller.eu>) id 1lND6b-0001v3-5u
 for submit@debbugs.gnu.org; Fri, 19 Mar 2021 07:15:49 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:33026)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <julien@lepiller.eu>)
 id 1lND6a-0005d3-W1
 for bug-guix@gnu.org; Fri, 19 Mar 2021 07:15:49 -0400
Received: from lepiller.eu ([2a00:5884:8208::1]:34516)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <julien@lepiller.eu>)
 id 1lND6U-0003d3-IW
 for bug-guix@gnu.org; Fri, 19 Mar 2021 07:15:48 -0400
Received: from lepiller.eu (localhost [127.0.0.1])
 by lepiller.eu (OpenSMTPD) with ESMTP id c171f411;
 Fri, 19 Mar 2021 11:15:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=lepiller.eu; h=date
 :in-reply-to:references:mime-version:content-type
 :content-transfer-encoding:subject:to:from:message-id; s=dkim;
 bh=UEkuNXvWY+NBDKGWwtvOVBR9H4b/uNeOMOM2tEH/BMI=; b=jNSjfo+ddq8R
 VHA60W9eFVMvqxzYklbXNP2WeA85ZtLR3dc45MKLBPdWzUgIjPlhIfIEllB5yfKA
 dVIm4Zc2tNLXZwlvqNi9fSITz3JBBI82qU/dVXilA+M7WYiwGjZQ5t7tz7zm6f7a
 fb2mMwvjHt/C79IWqLHuAsbH3rmPRTO3+CtUuoBGuG2JOvjqpaTBFvYX3aOODE4h
 Jihuot+DRxWAwzJFNDB+Btm61fdn+xs74wWtAv5DRFdfVzE7TzYpEe5rwxQZr7/6
 Hwag0ucxJzXFhM8toKtqM1AaKul8got6Vv6sf3Yaxo0l2vhTX0pcAlL4vAaMmfl9
 3rr0KQ5Oiw==
Received: by lepiller.eu (OpenSMTPD) with ESMTPSA id 730a576c
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); 
 Fri, 19 Mar 2021 11:15:40 +0000 (UTC)
Date: Fri, 19 Mar 2021 07:15:33 -0400
User-Agent: K-9 Mail for Android
In-Reply-To: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
References: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----0KPKK8BP7CZ2R9OXF7YPO8PA9298CQ"
Content-Transfer-Encoding: 7bit
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
To: Léo Le Bouter <lle-bout@zaclys.net>,
 Léo Le Bouter via Bug reports for GNU Guix
 <bug-guix@gnu.org>, 47257@debbugs.gnu.org
From: Julien Lepiller <julien@lepiller.eu>
Message-ID: <65A2F9EE-030F-4174-95B0-4A862188EA3D@lepiller.eu>
Received-SPF: pass client-ip=2a00:5884:8208::1;
 envelope-from=julien@lepiller.eu; helo=lepiller.eu
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
You need to graft: when building a package, the output hash depends on the inputs, sources and instructions, so even if the content of the lib output does not change, its store path does, leading to a rebuild.

Le 19 mars 2021 06:25:31 GMT-04:00, "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org> a écrit :
>CVE-2021-27928	04:15
>A remote code execution issue was discovered in MariaDB 10.2 before
>10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
>10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
>2021-03-03 for MySQL. An untrusted search path leads to eval injection,
>in which a database SUPER user can execute OS commands after modifying
>wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
>Oracle product.
>
>From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
>fixes it for us since we package 10.5.8 currently.
>
>However:
>
>$ ./pre-inst-env guix refresh -l mariadb
>Building the following 552 packages would ensure 1047 dependent
>packages are rebuilt:
>[..]
>
>Is it possible to graft mariadb you think? I am thinking this issue
>doesnt need updating of the "lib" output which is what's causing the
>high number of dependents AIUI. I am not sure we could actually update
>individual outputs right now though. Might be a good idea to split the
>packages for the future.
>
>Léo

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:25:51 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.