GNU bug report logs

#47257 mariadb is vulnerable to CVE-2021-27928 (RCE)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 19 Mar 2021 10:25:46 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 19 06:25:46 2021
Received: from localhost ([127.0.0.1]:48871 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lNCKA-0004mC-FZ
	for submit@debbugs.gnu.org; Fri, 19 Mar 2021 06:25:46 -0400
Received: from lists.gnu.org ([209.51.188.17]:50662)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lNCK8-0004m5-In
 for submit@debbugs.gnu.org; Fri, 19 Mar 2021 06:25:44 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50446)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lNCK7-0006hu-3x
 for bug-guix@gnu.org; Fri, 19 Mar 2021 06:25:44 -0400
Received: from mail.zaclys.net ([178.33.93.72]:34781)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lNCK4-000792-3T
 for bug-guix@gnu.org; Fri, 19 Mar 2021 06:25:42 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12JAPZPw023317
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Fri, 19 Mar 2021 11:25:36 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12JAPZPw023317
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616149536;
 bh=1puOrrZCiHA8ILuIcfUwMaf9bq1QdKgqIlxQQejx6NY=;
 h=Subject:From:To:Date:From;
 b=mX5vzP0e61HvujFj+Nksb+9o1VHfMGQY93ggIkKs5ajMgo7Q5H786X0dZf4fC6UIg
 cltCEoGVKs+90YkO0jOYI6JZi2wijckltqLQCRSM9bz9q5eiN07gkKm6TescRpwD1n
 zhF5JIgqY/D3xTEPA9YmBZBcpSXf9fhCTefrni54=
Message-ID: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
Subject: mariadb is vulnerable to CVE-2021-27928 (RCE)
From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Fri, 19 Mar 2021 11:25:31 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-HV4jQBhGNbmjzWfMKcxr"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
CVE-2021-27928	04:15
A remote code execution issue was discovered in MariaDB 10.2 before
10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
2021-03-03 for MySQL. An untrusted search path leads to eval injection,
in which a database SUPER user can execute OS commands after modifying
wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
Oracle product.

From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
fixes it for us since we package 10.5.8 currently.

However:

$ ./pre-inst-env guix refresh -l mariadb
Building the following 552 packages would ensure 1047 dependent
packages are rebuilt:
[..]

Is it possible to graft mariadb you think? I am thinking this issue
doesnt need updating of the "lib" output which is what's causing the
high number of dependents AIUI. I am not sure we could actually update
individual outputs right now though. Might be a good idea to split the
packages for the future.

Léo

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:11:40 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.