Received: (at 47257) by debbugs.gnu.org; 29 Mar 2021 21:34:35 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 29 17:34:35 2021
Received: from localhost ([127.0.0.1]:49770 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
id 1lQzWs-0006iS-OF
for submit@debbugs.gnu.org; Mon, 29 Mar 2021 17:34:35 -0400
Received: from mail-qt1-f174.google.com ([209.85.160.174]:34479)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <zimon.toutoune@gmail.com>) id 1lQzWq-0006iF-Rz
for 47257@debbugs.gnu.org; Mon, 29 Mar 2021 17:34:33 -0400
Received: by mail-qt1-f174.google.com with SMTP id c6so10490847qtc.1
for <47257@debbugs.gnu.org>; Mon, 29 Mar 2021 14:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc:content-transfer-encoding;
bh=gr6UvQJsDoAZW0vfUqNsf8x1ICP/dawscfbk/BfRgnM=;
b=fRgIb0zbTWQLlLJWqg9oQ12UVYEu132uAH8DPyXYvMpT4J1LJBOBEKyW+4I+fIvaIl
FQGOTgsG9Z8EczgBfAnri1hlxq/AOvN4uLHcqUmvl2h2ntCPGfknkQ/C4C2d7xLgF/21
Pe6LaLokjr+W58ucXSYvNmHek+4BQdcyuzp3zptL6xgj5fNZ9NsHJouml6k9QXww5Or2
cBEAoe5CrS8wyLcSPlEqHM2tIOoWkZcSX3g+ijs9vct5k7IBT/LmQde3F402yM4Vqvr5
ejlTQnXD9mZxOnnqMxSGeKuNrCeKcvsSDRzjAURx94kg3tmSSXWlGAcgksk0lvMxLNBk
V+LA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=gr6UvQJsDoAZW0vfUqNsf8x1ICP/dawscfbk/BfRgnM=;
b=ozguKAt/zhtYFrWmt0OZeowQGUDhEHvBLe1x/2N/MiDLbxHNbHThC1RZv2dBodYqLY
1D+b8TvODvok5rTI1onD/8R/Qt0vPgFczT5C4Qisf5UOwKIaZHeBHriNyAY4v7vDVsxL
f6PcmCWfsfDu/YA5jOQ9NuAu5zageQdA9faLUUIaYiDVi1Nsu1HUu0yA6JL+dtT2NGTi
AnYy26XID5SPCplPslANfuj4K4vPt8Em1hG9QPTsROrL/b627zSTnm7ZDEk9I9vYUTC3
uQ2uFzUsWKuaSzSxuqG8VtJOlbqacT6kOAXdzYcBHmR9h8axOgIQv6bqLyINaObWf61V
Nkhw==
X-Gm-Message-State: AOAM53392Mqj2wuxSLvOWBbHMfmPk2/3mykwvueV1/X5MvNUjRIbKT3K
vnJPsRnutQPp4TS3gQVaVMCuqqzO+zNT7O3uQHs=
X-Google-Smtp-Source: ABdhPJzP7gYMOO8iU6MmjMTHDXLzAOFlURMinHdfJrCvMxgvXGXd+e9RGWyfAH0ujJVrVppCYJgMM0Ggf3cGcjnJ/5o=
X-Received: by 2002:ac8:6c3b:: with SMTP id k27mr24512026qtu.354.1617053667289;
Mon, 29 Mar 2021 14:34:27 -0700 (PDT)
MIME-Version: 1.0
References: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
<86r1kbl6kw.fsf@gmail.com>
<b9a61cca0f95239cb0b38fc4ef0988bd11b7777e.camel@zaclys.net>
In-Reply-To: <b9a61cca0f95239cb0b38fc4ef0988bd11b7777e.camel@zaclys.net>
From: zimoun <zimon.toutoune@gmail.com>
Date: Mon, 29 Mar 2021 23:34:15 +0200
Message-ID: <CAJ3okZ1jNE7_uSifHdoKHM5XgPwFe4OjnyhmbhJiwiLPq8C=zQ@mail.gmail.com>
Subject: Re: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
To: Léo Le Bouter <lle-bout@zaclys.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47257
Cc: 47257@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
On Thu, 25 Mar 2021 at 12:28, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Fri, 2021-03-19 at 12:35 +0100, zimoun wrote:
> > Instead of grafting, I would fix first check the compatibility
> > between
> > mariadb and zstd. Because mariadb@10.5.8 does not build with
> > zstd@1.4.9, at least on my machine.
>
> Can you post build logs and repro scenario? mariadb@10.5.8 built fine
> for me on core-updates which has zstd@1.4.9.
On core-updates, I get this:
--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && ./pre-inst-env guix build mariadb
b20b45c6ce (HEAD -> core-updates, origin/core-updates) gnu: gd: Patch
away recent pkg-config files change that breaks php build.
[...]
Only 2061 of 5666 completed.
--------------------------------------------------------------------------
The servers were restarted 258 times
Spent 10782.523 of 607 seconds executing testcases
Failure: Failed 1/427 tests, 99.77% were successful.
Failing test(s): innodb.check_ibd_filesize
The log files in var/log may give you some hint of what went wrong.
If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html
798 tests were skipped, 39 by the test itself.
mysql-test-run: *** ERROR: there were failing test cases
Error happened at lib/mtr_report.pm line 683.
mtr_report::mtr_error("there were failing test cases") called at
lib/mtr_report.pm line 552
mtr_report::mtr_report_stats("Failure", 1, ARRAY(0x1ae0180),
ARRAY(0xd3cb68)) called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 586
main::main() called at
/tmp/guix-build-mariadb-10.5.8.drv-0/mariadb-10.5.8/mysql-test/mysql-test-run.pl
line 387
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "./mtr" arguments: ("--verbose"
"--retry=3" "--testcase-timeout=40" "--suite-timeout=600" "--parallel"
"64" "--skip-rpl" "--skip-test-list=unstable-tests") exit-status: 1
term-signal: #f stop-signal: #f>
phase `check' failed after 606.9 seconds
command "./mtr" "--verbose" "--retry=3" "--testcase-timeout=40"
"--suite-timeout=600" "--parallel" "64" "--skip-rpl"
"--skip-test-list=unstable-tests" failed with status 1
builder for `/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed with exit code 1
build of /gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv failed
View build log at
'/var/log/guix/drvs/33/9560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv.bz2'.
guix build: error: build of
`/gnu/store/339560bw1rf3n7s4mbxx5q1ynwn5n52p-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---
Maybe, I am not doing something wrong. Then on master, it "works"
except after the ungraft. Well, it seems coherent with what I get
from core-updates. So if I am doing wrong, I do not know where.
--8<---------------cut here---------------start------------->8---
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
a801c7379a (HEAD) gnu: Remove QT 4.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 6%] LOAD gnu/packages/compression.scm
[ 12%] LOAD gnu/packages/databases.scm
[ 19%] LOAD gnu/packages/engineering.scm
[ 25%] LOAD gnu/packages/messaging.scm
[ 31%] LOAD gnu/packages/password-utils.scm
[ 38%] LOAD gnu/packages/pdf.scm
[ 44%] LOAD gnu/packages/qt.scm
[ 50%] LOAD gnu/packages/sqlite.scm
[ 56%] GUILEC gnu/packages/compression.go
[ 62%] GUILEC gnu/packages/databases.go
[ 69%] GUILEC gnu/packages/engineering.go
[ 75%] GUILEC gnu/packages/messaging.go
[ 81%] GUILEC gnu/packages/password-utils.go
[ 88%] GUILEC gnu/packages/pdf.go
[ 94%] GUILEC gnu/packages/qt.go
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/231bip1j7j3prx4q6mr44f3hdn8sl9nh-mariadb-10.5.8-dev
/gnu/store/43sbv46pn6a31722savgbqcrryyn513h-mariadb-10.5.8-lib
/gnu/store/68az8ch2l6x0ldjnjhqsmpn19ns9srjp-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
52c8d07a4f (HEAD) gnu: mariadb: Fix CVE-2021-27928.
cd . && /bin/bash /home/sitour/src/guix/wk/fix-zstd/build-aux/missing
automake-1.16 --gnu Makefile
cd . && /bin/bash ./config.status Makefile depfiles
config.status: creating Makefile
config.status: executing depfiles commands
Making all in po/guix
Making all in po/packages
GEN scripts/guix
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/databases.scm
[100%] GUILEC gnu/packages/databases.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
6e7ba45357 (HEAD) gnu: sqlite: Update to 3.32.3 [security fixes].
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/sqlite.scm
[100%] GUILEC gnu/packages/sqlite.go
/gnu/store/25sdln6zpjm2hcnmb55wi794k359mgkm-zstd-1.4.9-lib
/gnu/store/n64pny0wdqrk2mw4crs9bznwzg5cm5bc-zstd-1.4.9
/gnu/store/pjd5wx2dvrbxr3saf0a9a8va4v43b7zk-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
692f1e5217 (HEAD) DRAFT: gnu: zstd: Fix test suite.
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/q33xvan4j71f4kil0lg4h2yk549al1rv-zstd-1.4.9-lib
/gnu/store/rixmvq9497dwqxr7apa4n70gmhb50lc7-zstd-1.4.9
/gnu/store/2ym2nn0rmzgigagj7zrx4s6gidk94pqg-zstd-1.4.9-static
/gnu/store/avgmb7dr3r7555zxnspzzjzxcy5vhhz4-mariadb-10.5.8-dev
/gnu/store/jj2gmail5rfnlpmh2rj0vqxil0wihbj7-mariadb-10.5.8-lib
/gnu/store/bjgz8jnfsbb4qvaa9csfy8i3x1i3ivp7-mariadb-10.5.8
$ git log --oneline -1 && make -s 2>/dev/null && \
> ./pre-inst-env guix build zstd -q && \
> ./pre-inst-env guix build mariadb -q
93fee48ada (HEAD -> fix-zstd) DRAFT: gnu: zstd: Update to 1.4.9 (ungraft).
Making all in po/guix
Making all in po/packages
Compiling Scheme modules...
[ 50%] LOAD gnu/packages/compression.scm
[100%] GUILEC gnu/packages/compression.go
/gnu/store/mmsp9ym0d3zcc0g1rr2gwmxb5pcq1wkm-zstd-1.4.9-lib
/gnu/store/6bi9kvsj0si590ra99yzb8dchikzlxb1-zstd-1.4.9
/gnu/store/1cnbqm29rc0gp30h18x7hs785c55fl0m-zstd-1.4.9-static
guix build: error: build of
`/gnu/store/5927s1x3hpfv4v9rsc9y06kycx93zqvh-mariadb-10.5.8.drv'
failed
--8<---------------cut here---------------end--------------->8---
I could be wrong... and I have not investigated more. As I said
elsewhere, grafting zstd from 1.4.4 to 1.4.9 seems totally *wrong*.
There is ~1.5 years and 4 releases between these 2 releases.
BTW, note that:
$ guix graph --path mariadb zstd
guix graph: error: no path from 'mariadb@10.5.8' to 'zstd@1.4.9'
Grafting MariaDB makes sense here. The culprit is zstd, IMHO.
> > Other said, I seem better to do this fix as a whole on core-updates
> > without any graft. Instead of grafting here and there; and not
> > necessary small changes (zstd from 1.4.4 to 1.4.9, mariadb from
> > 10.5.8
> > to 10.5.8).
>
> We can't patch security issues through core-updates, especially this
> RCE.
I will not comment because I am bored by all that.
Last, you have been prompted to commit a major update and disable the
test-suite for zstd, and I am still waiting that you are prompt again
to fix it; especially when a proposal fix is done here:
<https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00295.html>
Best regards,
simon
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.