Bug 170126 - dev-db/mysql <5.0.37 Denial of Service (CVE-2007-1420)
Summary: dev-db/mysql <5.0.37 Denial of Service (CVE-2007-1420)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/22900
Whiteboard: B3 [] jaervosz
Keywords:
Duplicates: 170539 171226 174245
Depends on: 171934
Blocks:
Reported: 2007-03-09 14:48 UTC by Stefan Behte (RETIRED)
Modified: 2007-05-08 20:06 UTC (History)
CC List: 10 users

See Also:
Package list:
Runtime testing required: ---


Attachments
mysql-5.0.37 failed patch "702_all_trigger-rename-fail-as-root-5.0.34" (702_all_trigger-rename-fail-as-root-5.0.34.patch-30813.out,5.37 KB, patch)
2007-03-11 19:47 UTC, Stefan Behte (RETIRED)
mysql-5.0.37 emerge failed: complete log (dev-db:mysql-5.0.37:20070311-192822.log,2.72 KB, text/plain)
2007-03-11 19:48 UTC, Stefan Behte (RETIRED)

Description Stefan Behte (RETIRED) gentoo-dev Security 2007-03-09 14:48:06 UTC
On: http://dev.mysql.com/downloads/mysql/5.0.html#downloads
Comment 1 Nicola 2007-03-11 10:25:46 UTC
http://www.securityfocus.com/bid/22900
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-11 19:47:15 UTC
Created attachment 112992 [details, diff]
mysql-5.0.37 failed patch "702_all_trigger-rename-fail-as-root-5.0.34"
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-11 19:48:06 UTC
Created attachment 112993 [details]
mysql-5.0.37 emerge failed: complete log
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-11 19:48:48 UTC
When trying to write an ebuild, I edited the old one (mysql-5.0.34.ebuild) and saw: 
SERVER_URI="ftp://ftp.mysql.com/pub/mysql/src/mysql-${PV//_/-}.tar.gz"
So I checked if there was a mysql-5.0.37.tar.gz, but there wasn't. The funny thing I noticed: you can upload files there, but you cannot download them.
I wrote to mysql AB about it, because if someone puts backdoored code there and an admin does a chmod 664 on the file (because someone complained that he could not download the file), really evil things might happen.

Well, 5.0.37 has 2 new configure flags:
>   --disable-profiling     Build a version without query profiling code
>   --disable-grant-options Disables the use of --init-file, --skip-grant-tables and --bootstrap options

Should we create new useflags "noprofiling"

The mysql-5.0.34.ebuild sets a variable at the beginning, which I don't really understand, because it does not seem to be used?! : MY_EXTRAS_VER="20070217"

Well, I tested the ebuild:

>>> Downloading 'http://gentoo.intergenia.de/distfiles/mysql-extras-20070217.tar.bz2'
--20:28:24--  http://gentoo.intergenia.de/distfiles/mysql-extras-20070217.tar.bz2
           => `/usr/portage/distfiles/mysql-extras-20070217.tar.bz2'
Resolving gentoo.intergenia.de... 85.25.128.62, 217.172.191.164
Connecting to gentoo.intergenia.de|85.25.128.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50,155 (49K) [application/x-tar]

100%[==================================================================================================================>] 50.155        --.--K/s             

20:28:24 (748.13 KB/s) - `/usr/portage/distfiles/mysql-extras-20070217.tar.bz2' saved [50155/50155]

 * checking ebuild checksums ;-) ...                                                                                                                    [ ok ]
 * checking auxfile checksums ;-) ...                                                                                                                   [ ok ]
 * checking miscfile checksums ;-) ...                                                                                                                  [ ok ]
 * checking mysql-5.0.37.tar.gz ;-) ...                                                                                                                 [ ok ]
 * checking mysql-extras-20070217.tar.bz2 ;-) ...                                                                                                       [ ok ]
 * Berkeley DB support is deprecated and will be removed in future versions!
>>> Unpacking source...
 * Using default DATADIR
 * MySQL DATADIR is /var/lib/mysql
 * Previous datadir found, it's YOUR job to change
 * ownership and take care of it
>>> Unpacking mysql-5.0.37.tar.gz to /var/tmp/portage/dev-db/mysql-5.0.37/work
>>> Unpacking mysql-extras-20070217.tar.bz2 to /var/tmp/portage/dev-db/mysql-5.0.37/work
 * using '035_x86_asm-pic-fixes-4.1.12.patch'
 * >    remove page relocations
 * >    Most part of the original patch has already been accepted by MysQL,
 * >    here is the remaining.
 * >    _many_ thanks to pageexec@freemail.hu
 * using '105_all_mysql_config_cleanup.patch'
 * >    fix bug #156301 mysql_config wrongly retains too much info from CFLAGS
 * using '702_all_trigger-rename-fail-as-root-5.0.34.patch'
 * >    portage normally ran as root, MySQL tests are designed to be used
 * >    with lower privileges
 * using '703_all_test-rpl_rotate_logs-5.0.21.patch'
 * using '704_all_disable_mybug_9735_test.patch'
 * >    disable a test that fails on longtext field length, the expected value is
 * >    three times the returned one, look like a multibyte character related
 * >    failure.
 * Applying various patches (bugfixes/updates) ...
 *   035_x86_asm-pic-fixes-4.1.12.patch ...                                                                                                             [ ok ]
 *   105_all_mysql_config_cleanup.patch ...                                                                                                             [ ok ]
 *   702_all_trigger-rename-fail-as-root-5.0.34.patch ...

 * Failed Patch: 702_all_trigger-rename-fail-as-root-5.0.34.patch !
 *  ( /var/tmp/portage/dev-db/mysql-5.0.37/work/patch/702_all_trigger-rename-fail-as-root-5.0.34.patch )
 * 
 * Include in your bugreport the contents of:
 * 
 *   /var/tmp/portage/dev-db/mysql-5.0.37/temp/702_all_trigger-rename-fail-as-root-5.0.34.patch-30813.out


!!! ERROR: dev-db/mysql-5.0.37 failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_unpack
  ebuild.sh, line 751:   Called qa_call 'src_unpack'
  environment, line 4378:   Called src_unpack
  ebuild.sh, line 1304:   Called mysql_src_unpack
  mysql.eclass, line 501:   Called epatch
  eutils.eclass, line 341:   Called die

!!! Failed Patch: 702_all_trigger-rename-fail-as-root-5.0.34.patch!
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/log/portagelog/dev-db:mysql-5.0.37:20070311-192822.log'.

!!! This ebuild is from an overlay: '/root/OVERLAY'

I attached the files.


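The worry in comment 4 (a backdoored tarball in the upload directory quietly made readable by an admin) is the case the "checking mysql-5.0.37.tar.gz" step in the emerge log above guards against: Portage compares the fetched distfile's size and digests with the DIST line in the package Manifest before it unpacks anything. The following is an added example, not code from this bug or from Portage, of that check done by hand in Python. The Manifest excerpt, the file name sample-1.0.tar.gz and the three-byte payload are constructed for illustration (the digests on the DIST line are those of the bytes "abc"), and the "DIST name size ALGO hex ..." line layout is assumed from the Manifest format of the time.

```python
"""Verify a downloaded distfile against a Gentoo-style Manifest entry.

Added example; the Manifest text and payloads below are constructed.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed Manifest excerpt in the "DIST <file> <size> <ALGO> <hex> ..."
# layout (an assumption for this example, not the real dev-db/mysql Manifest).
# The SHA1/SHA256 values are the digests of the 3-byte payload b"abc".
SAMPLE_MANIFEST = """\
DIST sample-1.0.tar.gz 3 SHA1 a9993e364706816aba3e25717850c26c9cd0d89d SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
EBUILD sample-1.0.ebuild 4 SHA256 0000000000000000000000000000000000000000000000000000000000000000
"""


@dataclass
class DistEntry:
    name: str
    size: int
    digests: dict = field(default_factory=dict)  # hashlib name -> hex digest


def parse_manifest(text: str) -> dict:
    """Return {filename: DistEntry} for every well-formed DIST line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # A DIST line is "DIST name size" followed by one or more (ALGO, hex) pairs,
        # so it always has an odd number of fields and at least five.
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 == 0:
            continue
        digests = {algo.lower(): hexd.lower()
                   for algo, hexd in zip(parts[3::2], parts[4::2])}
        entries[parts[1]] = DistEntry(parts[1], int(parts[2]), digests)
    return entries


def verify_distfile(entry: DistEntry, data: bytes) -> list:
    """Return a list of problems; an empty list means the file matches."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size {len(data)} != {entry.size}")
    checked = 0
    for algo, expected in entry.digests.items():
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:
            continue  # algorithm not available locally: neither a pass nor a fail
        checked += 1
        if actual != expected:
            problems.append(f"{algo} mismatch: got {actual}")
    if checked == 0:
        # A file nothing could be checked against must not count as verified.
        problems.append("no locally supported digest to check")
    return problems


def check_download(manifest_text: str, filename: str, data: bytes) -> list:
    """Look the file up and verify it, as Portage does before unpacking."""
    entry = parse_manifest(manifest_text).get(filename)
    if entry is None:
        return [f"{filename} not listed in Manifest"]
    return verify_distfile(entry, data)


if __name__ == "__main__":
    cases = [("genuine", b"abc"), ("tampered, same size", b"abd"), ("truncated", b"ab")]
    for label, payload in cases:
        result = check_download(SAMPLE_MANIFEST, "sample-1.0.tar.gz", payload)
        print(f"{label}: {result or 'ok'}")
```

The same-size tampered payload passes the size comparison and is rejected only by the digest comparison, which is why the size field alone is never enough; a distfile with no Manifest entry, or one whose digests cannot be computed locally, is reported as a failure rather than silently accepted.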
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-12 16:02:03 UTC
*** Bug 170539 has been marked as a duplicate of this bug. ***
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-12 16:07:15 UTC
reassigning, changing product/... since this is a security issue

please provide an updated ebuild
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-12 19:05:02 UTC
Just FYI: about their server's strange behavior: LenZ of the mysql team informed me that they appreciate that I informed them about it. The 5.0.37 sources are available at the usual place already and have been put on the mirror sites: http://dev.mysql.com/downloads/mysql/5.0.html.

Back to the topic:
I'm going to eat something now and then I'll try to create an updated ebuild. If there is anyone else interested, we could try to figure it out together on IRC; I'm not an experienced ebuild-writer. Sorry for spamming :)
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-03-12 21:10:32 UTC
I am working on the ebuild already, per my comment to the security folk. Hopefully out in the next 8 hours or so.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-12 21:42:32 UTC
As you're much better in writing ebuilds, I guess I can't really help you, so I'll stop my efforts. BUT: I'll test it as soon as it's out :)
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-20 19:47:35 UTC
Any progress yet? 8 hours recently became 8 days. :/

To Robin Johnson: Are you still working on it?! Otherwise I'll try to get it to work tomorrow evening.
Comment 11 Láďa Durchánek 2007-03-20 21:16:30 UTC
*** Bug 171226 has been marked as a duplicate of this bug. ***
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-03-22 16:36:41 UTC
Craig: I am indeed working on it still. See my devaway status however.
At the moment, even after excluding that previous test, I am running into a few more testcases that fail, and I haven't narrowed them down to being a 5.0.37 problem or a Gentoo problem yet.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-22 20:22:38 UTC
Sorry! It's not shown here, and I don't visit the "devaway" page that often.
Thanks for your reply! :)
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-03-24 21:19:17 UTC
Anybody interested in the test failures, see the logs here:
http://dev.gentoo.org/~robbat2/dev-db_mysql-5.0.37_20070324-204024.log.gz

see the information_schema and execution_constants failures
Comment 15 Thomas Seifert 2007-03-26 10:46:08 UTC
(In reply to comment #14)
> Anybody interested in the test failures, see the logs here:
> http://dev.gentoo.org/~robbat2/dev-db_mysql-5.0.37_20070324-204024.log.gz
> 
> see the information_schema and execution_constants failures
> 

I'm not sure how to read this but is the "information_schema" failure just about the additional PROFILE stuff in there?
5.0.37 adds profiling to the code, that's why, and it should be fine.
(see http://www.planetmysql.org/kaj/?p=90 for example )

If I understood it wrong just ignore my comment.


thomas
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-03-28 21:01:59 UTC
The information_schema failure turns out to be wrong-datatype stuff (upstream has a patch at http://bugs.mysql.com/bug.php?id=26600). Will integrate shortly.

The execution_constants is a different matter (upstream http://bugs.mysql.com/bug.php?id=26561) - it only affects PPC and IA64 hardware, but it is more severe. (Actually if somebody with a SPARC could try it, it would be very useful to know if it exists there as well).

security: should we release 5.0.37 for other arches in the meantime, and have 5.0.37 with KEYWORDS containing "-ppc -ppc64 -ia64" ?
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 21:45:12 UTC
Thx for the update Robin, do you have any ETA on the "final" fix?

As for a release for certain arches I think it is up to you. An attacker has to be able to execute arbitrary SQL commands to exploit this and we already have another unpatched DoS issue (at least affecting x86) on bug #171934. 

Security any other opinions?
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-03-29 00:01:20 UTC
no eta from upstream on the execution_constants fix.
since both of these depend on execution of arbitrary SQL, I'm inclined to wait for upstream to release either 5.0.38 or the execution constants patch.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-29 14:19:13 UTC
Ok, waiting for upstream to provide patches.
Comment 20 Hanno Böck gentoo-dev 2007-04-05 13:53:31 UTC
5.0.38 has been released upstream, while they didn't update the link on the download-page.

It's available on their ftp:
ftp://ftp.mysql.com/pub/mysql/src/
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-04-12 08:10:16 UTC
*** Bug 174245 has been marked as a duplicate of this bug. ***
Comment 22 Hanno Böck gentoo-dev 2007-04-12 19:47:26 UTC
I've locally created an updated ebuild, get it via:
svn co http://svn.hboeck.de/overlay/dev-db/mysql/

What I did:
- created a new patchset mysql-extras which applies the 702-patch only up till .34 and add a fix for the null pointer DoS

Please test. For reasons as yet unknown to me I can't start it with the gentoo-initscript any more, but manually starting mysqld works and I can't crash it any more with the public exploit codes.
Comment 23 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-04-15 02:11:27 UTC
I'm testing 5.0.38 now.
USE="berkdb perl ssl" - passes tests
USE="embedded" - non-trivial compile failure - I'll just "use embedded && die ..." for 5.0.38
USE="big-tables cluster" - test in progress still, no failures yet.
USE="extraengine" - test in progress still, this one is long, and it's got a non-trivial failure in archive_gis already.
Comment 24 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-04-15 13:01:54 UTC
5.0.38 is now in the tree. Give it an hour or so to get out, and for the mysql-extras tarball to make it to the mirrors.

Test procedure:
time FEATURES=test USE='berkdb big-tables cluster embedded extraengine' emerge mysql

It takes about 70 minutes on my quad G5 (ppc64-32ul) and my core2duo.
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2007-04-17 17:11:51 UTC
Thanks a lot, good work!
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-18 05:48:42 UTC
Stable marking is handled on bug #171934.
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 20:06:57 UTC
GLSA 200705-11 combined with bug 171934