Bug 580884 - glsa-check gives false positive on dev-db/mariadb-5.5.48
Summary: glsa-check gives false positive on dev-db/mariadb-5.5.48
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-23 00:27 UTC by Linear Systems Tech Svcs.
Modified: 2016-07-01 07:12 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Linear Systems Tech Svcs. 2016-04-23 00:27:13 UTC
When running glsa-check, I receive the following output:

tech8 ~ # glsa-check -v -n -t affected
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

...<snip>...
201504-05 [N] [remote  ] MySQL and MariaDB: Multiple vulnerabilities ( dev-db/mysql  dev-db/mariadb-5.5.48 )
...<snip>...
Reproducible: Always

Steps to Reproduce:
1. Install dev-db/mariadb-5.5.48 and app-portage/gentoolkit-0.3.0.9-r2
2. Run "glsa-check -v -n -t affected"
3. Check the output.
Actual Results:  
glsa-check reports installed version of MariaDB-5.5.48 as being vulnerable.

Expected Results:  
glsa-check shouldn't have brought MariaDB into the list at this time.

I have looked through all the posted CVEs for this GLSA (201504-05).

CVE-2014-6568: MariaDB not directly listed as affected.
CVE-2015-0374: MariaDB not directly listed as affected.
CVE-2015-0381: MariaDB not directly listed as affected.
CVE-2015-0382: MariaDB not directly listed as affected.
CVE-2015-0385: MariaDB not directly listed as affected.
CVE-2015-0391: MariaDB not directly listed as affected.
CVE-2015-0409: MariaDB not directly listed as affected.
CVE-2015-0411: MariaDB not directly listed as affected.
CVE-2015-0432: MariaDB not directly listed as affected.

Now, while I know that MySQL and MariaDB share major sections of the codebase, part of the reason for the fork was to get things improved and squared away faster than Oracle was willing to fix and improve their product.

Furthermore, to make sure I did my due diligence, I went to https://mariadb.com/kb/en/mariadb/security/ and confirmed that all reported CVEs that really affect both MySQL and MariaDB have been addressed in current versions of MariaDB 5.5 series:

----------------------------------------------------------------
Full List of CVEs fixed in MariaDB (snipped to CVEs in question)

...<snip>...
CVE-2015-0432: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0411: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0391: MariaDB 5.5.39, MariaDB 10.0.13
CVE-2015-0382: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0381: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0374: MariaDB 5.5.41, MariaDB 10.0.16
...<snip>...
CVE-2014-6568: MariaDB 5.5.41, MariaDB 10.0.16

Keep in mind that MariaDB 5.5 is the last version that acts as a full "drop-in replacement" for MySQL(5.5), which eases transition from one to the other.  At MariaDB 10, some additional conversions and/or configurations may need to be done for proper functioning.

Hope that helps.  Thanks for all your hard work.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2016-04-23 03:10:48 UTC
The GLSA for MariaDB is currently in draft stages.
Once it is written and checked in this will be addressed.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 07:12:59 UTC
dev-db/mariadb-5.x is currently unstable, which means it is not supported by Gentoo security.  However, considering the patch is backported to >=5.5.41 we can add it to the rge so the false positive goes away.  Please let us know if you continue to have false positives or other issues.
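The decision glsa-check makes in the report above, and the reason the fix in Comment 2 is an extra `<unaffected range="rge">` entry rather than a change to the vulnerable range, can be shown with a small model of the matching rule: an installed version is reported when it matches at least one `<vulnerable>` range of the GLSA's package block and matches none of the `<unaffected>` ranges. The following is an added example, not code from gentoolkit, glsa-check or the Gentoo security team. Everything in it is an assumption except the version numbers taken from the bug (dev-db/mariadb-5.5.48 installed, 10.0.16 and 5.5.41 as fixed versions): the GLSA package block is constructed, the version comparison handles only dotted numeric versions with an optional `-rN` revision, and the `r`-prefixed ranges (`rge`, `rlt`, ...) are treated as "same major.minor branch as the given version, then compare". That branch reading is the one under which adding `rge 5.5.41` makes the false positive go away; it is stated here as an assumption, not as a description of how gentoolkit's glsa.py implements these ranges.

```python
"""Minimal model of how glsa-check decides whether an installed package is
affected by a GLSA: the installed version must match at least one
<vulnerable> range and must not match any <unaffected> range.

Added example, not code from gentoolkit or the Gentoo security team.
Assumptions (not taken from the bug): the GLSA block below is constructed
from the versions the bug mentions (10.0.16 and 5.5.41); the version
comparison handles only numeric dotted versions with an optional -rN
revision; and an "r" range prefix (rge, rlt, ...) is read as "same
major.minor branch as the given version, then compare".  That branch
reading is an assumption here, not gentoolkit's implementation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed package block: the state that produces the false positive.
GLSA_BEFORE = """<glsa id="example">
<affected>
 <package name="dev-db/mariadb" auto="yes" arch="*">
  <unaffected range="ge">10.0.16</unaffected>
  <vulnerable range="lt">10.0.16</vulnerable>
 </package>
</affected>
</glsa>"""

# Same block after adding the 5.5-branch entry described in Comment 2.
GLSA_AFTER = GLSA_BEFORE.replace(
    '  <vulnerable range="lt">10.0.16</vulnerable>',
    '  <unaffected range="rge">5.5.41</unaffected>\n'
    '  <vulnerable range="lt">10.0.16</vulnerable>')

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """'5.5.48-r1' -> ((5, 5, 48), 1).  A missing revision counts as r0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def vercmp(a, b):
    """Compare two version strings: negative, zero or positive like cmp()."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    # Pad with zeros so that 5.5 == 5.5.0 and 10.0 < 10.0.16.
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    key_a, key_b = (na, ra), (nb, rb)
    return (key_a > key_b) - (key_a < key_b)


_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(installed, range_type, bound):
    """Does `installed` satisfy <... range="range_type">bound</...>?"""
    op = range_type
    if op.startswith("r"):
        # Branch-limited range (assumption, see module docstring): only
        # versions sharing all but the last component of `bound` qualify,
        # so rge 5.5.41 covers 5.5.48 but says nothing about 10.0.x.
        branch = parse_version(bound)[0][:-1]
        if parse_version(installed)[0][:len(branch)] != branch:
            return False
        op = op[1:]
    return _OPS[op](vercmp(installed, bound))


def affected_packages(glsa_xml, installed):
    """installed: {'dev-db/mariadb': ['5.5.48', ...]}.  Returns the
    (package, version) pairs the GLSA would flag as affected."""
    root = ET.fromstring(glsa_xml)
    hits = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        vul = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        for ver in installed.get(name, []):
            vulnerable = any(in_range(ver, r, b) for r, b in vul)
            safe = any(in_range(ver, r, b) for r, b in unaff)
            if vulnerable and not safe:
                hits.append((name, ver))
    return hits


if __name__ == "__main__":
    system = {"dev-db/mariadb": ["5.5.48"]}  # constructed installed set
    print("before fix:", affected_packages(GLSA_BEFORE, system))
    print("after fix: ", affected_packages(GLSA_AFTER, system))
```

Run stand-alone, the first line reports dev-db/mariadb-5.5.48 (it is below 10.0.16 and nothing in the block says the 5.5 branch is fixed), and the second reports nothing, because the new `rge` entry now covers it; 5.5.40 would still be reported under the same block. Whichever exact semantics gentoolkit gives `rge`, the structural point is the same: a package with two maintained branches needs an unaffected entry per branch, or every version of the older branch matches the `lt` vulnerable range with nothing to exempt it.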