Bug 832490 (CVE-2021-46661, CVE-2021-46662, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46666, CVE-2021-46667, CVE-2021-46668, CVE-2021-46669, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051, CVE-2022-24052) - <dev-db/mariadb-{10.2.43,10.3.34,10.4.25,10.5.15,10.6.8}: multiple vulnerabilities (CVE-2021-{46661,46662,46663,46664,46665,46666,46667,46668,46669})
Summary: <dev-db/mariadb-{10.2.43,10.3.34,10.4.25,10.5.15,10.6.8}: multiple vulnerabilities (CVE-2021-{46661,46662,46663,46664,46665,46666,46667,46668,46669})
Status: IN_PROGRESS
Alias: CVE-2021-46661, CVE-2021-46662, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46666, CVE-2021-46667, CVE-2021-46668, CVE-2021-46669, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051, CVE-2022-24052
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Keywords: PullRequest
Reported: 2022-02-01 08:35 UTC by filip ambroz
Modified: 2024-03-24 07:58 UTC
Runtime testing required: ---
Description filip ambroz 2022-02-01 08:35:09 UTC
[CVE-2021-46661]
MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).
URL: https://jira.mariadb.org/browse/MDEV-25766

[CVE-2021-46662]
MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.
URL: https://jira.mariadb.org/browse/MDEV-25637

[CVE-2021-46663]
MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.
URL: https://jira.mariadb.org/browse/MDEV-26351

[CVE-2021-46664]
MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr. (closely related to CVE-2021-46665)
URL: https://jira.mariadb.org/browse/MDEV-25761

[CVE-2021-46665]
MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.
URL: https://jira.mariadb.org/browse/MDEV-25636

[CVE-2021-46666]
MariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause.
URL: https://jira.mariadb.org/browse/MDEV-25635

[CVE-2021-46667]
MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.
URL: https://jira.mariadb.org/browse/MDEV-26350

[CVE-2021-46668]
MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.
URL: https://jira.mariadb.org/browse/MDEV-25787

[CVE-2021-46669]
MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.
URL: https://jira.mariadb.org/browse/MDEV-25638
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-18 23:03:55 UTC
CVE-2022-24052 (https://mariadb.com/kb/en/security/):

This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24048 (https://www.zerodayinitiative.com/advisories/ZDI-22-363/):

This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16191.

CVE-2022-24050 (https://www.zerodayinitiative.com/advisories/ZDI-22-364/):

This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16207.

CVE-2022-24051 (https://mariadb.com/kb/en/security/):

This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193.

Seems we need bumps to 10.6.6, 10.5.14, 10.4.23, 10.3.33, and 10.2.42.
Comment 2 Michiel Hazelhof 2022-04-24 20:32:00 UTC
Bumping to 10.6.6 isn't enough; for the following we would need 10.6.7.

- CVE-2021-46665
- CVE-2021-46664
- CVE-2021-46661
- CVE-2021-46668
- CVE-2021-46663

For such a high-profile, high-usage application we really should be on the ball more.
Comment 3 Michiel Hazelhof 2022-04-24 20:34:59 UTC
The previous comment also applies to 10.4.24, 10.3.34 and 10.2.43; the versions mentioned by John earlier do not provide protection.
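Comments 1 to 3 go back and forth over which release of each branch is actually sufficient; the bug summary settles on <dev-db/mariadb-{10.2.43,10.3.34,10.4.25,10.5.15,10.6.8}. The script below is an added example, not part of the bug report and not Gentoo tooling: it encodes those per-branch thresholds and classifies version strings of the kind you get from `SELECT VERSION()` or an ebuild name, treating branches the bug does not list (10.7 and later) as "no claim" rather than silently reporting them fixed. The sample inventory at the bottom is constructed.

```python
from __future__ import annotations

import re

# Minimum fixed release per branch, taken from the bug summary:
# <dev-db/mariadb-{10.2.43,10.3.34,10.4.25,10.5.15,10.6.8}
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (10, 2): (10, 2, 43),
    (10, 3): (10, 3, 34),
    (10, 4): (10, 4, 25),
    (10, 5): (10, 5, 15),
    (10, 6): (10, 6, 8),
}

# Matches the leading MAJOR.MINOR.PATCH in strings such as "10.5.13",
# "10.5.13-MariaDB-log" (SELECT VERSION()) or "10.5.13-r1" (ebuild revision).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the (major, minor, patch) tuple embedded in a version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> tuple[int, int, int] | None:
    """Fixed release of the branch `version` belongs to, or None if the bug does not cover it."""
    major, minor, _ = parse_version(version)
    return FIXED_VERSIONS.get((major, minor))


def is_vulnerable(version: str) -> bool | None:
    """True if `version` is older than its branch's fixed release, False if at or above it.

    Returns None when the branch is not listed in the bug, so callers cannot
    mistake "not covered" for "fixed".
    """
    parsed = parse_version(version)
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    return parsed < fixed


def triage(versions: list[str]) -> dict[str, str]:
    """Classify a list of version strings, e.g. gathered from a fleet inventory."""
    labels = {
        True: "VULNERABLE",
        False: "fixed",
        None: "branch not covered by bug 832490",
    }
    return {v: labels[is_vulnerable(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the bug.
    sample = ["10.5.13-MariaDB-log", "10.6.6", "10.6.8", "10.2.43-r1", "10.7.3"]
    for version, verdict in triage(sample).items():
        print(f"{version:24} {verdict}")
```

Tuple comparison does the right thing here because every branch is compared only against its own threshold; comparing 10.6.6 against 10.5.15 would wrongly call it fixed, which is exactly the confusion the comments above are untangling.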
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-25 23:48:45 UTC
(In reply to Michiel Hazelhof from comment #2)
> Bumping to 10.6.6 isn't enough, for the following we would need 10.6.7.
> 
> - CVE-2021-46665
> - CVE-2021-46664
> - CVE-2021-46661
> - CVE-2021-46668
> - CVE-2021-46663
> 
> For such a high profile, high usage application we really should be on the
> ball more.

Thanks! Feel free to submit a PR
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-25 23:50:13 UTC
(In reply to John Helmert III from comment #4)
> (In reply to Michiel Hazelhof from comment #2)
> > Bumping to 10.6.6 isn't enough, for the following we would need 10.6.7.
> > 
> > - CVE-2021-46665
> > - CVE-2021-46664
> > - CVE-2021-46661
> > - CVE-2021-46668
> > - CVE-2021-46663
> > 
> > For such a high profile, high usage application we really should be on the
> > ball more.
> 
> Thanks! Feel free to submit a PR

Ah, I see. The maintainer already nacked a PR on Github. I wish they'd keep the rest of us in the loop.
Comment 6 Larry the Git Cow gentoo-dev 2022-05-12 20:40:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d0f80602bd1122a3638d8d74857502d7ed975b9

commit 1d0f80602bd1122a3638d8d74857502d7ed975b9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-12 20:40:19 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-05-12 20:40:19 +0000

    dev-db/mariadb: bump to 10.5.15
    
    Closes: https://github.com/gentoo/gentoo/pull/24852
    Bug: https://bugs.gentoo.org/832490
    Acked-by: Robin H. Johnson <robbat2@gentoo.org>
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-db/mariadb/Manifest               |    2 +
 dev-db/mariadb/mariadb-10.5.15.ebuild | 1323 +++++++++++++++++++++++++++++++++
 2 files changed, 1325 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2022-05-31 22:10:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f22921d74ad881d241ecee3f20f8254abbbdef7

commit 3f22921d74ad881d241ecee3f20f8254abbbdef7
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-31 20:01:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:39 +0000

    dev-db/mariadb: bump to 10.6.8
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25707
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest              |    2 +
 dev-db/mariadb/mariadb-10.6.8.ebuild | 1316 ++++++++++++++++++++++++++++++++++
 2 files changed, 1318 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5e96bd91204dc7f536640ebabdd88e713a277c3

commit a5e96bd91204dc7f536640ebabdd88e713a277c3
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-31 18:54:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:32 +0000

    dev-db/mariadb: bump to 10.5.16
    
    Bug: https://bugs.gentoo.org/832490
    Closes: https://bugs.gentoo.org/843992
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25705
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    1 +
 dev-db/mariadb/mariadb-10.5.16.ebuild | 1312 +++++++++++++++++++++++++++++++++
 2 files changed, 1313 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5ac359b6a7722e6165639e4acd89cf38e0c4194

commit e5ac359b6a7722e6165639e4acd89cf38e0c4194
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-31 18:49:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:24 +0000

    dev-db/mariadb: bump to 10.4.25
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25704
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    2 +
 dev-db/mariadb/mariadb-10.4.25.ebuild | 1305 +++++++++++++++++++++++++++++++++
 2 files changed, 1307 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92e9fbf72178359ea32c18224c39c4f0c072e0c8

commit 92e9fbf72178359ea32c18224c39c4f0c072e0c8
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-31 18:39:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:15 +0000

    dev-db/mariadb: bump to 10.3.35
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25554
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    1 +
 dev-db/mariadb/mariadb-10.3.35.ebuild | 1284 +++++++++++++++++++++++++++++++++
 2 files changed, 1285 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0025eace3007f2f213b7c920d1f0a300f69907d

commit f0025eace3007f2f213b7c920d1f0a300f69907d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-18 21:06:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:14 +0000

    dev-db/mariadb: bump to 10.3.34
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    2 +
 dev-db/mariadb/mariadb-10.3.34.ebuild | 1284 +++++++++++++++++++++++++++++++++
 2 files changed, 1286 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23206621f995162acdf73df1c3ac49f32ed3679b

commit 23206621f995162acdf73df1c3ac49f32ed3679b
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-31 18:34:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:01 +0000

    dev-db/mariadb: bump to 10.2.44
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25529
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    1 +
 dev-db/mariadb/mariadb-10.2.44.ebuild | 1292 +++++++++++++++++++++++++++++++++
 2 files changed, 1293 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d87587fb8a874172aaf5d69afeb24707e6095d2f

commit d87587fb8a874172aaf5d69afeb24707e6095d2f
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-05-16 21:01:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-31 22:10:00 +0000

    dev-db/mariadb: bump to 10.2.43
    
    Bug: https://bugs.gentoo.org/832490
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest               |    2 +
 dev-db/mariadb/mariadb-10.2.43.ebuild | 1292 +++++++++++++++++++++++++++++++++
 2 files changed, 1294 insertions(+)