Bug 838244 (CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27385, CVE-2022-27386, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-32083, CVE-2022-32085, CVE-2022-32086, CVE-2022-32089, CVE-2022-32091)

Summary:	<dev-db/mariadb-{10.2.44,10.3.35,10.4.25,10.5.16,10.6.8}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	hydrapolic, mysql-bugs
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=822759 https://github.com/gentoo/gentoo/pull/26397
Whiteboard:	B3 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	856820
Bug Blocks:	847526

Description John Helmert III archtester

2022-04-13 19:08:57 UTC

CVE-2022-27376 (https://jira.mariadb.org/browse/MDEV-26354):

MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.

CVE-2022-27377 (https://jira.mariadb.org/browse/MDEV-26281):

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements.

CVE-2022-27378 (https://jira.mariadb.org/browse/MDEV-26423):

An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27379 (https://jira.mariadb.org/browse/MDEV-26353):

An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27380 (https://jira.mariadb.org/browse/MDEV-26280):

An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27381 (https://jira.mariadb.org/browse/MDEV-26061):

An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27382 (https://jira.mariadb.org/browse/MDEV-26402):

MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order.

CVE-2022-27383 (https://jira.mariadb.org/browse/MDEV-26323):

MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.

CVE-2022-27384 (https://jira.mariadb.org/browse/MDEV-26047):

An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27385 (https://jira.mariadb.org/browse/MDEV-26415):

An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27386 (https://jira.mariadb.org/browse/MDEV-26406):

MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.

Presumably fixed in released versions, but have not dug into them.

Comment 1 John Helmert III archtester

2022-04-14 21:47:49 UTC

CVE-2022-27451 (https://jira.mariadb.org/browse/MDEV-28094):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.

CVE-2022-27452 (https://jira.mariadb.org/browse/MDEV-28090):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.

CVE-2022-27455 (https://jira.mariadb.org/browse/MDEV-28097):

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.

CVE-2022-27456 (https://jira.mariadb.org/browse/MDEV-28093):

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.

CVE-2022-27457 (https://jira.mariadb.org/browse/MDEV-28098):

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.

CVE-2022-27458 (https://jira.mariadb.org/browse/MDEV-28099):

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.

CVE-2022-27444 (https://jira.mariadb.org/browse/MDEV-28080):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.

CVE-2022-27445 (https://jira.mariadb.org/browse/MDEV-28081):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.

CVE-2022-27446 (https://jira.mariadb.org/browse/MDEV-28082):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.

CVE-2022-27447 (https://jira.mariadb.org/browse/MDEV-28099):

MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.

CVE-2022-27448 (https://jira.mariadb.org/browse/MDEV-28095):

There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc.

CVE-2022-27449 (https://jira.mariadb.org/browse/MDEV-28089):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.

Comment 2 John Helmert III archtester

2022-07-05 04:33:06 UTC

CVE-2022-32083 (https://jira.mariadb.org/browse/MDEV-26047):

MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.

CVE-2022-32085 (https://jira.mariadb.org/browse/MDEV-26407):

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

CVE-2022-32086 (https://jira.mariadb.org/browse/MDEV-26412):

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

CVE-2022-32086 (https://jira.mariadb.org/browse/MDEV-26412):

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

CVE-2022-32089 (https://jira.mariadb.org/browse/MDEV-26410):

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

CVE-2022-32091 (https://jira.mariadb.org/browse/MDEV-26431):

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Another round of CVEs with fixes in this round of releases, according to Jira:
10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3

Comment 3 John Helmert III archtester

2022-07-05 04:34:49 UTC

So, please stabilize when ready!

Comment 4 John Helmert III archtester

2022-07-13 17:57:26 UTC

Please cleanup

Comment 5 Larry the Git Cow gentoo-dev

2022-07-15 01:26:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da14e699f370d254bf6ffe16cc1ac0492d0ddebe

commit da14e699f370d254bf6ffe16cc1ac0492d0ddebe
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 09:04:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-15 01:22:02 +0000

    dev-db/mariadb: drop vulnerable
    
    Bug: https://bugs.gentoo.org/847526
    Bug: https://bugs.gentoo.org/838244
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26397
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest                 |   13 -
 dev-db/mariadb/mariadb-10.2.41.ebuild   | 1289 ------------------------------
 dev-db/mariadb/mariadb-10.2.43.ebuild   | 1292 ------------------------------
 dev-db/mariadb/mariadb-10.3.32.ebuild   | 1281 ------------------------------
 dev-db/mariadb/mariadb-10.3.34.ebuild   | 1284 ------------------------------
 dev-db/mariadb/mariadb-10.4.22.ebuild   | 1302 ------------------------------
 dev-db/mariadb/mariadb-10.5.13.ebuild   | 1309 ------------------------------
 dev-db/mariadb/mariadb-10.5.15.ebuild   | 1309 ------------------------------
 dev-db/mariadb/mariadb-10.6.5-r1.ebuild | 1311 ------------------------------
 dev-db/mariadb/mariadb-10.6.8.ebuild    | 1316 -------------------------------
 10 files changed, 11706 deletions(-)

Comment 6 John Helmert III archtester

2022-07-15 01:34:40 UTC

Thanks!