Bug 585366 - dev-db/xtrabackup-bin: depends on vulnerable < dev-libs/libgcrypt-1.6.3-r4
Summary: dev-db/xtrabackup-bin: depends on vulnerable < dev-libs/libgcrypt-1.6.3-r4
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Christian Ruppert (idl0r)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 567382
Reported: 2016-06-08 10:01 UTC by manwe
Modified: 2016-08-18 16:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
ebuild (percona-xtrabackup-2.4.3.ebuild, 1.14 KB, text/plain) 2016-06-11 14:35 UTC, manwe
ebuild v2 (percona-xtrabackup-2.4.3.ebuild, 1.11 KB, text/plain) 2016-06-11 14:36 UTC, manwe

Description manwe 2016-06-08 10:01:57 UTC
In GLSA 201606-04 dev-libs/libgcrypt was marked in versions below 1.6.3-r4. Package dev-db/xtrabackup-bin depends on vulnerable dev-libs/libgcrypt:0/11 or dev-libs/libgcrypt:11/11. I've checked the newest upstream version (2.4.3), but it still loads /usr/lib64/libgcrypt.so.11.

I think we should try to move to the non-binary version of this ebuild and get rid of this problematic dependency. There is one in bgo-overlay called dev-db/percona-xtrabackup.
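A check for the situation the report describes, added here as an example (it is not part of the bug, of xtrabackup, or of any Gentoo ebuild): it extracts the SONAMEs a binary requests from `readelf -d` or `ldd` output and flags those belonging to a library branch a GLSA has retired. The BAD_SONAMES list is an assumption for the demo; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the bug or the Gentoo tree: list the SONAMEs an
# ELF file asks for and flag those belonging to a retired library branch.
# BAD_SONAMES is an assumption for this demo: libgcrypt.so.11 is the
# libgcrypt 1.5 ABI the report found xtrabackup-bin still loading.
BAD_SONAMES="libgcrypt.so.11"

# Read `readelf -d` or `ldd` output on stdin; print one SONAME per line.
needed_sonames() {
    awk '/\(NEEDED\)/ { gsub(/[][]/, "", $NF); print $NF; next }
         /=>/        { print $1 }'
}

# Keep only the names listed in $BAD_SONAMES, sorted and de-duplicated.
flag_bad() {
    awk -v bad="$BAD_SONAMES" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        ($1 in want) { print $1 }' | sort -u
}

# Walk a directory (e.g. an installed package image) and report each
# executable whose dynamic section names a retired SONAME. readelf is
# preferred over ldd because it never runs the target's loader.
scan_dir() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        bad=$(readelf -d "$f" 2>/dev/null | needed_sonames | flag_bad)
        if [ -n "$bad" ]; then
            printf '%s: %s\n' "$f" "$(printf '%s' "$bad" | tr '\n' ' ')"
        fi
    done
}

# Constructed ldd output, standing in for `ldd /usr/bin/xtrabackup`.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd12345000)
    libgcrypt.so.11 => /usr/lib64/libgcrypt.so.11 (0x00007f0000001000)
    libgpg-error.so.0 => /usr/lib64/libgpg-error.so.0 (0x00007f0000002000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000003000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000004000)'

# Constructed `readelf -d` excerpt for the same binary.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)  Shared library: [libgcrypt.so.11]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
 0x000000000000000e (SONAME)  Library soname: [xtrabackup]'

# With a directory argument scan it; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then
    scan_dir "$1"
else
    printf '%s\n' "$SAMPLE_LDD" | needed_sonames | flag_bad
fi
```

Run as `sh check.sh /usr/bin` (or over the image directory of a binary package) to list every executable still bound to the retired ABI.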
Comment 1 Tomáš Mózes 2016-06-08 14:28:16 UTC
I think we just hard-mask these and wait until upstream uses the new libs.

However, I've tried playing around with building percona xtrabackup from source and now it's much better - they have everything in the source package. Watch for https://bugs.gentoo.org/show_bug.cgi?id=265407.
Comment 2 Tomáš Mózes 2016-06-10 14:33:25 UTC
manwe, can you please try the ebuild for 2.4.3 in https://bugs.gentoo.org/show_bug.cgi?id=265407 that is built from source?
Comment 3 manwe 2016-06-10 15:44:40 UTC
Sure, will do, but that =dev-libs/boost-1.59.0 is kinda weird. It's neither newest stable [1.56.0-r1] nor unstable [1.61.0].
Comment 4 Tomáš Mózes 2016-06-11 04:16:22 UTC
(In reply to manwe from comment #3)
> Sure, will do, but that =dev-libs/boost-1.59.0 is kinda weird. It's neither
> newest stable [1.56.0-r1] nor unstable [1.61.0].

Seems like MySQL 5.7 fails to build with other versions of Boost. I've tried 1.60 but with no luck yet. If you wish, you can play around with other versions; being able to use a wider range of Boost versions would be really great.
Comment 5 manwe 2016-06-11 14:35:14 UTC
Created attachment 437168 [details]
ebuild

MySQL and related stuff needs boost only at build time; there's no need to require it on the system.

So how about this approach?

SRC_URI="https://www.percona.com/downloads/XtraBackup/Percona-XtraBackup-${PV}/source/tarball/${P}.tar.gz
	http://jenkins.percona.com/downloads/boost/boost_1_59_0.tar.gz"

src_configure() {
	# Unpack the fetched Boost tarball under ${T} and point CMake at it,
	# so the build downloads nothing on its own.
	mkdir "${T}/boost" || die
	tar --extract --directory "${T}/boost" --file "${DISTDIR}/boost_1_59_0.tar.gz" || die
	cmake -DBUILD_CONFIG=xtrabackup_release -DDOWNLOAD_BOOST=0 -DWITH_BOOST="${T}/boost" || die
}

Might not be the nicest, but it works (just tested it) and there's nothing the package is downloading on its own.

Modified ebuild as an attachment.
Comment 6 manwe 2016-06-11 14:36:53 UTC
Created attachment 437170 [details]
ebuild v2

One more time, I forgot to remove boost from DEPEND.
Comment 7 Tomáš Mózes 2016-06-11 18:55:45 UTC
Yes, that is also an option. However, I do believe that upstream will move on and adjust the build to work with boost 1.60 and higher.

Try posting your ebuild to #265407.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-07-19 15:02:49 UTC
dev-db/xtrabackup-bin is blocking removal of the vulnerable libgcrypt 1.5 branch from the stable tree; it should either be fixed to allow a newer libgcrypt (1.6 compatible ABI) or reduced to ~arch to match 11/11 subslot visibility.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-08-18 16:15:47 UTC
commit 6338c46d8f99ba1af6bcad49c853b71823e26250
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 18:09:03 2016 +0200

    profiles: stable mask use flag for sst-xtrabackup for mysql/mariadb
    
    In relation to removal of libgcrypt 1.5 from stable

commit bea66751f3c367fe021041fec0eb80a638526df3
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 17:34:19 2016 +0200

    dev-db/xtrabackup-bin: Reduce to testing keywords
    
    libgcrypt 1.5 branch is no longer in stable, the compatibility slot 11
    should be used which is in testing only. libgcrypt is scheduled for EOL
    and subject to complete removal
    
    Gentoo-Bug: 585366
    Gentoo-Bug: 567382