Bug 838244 (CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27385, CVE-2022-27386, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-32083, CVE-2022-32085, CVE-2022-32086, CVE-2022-32089, CVE-2022-32091) - <dev-db/mariadb-{10.2.44,10.3.35,10.4.25,10.5.16,10.6.8}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27385, CVE-2022-27386, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-32083, CVE-2022-32085, CVE-2022-32086, CVE-2022-32089, CVE-2022-32091
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 856820
Blocks: CVE-2022-31621, CVE-2022-31622, CVE-2022-31623, CVE-2022-31624
Reported: 2022-04-13 19:08 UTC by John Helmert III
Modified: 2024-05-08 08:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 19:08:57 UTC
CVE-2022-27376 (https://jira.mariadb.org/browse/MDEV-26354):

MariaDB Server v10.6.5 and below was discovered to contain a use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.

CVE-2022-27377 (https://jira.mariadb.org/browse/MDEV-26281):

MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements.

CVE-2022-27378 (https://jira.mariadb.org/browse/MDEV-26423):

An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27379 (https://jira.mariadb.org/browse/MDEV-26353):

An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27380 (https://jira.mariadb.org/browse/MDEV-26280):

An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27381 (https://jira.mariadb.org/browse/MDEV-26061):

An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27382 (https://jira.mariadb.org/browse/MDEV-26402):

MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order.

CVE-2022-27383 (https://jira.mariadb.org/browse/MDEV-26323):

MariaDB Server v10.6 and below was discovered to contain a use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.

CVE-2022-27384 (https://jira.mariadb.org/browse/MDEV-26047):

An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27385 (https://jira.mariadb.org/browse/MDEV-26415):

An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27386 (https://jira.mariadb.org/browse/MDEV-26406):

MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.

Presumably fixed in released versions, but have not dug into them.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 21:47:49 UTC
CVE-2022-27451 (https://jira.mariadb.org/browse/MDEV-28094):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.

CVE-2022-27452 (https://jira.mariadb.org/browse/MDEV-28090):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.

CVE-2022-27455 (https://jira.mariadb.org/browse/MDEV-28097):

MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.

CVE-2022-27456 (https://jira.mariadb.org/browse/MDEV-28093):

MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component VDec::VDec at /sql/sql_type.cc.

CVE-2022-27457 (https://jira.mariadb.org/browse/MDEV-28098):

MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.

CVE-2022-27458 (https://jira.mariadb.org/browse/MDEV-28099):

MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.

CVE-2022-27444 (https://jira.mariadb.org/browse/MDEV-28080):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.

CVE-2022-27445 (https://jira.mariadb.org/browse/MDEV-28081):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.

CVE-2022-27446 (https://jira.mariadb.org/browse/MDEV-28082):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.

CVE-2022-27447 (https://jira.mariadb.org/browse/MDEV-28099):

MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.

CVE-2022-27448 (https://jira.mariadb.org/browse/MDEV-28095):

There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc.

CVE-2022-27449 (https://jira.mariadb.org/browse/MDEV-28089):

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:33:06 UTC
CVE-2022-32083 (https://jira.mariadb.org/browse/MDEV-26047):

MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.

CVE-2022-32085 (https://jira.mariadb.org/browse/MDEV-26407):

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

CVE-2022-32086 (https://jira.mariadb.org/browse/MDEV-26412):

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

CVE-2022-32089 (https://jira.mariadb.org/browse/MDEV-26410):

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

CVE-2022-32091 (https://jira.mariadb.org/browse/MDEV-26431):

MariaDB v10.7 was discovered to contain a use-after-poison in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Another round of CVEs with fixes in this round of releases, according to Jira:
10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
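
Added example, not part of the original comments and not Gentoo or MariaDB tooling: a per-series check of a reported MariaDB version string against the fixed releases listed in comment 2. The sample strings are constructed, and the function names and status labels are this example's own.

```python
import re

# Fixed release per series, taken from comment 2 of this bug.
FIXED = {
    (10, 2): (10, 2, 44),
    (10, 3): (10, 3, 35),
    (10, 4): (10, 4, 25),
    (10, 5): (10, 5, 16),
    (10, 6): (10, 6, 8),
    (10, 7): (10, 7, 4),
    (10, 8): (10, 8, 3),
}

# MariaDB 10.x prefixes its handshake version with "5.5.5-" for replication
# compatibility; tools that show the raw string would otherwise be misread.
HANDSHAKE_PREFIX = "5.5.5-"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a VERSION() string or an ebuild name."""
    text = text.strip()
    if text.startswith(HANDSHAKE_PREFIX):
        text = text[len(HANDSHAKE_PREFIX):]
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return (version, status); a series absent from FIXED is reported, not guessed."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version, "series-not-listed"
    return version, "fixed" if version >= fixed else "below-fixed"


# Constructed sample inputs: server strings and one ebuild-style name.
SAMPLES = ["10.5.15-MariaDB-log", "5.5.5-10.4.24-MariaDB",
           "mariadb-10.6.5-r1", "10.6.8-MariaDB", "10.11.2-MariaDB"]

if __name__ == "__main__":
    for sample in SAMPLES:
        version, status = classify(sample)
        print(f"{sample:24} {'.'.join(map(str, version)):10} {status}")
```

A "series-not-listed" result means this bug gives no fixed release for that series, so it has to be checked against upstream's own advisories.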
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:34:49 UTC
So, please stabilize when ready!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 17:57:26 UTC
Please clean up
Comment 5 Larry the Git Cow gentoo-dev 2022-07-15 01:26:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da14e699f370d254bf6ffe16cc1ac0492d0ddebe

commit da14e699f370d254bf6ffe16cc1ac0492d0ddebe
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 09:04:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-15 01:22:02 +0000

    dev-db/mariadb: drop vulnerable
    
    Bug: https://bugs.gentoo.org/847526
    Bug: https://bugs.gentoo.org/838244
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26397
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mariadb/Manifest                 |   13 -
 dev-db/mariadb/mariadb-10.2.41.ebuild   | 1289 ------------------------------
 dev-db/mariadb/mariadb-10.2.43.ebuild   | 1292 ------------------------------
 dev-db/mariadb/mariadb-10.3.32.ebuild   | 1281 ------------------------------
 dev-db/mariadb/mariadb-10.3.34.ebuild   | 1284 ------------------------------
 dev-db/mariadb/mariadb-10.4.22.ebuild   | 1302 ------------------------------
 dev-db/mariadb/mariadb-10.5.13.ebuild   | 1309 ------------------------------
 dev-db/mariadb/mariadb-10.5.15.ebuild   | 1309 ------------------------------
 dev-db/mariadb/mariadb-10.6.5-r1.ebuild | 1311 ------------------------------
 dev-db/mariadb/mariadb-10.6.8.ebuild    | 1316 -------------------------------
 10 files changed, 11706 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 01:34:40 UTC
Thanks!
Comment 7 Larry the Git Cow gentoo-dev 2024-05-08 08:40:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b69f175bb86c550d8cad22e4c391edbf3ccd7c16

commit b69f175bb86c550d8cad22e4c391edbf3ccd7c16
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 08:40:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 08:40:18 +0000

    [ GLSA 202405-25 ] MariaDB: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/699874
    Bug: https://bugs.gentoo.org/822759
    Bug: https://bugs.gentoo.org/832490
    Bug: https://bugs.gentoo.org/838244
    Bug: https://bugs.gentoo.org/847526
    Bug: https://bugs.gentoo.org/856484
    Bug: https://bugs.gentoo.org/891781
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-25.xml | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)