libmysqlclient21 crashes if certain collation definitions are found in MySQL's sharedir

Bug #1884809 reported by Lars Tangvald
Affects             Status        Importance  Assigned to  Milestone
mysql-8.0 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Note: This was originally reported as https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1877504, but that bug contains discussions about multiple separate issues, which are not fully resolved by this fix.

[Impact]

libmysqlclient21 does not by default include any charset files in Ubuntu, but it will use charset files found in /usr/share/mysql/.
If the usr/share/mysql/Index.xml file contains a charset definition with a certain combination of collations, it can cause a segmentation fault in libmysqlclient21. The default charset files in MySQL do not cause this problem, but those from MariaDB do. So a user running e.g. mythtv (which is built with libmysqlclient21) with MariaDB as the underlying server package can encounter crashes.
The segmentation fault does not happen with 8.0.19, so this is a regression from earlier versions.

[Test Case]

* Install libmysqlclient21, libmysqlclient-dev and mysql-server
* Connect to the database with "sudo mysql" and run the attached init.sql (just creates a test user with access to a test database)
* Compile attached mysql_test.c (file has full gcc command needed)
* Run the mysql_test program. It will output a few lines (contents of test table)
* Now replace /usr/share/mysql/charsets/Index.xml with the attached one
* Run the mysql_test program. It will produce a segmentation fault
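
A small harness for the reproduction steps above, added here and not part of the bug report or its attachments: it swaps the candidate Index.xml into place, runs the probe, classifies a SIGSEGV by exit status, and restores the original file whether or not the probe crashed. Assumed: the file the client library reads is /usr/share/mysql/charsets/Index.xml (writing it needs root) and the probe command is the compiled mysql_test program; both are passed as arguments so any path or command can be used.

```shell
#!/bin/sh
# Harness for the reproduction steps above (added example, not part of the bug report).
# Assumptions: $index is the file the client library actually reads, e.g.
# /usr/share/mysql/charsets/Index.xml (writing it needs root), and the probe
# command is the compiled mysql_test program from the bug's attachment.

# Run a command and report whether it died of SIGSEGV.
# A process killed by signal N exits with status 128+N; SIGSEGV is 11, so 139.
# Returns 0 on segfault, 1 otherwise (a normal non-zero exit is "not a crash").
died_of_segv() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 139 ]
}

# Temporarily install $candidate at $index, run the probe, and restore the
# original file whether or not the probe crashed. Prints "crash" or "ok".
# Returns 0 when the probe survived, 1 when it segfaulted, 2 on setup failure.
probe_with_index() {
    index="$1"
    candidate="$2"
    shift 2
    backup="$(mktemp)" || return 2
    cp "$index" "$backup" || { rm -f "$backup"; return 2; }
    cp "$candidate" "$index" || { rm -f "$backup"; return 2; }
    if died_of_segv "$@"; then
        result=crash
    else
        result=ok
    fi
    # Restore first, then report: a crash must never leave the suspect file in place.
    cp "$backup" "$index"
    rm -f "$backup"
    echo "$result"
    [ "$result" = ok ]
}

# Example invocation (needs root and a running mysql-server, as in the steps above):
#   probe_with_index /usr/share/mysql/charsets/Index.xml ./Index.xml ./mysql_test
```

The classification relies on the shell's 128+signal convention, so a probe that deliberately exits with status 139 would be misreported as a crash.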

[Regression Potential]

The patch itself only blocks out a single function call on a pointer if that pointer is null, but it doesn't fix the underlying issue of the charset parser picking up unexpected definition files (that problem is present in versions prior to 8.0.20 as well).

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mysql-8.0 - 8.0.21-0ubuntu0.20.04.3

---------------
mysql-8.0 (8.0.21-0ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Update to 8.0.21 to fix security issues
    - CVE-2020-14539, CVE-2020-14540, CVE-2020-14547, CVE-2020-14550,
      CVE-2020-14553, CVE-2020-14559, CVE-2020-14568, CVE-2020-14575,
      CVE-2020-14576, CVE-2020-14586, CVE-2020-14591, CVE-2020-14597,
      CVE-2020-14619, CVE-2020-14620, CVE-2020-14623, CVE-2020-14624,
      CVE-2020-14631, CVE-2020-14632, CVE-2020-14633, CVE-2020-14634,
      CVE-2020-14641, CVE-2020-14643, CVE-2020-14651, CVE-2020-14654,
      CVE-2020-14656, CVE-2020-14663, CVE-2020-14678, CVE-2020-14680,
      CVE-2020-14697, CVE-2020-14702
  * debian/rules: disable some tests that have expired certificates until
    new ones can be obtained from the upstream repo.
  * debian/tests/upstream: disable some tests that have expired
    certificates until new ones can be obtained from the upstream repo.
  * debian/tests/upstream: disable new test that can't locate
    mysqltest_safe_process binary.
  * debian/mysql-router.install, debian/mysql-server-core-8.0.install,
    debian/mysql-testsuite-8.0.install: use wildcard for libprotobuf-lite
    library version.
  * debian/mysql-router.install: added router_protobuf.so.
  * debian/mysql-testsuite-8.0.install: added
    component_test_component_deinit.so.
  * debian/patches/charset_file_crash.patch: don't crash on malformed
    charset files in mysys/charset.cc (LP: #1884809)
  * Fix FTBFS on RISC-V.
    - d/p/use-largest-lock-free-type-selector-on-riscv.patch: Force
      the use of Largest_lock_free_type_selector instead of
      Lock_free_type_selector when compiling for RISC-V, since the
      latter will cause a compilation failure due to RISC-V's
      inability to provide the always-lock-free property for some
      specific types.

 -- Marc Deslauriers <email address hidden> Mon, 27 Jul 2020 11:58:55 -0400

Changed in mysql-8.0 (Ubuntu):
status: New → Fix Released