CVE-2022-47015 et al affects MariaDB in Ubuntu

Bug #2045452 reported by Otto Kekäläinen
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mariadb (Ubuntu) | Fix Released | Medium | Otto Kekäläinen | |
| mariadb-10.3 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen | |
| mariadb-10.6 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen | |

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.3 in Focal
- mariadb-10.6 in Jammy
- mariadb (10.11+) in Mantic

MariaDB 10.11 in Noble will automatically import the new version from Debian Sid once available.

I will skip updates for Mantic as it is close to EOL.

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

CVE References

Otto Kekäläinen (otto)
Changed in mariadb (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.3 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.6 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb (Ubuntu):
importance: Undecided → Medium
status: New → In Progress
Changed in mariadb-10.3 (Ubuntu):
status: New → In Progress
Changed in mariadb-10.6 (Ubuntu):
status: New → In Progress
Changed in mariadb-10.3 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.6 (Ubuntu):
importance: Undecided → Medium
description: updated
Eduardo Barretto (ebarretto) wrote :

Thanks for preparing those Otto!
Please just let us know here when it is ready and we will gladly sponsor it.
Thanks again!

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Just checking if this is now ready to sponsor, as this is the last week before holiday break.
It would be nice to still land it this week, if possible.

Otto Kekäläinen (otto) wrote :

MariaDB 10.3.39 for Ubuntu Focal is ready at https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/ubuntu-20.04 and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

MariaDB 10.6.16 for Ubuntu Jammy is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.04 and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.6/+builds?build_text=&build_state=all

If you have any feedback after review, please post it here so I can address it, or post a Merge Request on Salsa-CI to get the exact change you want.

Otto Kekäläinen (otto) wrote :

There are no changes in the past 1-2 weeks - the delay was simply to allow time for people on the packaging mailing list to respond and review (https://alioth-lists.debian.net/pipermail/pkg-mysql-maint/2023-December/017012.html).

Eduardo Barretto (ebarretto) wrote :

Thanks Otto!
My colleague Ian will start with sponsoring and some other colleague might be doing the final publication, as we try to land this still today.
We will let you know in case of issues, but thanks again for providing this!

Eduardo Barretto (ebarretto) wrote :

Hey Otto,

Something that I just realized now: you mentioned Mantic, but I think you meant Lunar being close to EOL. And Lunar has both mariadb-10.6 and mariadb (10.11).

Since Mantic will run until July next year, would you consider preparing it too?

Thanks

Ian Constantin (iconstantin) wrote (last edit ):

Hello Otto,

Working on the 10.3.39 update for Focal, when running `gbp buildpackage --git-builder="umt source"` gbp is erroring out with:

```
gbp:info: Creating /mariadb-10.3/mariadb-10.3_10.3.39.orig.tar.gz
gbp:error: Error creating mariadb-10.3_10.3.39.orig.tar.gz with attached signature file: Pristine-tar couldn't checkout "mariadb-10.3_10.3.39.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
pristine-tar: Failed to reproduce original tarball. Please file a bug report.
pristine-tar: failed to generate tarball
```

---

I am not sure if it is relevant, but if I first download mariadb-10.3_10.3.39.orig.tar.gz (sha256sum: ccb546c6fd8fc1095cfda57561080d31427a16298ecd17f5bbbc96d1816595fd) and then try the build again, it throws:

```
gbp:error: Pristine-tar couldn't verify "mariadb-10.3_10.3.39.orig.tar.gz": pristine-tar: /mariadb-10.3/mariadb-10.3_10.3.39.orig.tar.gz does not match stored hash (expected 18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876, got ccb546c6fd8fc1095cfda57561080d31427a16298ecd17f5bbbc96d1816595fd)
```

Otto Kekäläinen (otto) wrote :

Hi Ian! What Ubuntu release are you running gbp on?

I suspect there is something in xdelta that is backwards incompatible between Ubuntu 20.04 (where I ran the import) and the latest versions. The problem you described is also reproducible in CI: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326

I will try to debug what is going on.

Otto Kekäläinen (otto) wrote :

From https://mariadb.org/download/?t=mariadb&o=true&p=mariadb&r=10.3.39&os=source you can see that for mariadb-10.3.39.tar.gz the correct sha256sum is 18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876.

This matches what I have locally and what I used during packaging:

```
$ sha256sum mariadb-10.3_10.3.39.orig.tar.gz
18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876 mariadb-10.3_10.3.39.orig.tar.gz

$ gpg --verify mariadb-10.3_10.3.39.orig.tar.gz.asc
gpg: assuming signed data in 'mariadb-10.3_10.3.39.orig.tar.gz'
gpg: Signature made ma 8. toukokuuta 2023 21.20.29 CST
gpg: using RSA key 177F4010FE56CA3336300305F1656F24C74CD1D8
gpg: Good signature from "MariaDB Signing Key <email address hidden>" [full]
```

I imported upstream with uscan so all this validation was automatic anyway.

This is also what I get from a clean gbp-build using gbp 0.9.19 on Ubuntu 20.04.

I have double checked that my local git and the remote are synced.

I even downloaded the git repository from Salsa to a temporary directory and ran git-buildpackage to produce the source package both using the Focal and Debian Sid versions, and I am unable to reproduce the xdelta bug you saw with the umt builder.

Otto Kekäläinen (otto) wrote (last edit ):

MariaDB 10.11.6 for Ubuntu Mantic is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu/23.10-mantic and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.11/+builds?build_text=&build_state=all

I still stand by the conclusion that the xdelta bug you ran into is due to some change in Debian unstable in the past months, and if you re-run git-buildpackage on an older Debian/Ubuntu version, you will not encounter the xdelta bug.

Ian Constantin (iconstantin) wrote :

Hello Otto,

Apologies we have been on break, thank you very much for preparing the update for Mantic and looking into the xdelta issue (it occurred on 23.04). I will take a look at both of these this coming week and update here.

Thanks again!

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Indeed, I tested a build of mariadb-10.3 on a bionic system and indeed the build works without issues.

Now looking at your previous sponsoring request in February 2023 and this one, I don't see any updates for xdelta3 in jammy nor for git-buildpackage. Therefore I think it must be something else that was updated in between those two.

What I also did was to comment out the line `pristine-tar = True` in debian/gbp.conf. That solves the issue, but instead of continuing with the build, I stopped and saw that in ../ I had mariadb-10.3_10.3.39.orig.tar.gz.
So I uncommented the pristine-tar line again and tried again to build, and got the following:

```
$ gbp buildpackage --git-builder="umt source"
gbp:error: Pristine-tar couldn't verify "mariadb-10.3_10.3.39.orig.tar.gz": pristine-tar: /home/ubuntu/packages/mariadb-10.3/mariadb-10.3_10.3.39.orig.tar.gz does not match stored hash (expected 18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876, got 0cd8e4fb9c41e0d08a8ea6b6ebb77bc7c50d5a92a60b99155a342e7a5e3a9255)
```

and if I do
```
$ sha256sum ../mariadb-10.3_10.3.39.orig.tar.gz
0cd8e4fb9c41e0d08a8ea6b6ebb77bc7c50d5a92a60b99155a342e7a5e3a9255 mariadb-10.3_10.3.39.orig.tar.gz
```

If I manually download the tarball from the URL you shared, check the checksum, it matches what you pasted and the build passes.

So I'm not sure how it is possible that on bionic it gets the correct orig.tar.gz with the expected checksum, but on a jammy or lunar host it downloads a tarball with a different checksum.
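The mismatch above (and the one Ian pasted earlier) leaves a sponsor with one question to answer before uploading: does the regenerated tarball differ from the upstream one only in its container (gzip header, compression level, tar metadata), or in the files it carries? The following script is an added example written for this thread, not code from the bug report or from the MariaDB/Debian packaging. It parses a pristine-tar "does not match stored hash" line, then compares a failing tarball against a reference copy that carries the expected hash, member by member. The tarballs are constructed in memory; the package name `example-1.0.0` and its file names are made up, and only the two sha256 values in the sample error line are taken from this thread.

```python
"""Triage an orig tarball hash mismatch: container-only vs. content change.
Added example for this thread; tarballs are constructed in memory."""
import gzip
import hashlib
import io
import re
import tarfile

# Shape of the pristine-tar line quoted in the thread.
PRISTINE_TAR_MISMATCH = re.compile(
    r"does not match stored hash \(expected ([0-9a-f]{64}), got ([0-9a-f]{64})\)"
)

# Error line as pasted in the thread (the two hashes are the ones reported there).
SAMPLE_ERROR = (
    'gbp:error: Pristine-tar couldn\'t verify "mariadb-10.3_10.3.39.orig.tar.gz": '
    "pristine-tar: /mariadb-10.3/mariadb-10.3_10.3.39.orig.tar.gz does not match "
    "stored hash (expected 18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876, "
    "got ccb546c6fd8fc1095cfda57561080d31427a16298ecd17f5bbbc96d1816595fd)"
)


def parse_pristine_tar_error(line):
    """Return (expected, got) sha256 strings from a pristine-tar mismatch line."""
    m = PRISTINE_TAR_MISMATCH.search(line)
    if not m:
        raise ValueError("not a pristine-tar 'does not match stored hash' line")
    return m.group(1), m.group(2)


def outer_sha256(data):
    """sha256 of the .tar.gz bytes, i.e. what sha256sum and pristine-tar compare."""
    return hashlib.sha256(data).hexdigest()


def member_digests(data):
    """Map every tar member to a digest of its content (files) or its kind.
    gzip headers, tar mtime/uid/gid and member order are deliberately ignored,
    so two tarballs with identical files produce identical maps."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                digests[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            elif m.isdir():
                digests[m.name] = "<dir>"
            else:
                digests[m.name] = "<other>"
    return digests


def triage(expected, candidate, reference):
    """Classify a tarball that failed its hash check.
    expected:  sha256 published upstream (or stored by pristine-tar)
    candidate: bytes of the tarball that failed verification
    reference: bytes of a tarball known to carry the expected hash"""
    if outer_sha256(candidate) == expected:
        return {"verdict": "match", "differing": []}
    if outer_sha256(reference) != expected:
        # The reference is not what upstream published either; stop here.
        return {"verdict": "reference-untrusted", "differing": []}
    cand, ref = member_digests(candidate), member_digests(reference)
    only_in_one = set(cand) ^ set(ref)
    changed = {n for n in cand.keys() & ref.keys() if cand[n] != ref[n]}
    differing = sorted(only_in_one | changed)
    if not differing:
        # Same files, different container: a tooling/compression difference.
        return {"verdict": "container-only", "differing": []}
    return {"verdict": "content-differs", "differing": differing}


def build_targz(files, gzip_mtime, compresslevel):
    """Construct an in-memory .tar.gz from {name: bytes} (test input only)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=gzip_mtime,
                       compresslevel=compresslevel) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


# Constructed sample: the same files packed twice with different gzip settings
# (outer hashes differ, contents do not), plus one copy with a modified file.
FILES = {
    "example-1.0.0/README": b"constructed sample, not upstream content\n",
    "example-1.0.0/src/main.c": b"int main(void) { return 0; }\n",
}
UPSTREAM = build_targz(FILES, gzip_mtime=1700000000, compresslevel=9)
REGENERATED = build_targz(FILES, gzip_mtime=0, compresslevel=6)
TAMPERED = build_targz(
    dict(FILES, **{"example-1.0.0/src/main.c": b"int main(void) { return 1; }\n"}),
    gzip_mtime=1700000000, compresslevel=9,
)
EXPECTED = outer_sha256(UPSTREAM)

if __name__ == "__main__":
    print("pristine-tar line:", parse_pristine_tar_error(SAMPLE_ERROR))
    print("regenerated:", triage(EXPECTED, REGENERATED, UPSTREAM))
    print("tampered:   ", triage(EXPECTED, TAMPERED, UPSTREAM))
```

A "container-only" verdict is the situation this thread ended up in: the bytes of the files match the signed upstream release, so the mismatch is a packaging-tool artefact rather than a substituted source. A "content-differs" verdict names the members to inspect, and "reference-untrusted" means the copy used as the baseline does not carry the published hash itself, so nothing can be concluded from the comparison.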

Otto Kekäläinen (otto) wrote :

I've tried to debug the issue with the pristine-tar maintainer in https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326#note_451615 but without a resolution. I suspect it is something in tar or pristine-tar that changed in the past years.

Anyway, it is pretty established now that there is no supply chain attack going on, but a bug in tooling. Perhaps you can manually override?

Eduardo Barretto (ebarretto) wrote :

Yes, now that we know how to manually override this and are also able to build on an older version, we will just continue the sponsorship.

Sorry for the delay on this, we just wanted to confirm there was nothing else and we plan to do more checking after the sponsorship to get to the cause of this. We will let you know in case we get more information.

Ian Constantin (iconstantin) wrote :

Hello Otto,

We are seeing that autopkgtests for Mantic are failing @ configuration-tracing:

https://objectstorage.prodstack5.canonical.com/swift/v1/AUTH_0f9aae918d5b4744bf7b827671c86842/autopkgtest-mantic-ubuntu-security-proposed-ppa/mantic/amd64/m/mariadb/20240117_194057_64458@/log.gz

In the debian/latest branch (and current Noble version) I see there are changes to the mariadbd-verbose-help.expected file compared to the version in the ubuntu/23.10-mantic branch. If I were to apply the changes to Mantic (minus the change for version-source-revision), the configuration-tracing passes.

I wanted to check in with you first and see if you want us to make that change from our end.

Otto Kekäläinen (otto) wrote (last edit ):

I can make the update. Thanks for noticing. Unfortunately the Salsa-CI I use does not work on Ubuntu branches (https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/327). If it did, this small and clear lapse would have been easy to detect while preparing the update.

I will provide a fix for this by tomorrow.

Otto Kekäläinen (otto) wrote :

Please review latest commits at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu/23.10-mantic

Based on the autopkgtest URL you shared, the failure was in ubuntu-security-proposed-ppa. Do re-uploads there require a new changelog entry? Shall I bump it to 1:10.11.6-*1*ubuntu0.23.10.1?

## Details

I figured out how to trigger Ubuntu autopkgtests on Launchpad like you had done after reading https://wiki.ubuntu.com/ProposedMigration.

I reproduced the failing baseline in https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-mysql-ubuntu-mariadb-10.11/mantic/amd64/m/mariadb/20240121_040149_a9319@/log.gz and after my changes it now fully passes in https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-mysql-ubuntu-mariadb-10.11/mantic/amd64/m/mariadb/20240121_065525_cdd96@/log.gz. Since the `main.subselect_*` failures reproduced on Launchpad autopkgtests, I cherry-picked that fix from Debian as well.

As a note to myself, these are the commands to run after the PPA upload at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.11/+builds?build_text=&build_state=all has passed successfully:

```shell
VERSION_RAW="1:10.11.6-0ubuntu0.23.10.1~bpo23.10.1~1705810339.ca4c2a8b0b0+ubuntu.23.10.mantic"
VERSION="$(echo "$VERSION_RAW" | sed 's/+/%2B/g')"
echo $VERSION

PPA=mariadb-10.11
SRCPKG=mariadb
RELEASE=mantic
ARCH=amd64
LPUSER=mysql-ubuntu

browse "https://autopkgtest.ubuntu.com/request.cgi?release=$RELEASE&arch=$ARCH&package=$SRCPKG&ppa=$LPUSER/$PPA&trigger=$SRCPKG/$VERSION"

browse "https://autopkgtest.ubuntu.com/running#pkg-mariadb"

browse "https://autopkgtest.ubuntu.com/results/autopkgtest-$RELEASE-$LPUSER-$PPA/"
```

## Side note on CI health

I checked https://autopkgtest.ubuntu.com/packages/mariadb. The noble CI is failing on Perl migration related issues that are not due to MariaDB. The i386 job that is failing on all platforms is explained in https://bugs.launchpad.net/auto-package-testing/+bug/2021925 (with no replies since May).

Otto Kekäläinen (otto) wrote :

What is the status of the MariaDB 10.3.39 upload to Ubuntu 20.04 Focal?

If you didn't do it yet, please fetch the latest git head with one more CVE fix at https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/ubuntu-20.04. The builds and post-build tests passed at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all as well as the full Focal autopkgtests at https://autopkgtest.ubuntu.com/results/autopkgtest-focal-mysql-ubuntu-mariadb-10.3/focal/amd64/m/mariadb-10.3/20240121_212332_e5fd0@/log.gz

Ian Constantin (iconstantin) wrote :

Hello Otto,

Looks great, thank you for the updates and for the autopkgtests verification!

I was waiting to release all three updates together, so I have re-spun the update for Focal as well - I bumped the versions locally before uploading to:

  1:10.3.39-0ubuntu0.20.04.2
  and
  1:10.11.6-0ubuntu0.23.10.2

I will aim to have these published on Thursday.

Otto Kekäläinen (otto) wrote :

Thanks for the update and the confirmation about the changelog entry need. I pushed updated changelogs at:
- https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/ubuntu-20.04
- https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu%2F23.10-mantic

I also tagged the previous uploads, but I will postpone tagging these new ones until I see what you uploaded and can ensure that what ends up in git matches what was uploaded.

Note: I also added CVE-2023-22084 to this bug report so it is tracked. I was looking at https://ubuntu.com/security/CVE-2023-22084 and it was out of sync for MariaDB based on https://mariadb.com/kb/en/security/. This should fix the tracker. You could also manually add there that MariaDB 5.5/10.0/10.1 are no longer maintained upstream and thus should be ignored (https://mariadb.org/about/#maintenance-policy).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.39-0ubuntu0.20.04.2

---------------
mariadb-10.3 (1:10.3.39-0ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.39 includes fixes for the
    following security vulnerabilities (LP: #2045452):
    - CVE-2022-47015
  * Add patch to revert upstream libmariadb API change (Debian Bug#1031773)
  * Make SysV init script explicit on its dependencies (Debian Bug#1035949)
  * Both of the changes above were included in the MariaDB Server version
    1:10.3.39-0+deb10u1 in Debian Buster without any reported regressions
    since June 2023 and are thus safe and appropriate to include in Ubuntu
    20.04 (Focal) as well
  * Include extra patch for CVE-2023-22084: A vulnerability allowed a high
    privileged attacker with network access via multiple protocols to compromise
    the server. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a hang or frequently repeatable crash
    (complete DoS) of the server (Debian Bug#1055034)
  * According to https://mariadb.org/about/#maintenance-policy this
    was the last minor maintenance release for MariaDB 10.3 series

 -- Otto Kekäläinen <email address hidden> Sat, 02 Dec 2023 00:23:50 -0800

Changed in mariadb-10.3 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.16-0ubuntu0.22.04.1

---------------
mariadb-10.6 (1:10.6.16-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.6.16 includes fixes for the
    following security vulnerabilities (LP: #2045452):
    - CVE-2023-22084
  * Previous upstream version 10.6.13 included security fixes for:
    - CVE-2022-47015
  * Include new test plugin file and header file
  * Update libmariadb3.symbols to include new ABI changes in 3.3.5
    and fix DPKG_GENSYMBOLS_CHECK_LEVEL so it actually takes effect and in
    build will properly fail if there are unaccounted symbol changes in
    future upstream maintenance releases
  * For details, see https://mariadb.com/kb/en/mariadb-10-6-16-release-notes/
    and previous upstream release notes

 -- Otto Kekäläinen <email address hidden> Fri, 01 Dec 2023 19:44:37 -0800

Changed in mariadb-10.6 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb - 1:10.11.6-0ubuntu0.23.10.2

---------------
mariadb (1:10.11.6-0ubuntu0.23.10.2) mantic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.11.6 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-6-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2045452):
    - CVE-2023-22084
  * Update configuration tracing to match what is expected for 10.11.5
    so autopkgtests that check for unaccounted configuration changes
    pass
  * Use upstream patch to fix subselect test regressions which may
    randomly fail in autopkgtests

 -- Otto Kekäläinen <email address hidden> Sat, 20 Jan 2024 19:07:07 -0800

Changed in mariadb (Ubuntu):
status: In Progress → Fix Released
Ian Constantin (iconstantin) wrote :

Hello Otto,

For the changelogs I kept them as they were originally and bumped the version (versus two separate entries).

I have updated the EOL release statuses for CVE-2023-22084 here: https://git.launchpad.net/ubuntu-cve-tracker/commit/active/CVE-2023-22084?id=33dc35c590f30ec5e5bfd09d36b4a35b6b4647bc

And I also updated our boilerplate statuses so the EOL statuses/note can be carried forward on future CVEs: https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=a27e52f39bfe29f3f1b9764357fb4027b61b6ea5

Ian Constantin (iconstantin) wrote :

Looks great thank you, see you in February!
