USN-3040-1: MySQL vulnerabilities partially applies to MariaDB too

Bug #1605493 reported by Otto Kekäläinen
Affects                Status        Importance  Assigned to      Milestone
mariadb-10.0 (Ubuntu)  Fix Released  Medium      Otto Kekäläinen
mariadb-5.5 (Ubuntu)   Fix Released  Medium      Otto Kekäläinen

Bug Description

The mentioned security notice also affects MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial and Wily (Yakkety can sync from Debian)

Tags: trusty xenial
Otto Kekäläinen (otto)
information type: Private Security → Public Security
Revision history for this message
Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds finished successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Revision history for this message
Otto Kekäläinen (otto) wrote :

Just in case you want to see it separately, I've attached the result of the command
  git diff ubuntu/5.5.49-1ubuntu0.14.04.1..HEAD debian/ > 5.5.49-1ubuntu0.14.04.1..HEAD.diff

Mathew Hodson (mhodson)
Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Otto Kekäläinen (otto) wrote :

10.0 series updates for 16.04 and 15.10 are now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 and ubuntu-15.10 branches at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds finished successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

MariaDB 10.0.26 has already been uploaded to Debian unstable for some while. There was a regression in ppc64el builds that is now fixed and included in these Ubuntu branches.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Otto - Thank you for the contributions! Sorry that it took me a little while to begin sponsoring these uploads but I believe that this is the first git-buildpackage upload that I've sponsored and it took me some time to figure out.

The 16.04 upload looks fine. The 15.10 upload will be ignored since 15.10 is EOL as of last week.

I'm having some problems with the 14.04 upload. If I run the git diff command that you mentioned in comment 1, I see the same debdiff that you attached in comment 2. However, if I create a source upload based on your git-buildpackage tree and then look at the debdiff between mariadb-5.5_5.5.49-1ubuntu0.14.04.1.dsc and the generated mariadb-5.5_5.5.50-1ubuntu0.14.04.1.dsc, I get very different results. Many files in debian/ are changed. Here's the relevant snippet of the diffstat output:

 debian/additions/innotop/changelog.innotop | 357
 debian/additions/my.cnf | 171
 debian/changelog | 17
 debian/dist/Debian/mariadb-server-5.5.README.Debian | 109
 debian/dist/Debian/mariadb-server-5.5.dirs | 10
 debian/dist/Debian/mariadb-server-5.5.files.in | 75
 debian/dist/Debian/mariadb-server-5.5.postinst | 268
 debian/dist/Debian/mariadb-server-5.5.postrm | 83
 debian/dist/Debian/rules | 290
 debian/dist/Ubuntu/mariadb-server-5.5.README.Debian | 109
 debian/dist/Ubuntu/mariadb-server-5.5.dirs | 10
 debian/dist/Ubuntu/mariadb-server-5.5.postinst | 284
 debian/dist/Ubuntu/mariadb-server-5.5.postrm | 86
 debian/dist/Ubuntu/rules | 295
 debian/libmariadbclient-dev.files | 7
 debian/libmariadbclient18.files | 3
 debian/libmariadbd-dev.files | 2
 debian/mariadb-client-5.5.files | 28
 debian/mariadb-client-core-5.5.files | 4
 debian/mariadb-common.files | 1
 debian/mariadb-common.postrm | 8
 debian/mariadb-server-5.5.NEWS | 34
 debian/mariadb-server-core-5.5.files | 26
 debian/mariadb-test-5.5.files | 19
 debian/mysql-common.dirs | 1
 debian/mysql-common.files | 3
 debian/mysql-common.lintian-overrides | 2
 debian/mysql-common.postrm | 7
 debian/patches/00list | 11
 debian/patches/01_MAKEFILES__Docs_Images_Makefile.in.dpatch | 776 ...


Changed in mariadb-5.5 (Ubuntu):
status: New → Incomplete
Changed in mariadb-10.0 (Ubuntu):
status: New → Incomplete
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Also, can you tell me what amount of testing you've performed on these Ubuntu builds of mariadb?

Mathew Hodson (mhodson)
tags: added: trusty xenial
Revision history for this message
Otto Kekäläinen (otto) wrote :

Sorry for the long delay in replying. It seems that at some point somebody who did the upload has had some mixup, and used the debian/* contents from the mariadb.org upstream and not from the sources I provided.

The mixup is understandable. When you untar the upstream package, there is already some contents in debian/* (upstream legacy). The uploader needs to remove that, import the debian/* from the current package in Ubuntu and then apply the debdiff I provided to get the new changelog entry etc.

From now on I will only provide git-buildpackage branches and ask the uploader to use them. That is less error prone, as the uploader does not need to untar and move folders and apply patches manually at all. Running git-buildpackage is all that is needed, and everything can be verified thanks to the pristine-tar and gpg signatures provided by git-buildpackage.

What to do with the mixed up mariadb-5.5 in 14.04 then? I don't know. I will continue to maintain the branch ubuntu-14.04 at https://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?id=refs/heads/ubuntu-14.04 as it was and should be. I would hope the mariadb-5.5 in Ubuntu official repos would have the mixup cleaned away, but I don't have resources at the moment to test if that causes some regressions and if it is feasible to do.
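The workflow described in the comments above (fetch the packaging branch with git-buildpackage, let pristine-tar regenerate the orig tarball, and check that tarball against the published checksum before building) and the kind of check a sponsor would want after the debian/ mixup, as an added shell example. This is not code from the bug report or from the pkg-mysql repository. The repository URL and branch names in the comments are the ones given in the thread; the tarball name, payloads, checksum file and debian/ trees in the demo are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or the pkg-mysql packaging.
set -e

# Part 1: the git-buildpackage flow the thread asks sponsors to use. This
# function needs network access and a Debian build environment, so it is
# meant to be run by hand, not by the offline demo below.
gbp_fetch_and_build() {
    repo="$1"    # e.g. https://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git (URL from the thread)
    branch="$2"  # e.g. ubuntu-14.04 (branch name from the thread)
    # --pristine-tar also fetches the pristine-tar branch, so the .orig tarball
    # is regenerated byte-for-byte instead of being downloaded separately.
    gbp clone --pristine-tar --debian-branch="$branch" "$repo"
    cd "$(basename "$repo" .git)"
    # Source-only build from the packaging branch; the debian/ directory comes
    # from git, never from whatever legacy debian/ an upstream tarball carries.
    gbp buildpackage -S --git-pristine-tar --git-debian-branch="$branch"
}

# Part 2: verify a (regenerated) tarball against the line for it in a SHA1SUM
# file. Returns 0 when the sum matches, 1 when it does not or is not listed.
verify_sha1() {
    tarball="$1"
    sumfile="$2"
    # Keep only the line naming this file; sha1sum -c then reads it from stdin
    # while running inside the tarball's directory so the path resolves.
    grep " $(basename "$tarball")\$" "$sumfile" \
        | ( cd "$(dirname "$tarball")" && sha1sum -c --status - )
}

# Part 3: the check that would have caught the 14.04 mixup: the debian/ tree
# inside the unpacked source package must match the packaging branch exactly.
# Returns 0 when the two trees are identical, 1 otherwise.
debian_dir_matches() {
    diff -rq "$1" "$2" >/dev/null
}

# Offline demo with constructed data (no real tarball, no real packaging).
demo() {
    tmp="$(mktemp -d)"
    tb="$tmp/mariadb-5.5_5.5.50.orig.tar.gz"   # constructed stand-in file
    printf 'constructed upstream payload\n' > "$tb"
    ( cd "$tmp" && sha1sum "$(basename "$tb")" > SHA1SUM )
    if verify_sha1 "$tb" "$tmp/SHA1SUM"; then
        echo "orig tarball: checksum matches"
    fi
    printf 'one extra line\n' >> "$tb"         # not the tarball that was summed
    if ! verify_sha1 "$tb" "$tmp/SHA1SUM"; then
        echo "orig tarball: checksum MISMATCH, do not build or upload"
    fi

    mkdir -p "$tmp/branch/debian" "$tmp/unpacked/debian"
    printf 'Source: mariadb-5.5\n' > "$tmp/branch/debian/control"
    cp "$tmp/branch/debian/control" "$tmp/unpacked/debian/control"
    if debian_dir_matches "$tmp/branch/debian" "$tmp/unpacked/debian"; then
        echo "debian/: matches packaging branch"
    fi
    printf 'legacy upstream packaging\n' > "$tmp/unpacked/debian/rules"
    if ! debian_dir_matches "$tmp/branch/debian" "$tmp/unpacked/debian"; then
        echo "debian/: DIVERGES from packaging branch (stray upstream files?)"
    fi
    rm -rf "$tmp"
}

demo
```

The SHA1 check only tells you that the regenerated tarball is the one upstream published; it is not a substitute for verifying the upstream GPG signature or the signed git tags that git-buildpackage and pristine-tar give you, so where a detached signature exists, run `gpg --verify` on it as well. The debian/ comparison is the cheap version of the debdiff a sponsor runs between the previous and the new .dsc: if files under debian/ change that the packaging branch never touched, the source package was assembled from the wrong debian/ directory.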

Revision history for this message
Otto Kekäläinen (otto) wrote :

Actually, it should be pretty feasible to do, as the MariaDB 5.5 packages in Debian and Ubuntu (which stem from the same official Debian packaging) have been previously tested to be compatible with the legacy packaging used by upstream MariaDB.org, so that it is easy for people to upgrade from legacy packaging to the official and correct packaging done by Debian Developers and released at Debian repositories.

Revision history for this message
Otto Kekäläinen (otto) wrote :

It seems this 10.0.26 has not yet been uploaded to Xenial. I shall soon start preparing 10.0.27 due to CVE-2016-6662 (see https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html)

Revision history for this message
Jan Claeys (janc) wrote :

Will you work on 5.5.51 (for 14.04 “Trusty”) also (for the same CVE)?

Revision history for this message
Otto Kekäläinen (otto) wrote :

Yes, I will. So the plan is now that I should remove the never uploaded commits from the ubuntu-14.04 and ubuntu-16.04 branches and jump straight to updating the branches ready for 5.5.51 and 10.0.27 uploading.

Revision history for this message
Otto Kekäläinen (otto) wrote :

I have now prepared 5.5.52 for Trusty and 10.0.27 for Xenial. I will not prepare an update for Wily anymore, as it is EOL. Xenial can sync from Debian.

Sources and build logs are available at the same locations as linked above. Test builds in the PPA are still running. I'll ping you when all testing has passed.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.27-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.27-0ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: New upstream release 10.0.27. Includes fixes for the
    following security vulnerabilities (LP: #1605493):
    - CVE-2016-6662
  * Previous release 10.0.26 included fixes for
    the following security vulnerabilities:
    - CVE-2016-3615
    - CVE-2016-3521
    - CVE-2016-3477
  * Update old changelog entries to include new CVE identifiers

 -- Otto Kekäläinen <email address hidden> Wed, 14 Sep 2016 22:30:17 +0300

Changed in mariadb-10.0 (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.52-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.52-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: New upstream release 5.5.52 (LP: #1605493)
    - Latest maintenance release includes only fixes to serious bugs.
  * Previous release 5.5.51 included fixes for
    the following security vulnerabilities:
    - CVE-2016-6662
  * Previous release 5.5.50 included fixes for
    the following security vulnerabilities:
    - CVE-2016-5440
    - CVE-2016-3615
    - CVE-2016-3521
    - CVE-2016-3477
  * Update previous changelog entries to contain new CVE identifiers

 -- Otto Kekäläinen <email address hidden> Wed, 14 Sep 2016 21:01:08 +0300

Changed in mariadb-5.5 (Ubuntu):
status: Incomplete → Fix Released
Otto Kekäläinen (otto)
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)