CVE-2022-32091 et al affect MariaDB in Ubuntu

Bug #1996452 reported by Otto Kekäläinen
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| mariadb-10.3 (Ubuntu) | Fix Released | Undecided | Otto Kekäläinen | |
| mariadb-10.6 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| mariadb-10.6 (Ubuntu Jammy) | Fix Released | Undecided | Eduardo Barretto | |
| mariadb-10.6 (Ubuntu Kinetic) | Fix Released | Undecided | Eduardo Barretto | |

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.3 in Focal
- mariadb-10.6 in Jammy
- mariadb-10.6 in Kinetic

MariaDB 10.6 in Lunar will automatically import the new version from Debian Sid once available.

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Revision history for this message
Otto Kekäläinen (otto) wrote :

MariaDB 1:10.3.37-0ubuntu0.20.04.1 is ready on branch https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/ubuntu-20.04.

Before trusting that branch, please verify that the starting point matches what is the current contents in Ubuntu 20.04 (https://launchpad.net/ubuntu/+source/mariadb-10.3) and check that you can find passing builds with corresponding git commit id at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Before upload you might want to also check out current reported bugs at https://bugs.launchpad.net/ubuntu/+source/mariadb-10.3 and consider if you want to have other updates included, or even just changelog updates.

Otto Kekäläinen (otto) wrote :

MariaDB 1:10.6.11-0ubuntu0.22.10.1 is ready on branch https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.10, but it would actually not constitute a security upload, so you might not be interested in it.

Otto Kekäläinen (otto) wrote :

MariaDB 1:10.6.11-0ubuntu0.22.04.1 is ready on branch https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.04.

Before trusting that branch, please verify that the starting point matches what is the current contents in Ubuntu 22.04 (https://launchpad.net/ubuntu/+source/mariadb-10.6) and check that you can find passing builds with corresponding git commit id at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.6/+builds?build_text=&build_state=all

Before upload you might want to also check out current reported bugs at https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6 and consider if you want to have other updates included, or even just changelog updates.

Eduardo Barretto (ebarretto) wrote :

Thank you as always Otto!

I will be taking a look at sponsoring it and verifying everything you pointed out.
I will let you know how it goes.

no longer affects: mariadb-10.3 (Ubuntu Jammy)
no longer affects: mariadb-10.3 (Ubuntu Kinetic)
Changed in mariadb-10.6 (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Kinetic):
assignee: nobody → Eduardo Barretto (ebarretto)
Eduardo Barretto (ebarretto) wrote :

Hi Otto,

We will sponsor the 22.10 version as well; even though there's no clear sign that it has a security fix, it still makes sense.

I tried to build the 22.10 version and I'm facing some issues:
1. The release name in the changelog is UNRELEASED
2. One of the patches is not applying:
```
dpkg-source: info: applying rocksdb-kfreebsd.patch
patching file storage/rocksdb/build_rocksdb.cmake
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- a/storage/rocksdb/rocksdb/CMakeLists.txt
|+++ b/storage/rocksdb/rocksdb/CMakeLists.txt
--------------------------
No file to patch. Skipping patch.
2 out of 2 hunks ignored
can't find file to patch at input line 40
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- a/storage/rocksdb/rocksdb/build_tools/build_detect_platform
|+++ b/storage/rocksdb/rocksdb/build_tools/build_detect_platform
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 60
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- a/storage/rocksdb/rocksdb/env/env_posix.cc
|+++ b/storage/rocksdb/rocksdb/env/env_posix.cc
--------------------------
No file to patch. Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 92
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- a/storage/rocksdb/rocksdb/port/stack_trace.cc
|+++ b/storage/rocksdb/rocksdb/port/stack_trace.cc
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
```

The same patch applied fine in 22.04 btw.

Otto Kekäläinen (otto) wrote : Re: [Bug 1996452] Re: CVE-2022-32091 et al affect MariaDB in Ubuntu

Hi Eduardo!

Yes, the changelog has UNRELEASED because I did not finalize it. If you want to upload 22.10 too, I can finalize the changelog on Friday (traveling until then).

Patches don't apply if the git submodule is missing. Run `git submodule update --init`.

See debian/salsa-ci.yml for more build details.

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Yes, that's fine :)
I'll wait for your last changes and I can release everything by Monday/Tuesday next week.

I'm curious why the git submodule in this one specifically failed and not in the jammy version.
Our steps to sponsor your MariaDB updates are written here:
https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Thanks again :)

Otto Kekäläinen (otto) wrote :

Branch 22.10 now updated (no UNRELEASED anymore). https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.10

For the submodule status I don't know what was going on on your machine. This is what you should see:

```
± git submodule status
 f1e2165c591f074feb47872a8ff712713ec411e1 extra/wolfssl/wolfssl (v5.5.1-stable)
 72b40bfaa869f3fe84242471dda989d13983d84c libmariadb (v3.3.2-9-g72b40bfa)
 5923beeab9397aa22563ff7b1f0f31ad8054bae6 storage/columnstore/columnstore (vcolumnstore-6.4.6-1)
 3846890513df0653b8919bc45a7600f9b55cab31 storage/maria/libmarias3 (heads/master)
 bba5e7bc21093d7cfa765e1280a7c4fdcd284288 storage/rocksdb/rocksdb (bba5e7b)
 8bfce04189671eb1f06e0fa83dff8c880f31088f wsrep-lib (remotes/origin/HEAD)

± git log --oneline
1c7d0d1cae6 (HEAD -> ubuntu-22.10, origin/ubuntu-22.10) Update changelog for 1:10.6.11-0ubuntu0.22.10.1 release
cf654d5e255 Update changelog and refresh patches after 10.6.11 import
6d8bcf83113 Merge tag 'mariadb-10.6.11' into ubuntu-22.10
1f0b61387e4 Start new git branch for Ubuntu 22.10 (Kinetic) maintenance
```

The branch https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.04 was fine all the time, but you did not upload it yet it seems?

Also, will you work on mariadb-10.3 in Focal?
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/ubuntu-20.04

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Thanks for providing the changes, I just uploaded all three versions to our security-proposed PPA and should be releasing them later today.

Regarding the submodule issue, I think at the end it was some issue in my chroot. I deleted the old one, created a new one and things just worked.

I still had to make some changes to the kinetic changelog: made it kinetic-security and added a reference to this LP ticket.

Thanks again for providing those updates
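The changelog problems raised in this thread (a top entry still UNRELEASED, the distribution needing to be kinetic-security, a missing LP reference) and the starting-point check the sponsor is asked to do can all be caught before upload with a small lint. This is an added example, not part of the MariaDB packaging or the Ubuntu sponsoring tooling; the sample changelog and the older entry's version in it are constructed.

```python
# Added example, not the MariaDB packaging's own code: a pre-upload changelog
# lint for the issues in this thread (UNRELEASED, -security, LP ref, base version).
import re

HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=\S+$")

def parse_entries(text):
    # Split the changelog into dicts with source, version, dist and body lines.
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new "source (version) dist; urgency=..." header line
            current = dict(m.groupdict(), body=[])
            entries.append(current)
        elif current is not None:
            current["body"].append(line)
    return entries

def lint_changelog(text, series, lp_bug, expected_previous=None):
    """Return a list of problems; an empty list means ready for upload."""
    entries = parse_entries(text)
    if not entries:
        return ["no changelog entries found"]
    top, problems = entries[0], []
    if top["dist"] == "UNRELEASED":
        problems.append("top entry is UNRELEASED; finalize the changelog")
    elif top["dist"] != f"{series}-security":
        problems.append(f"distribution is {top['dist']}, expected {series}-security")
    if f"LP: #{lp_bug}" not in "\n".join(top["body"]):
        problems.append(f"top entry does not reference LP: #{lp_bug}")
    # Starting-point check: the entry below the new one must be the version the
    # archive currently publishes, otherwise the branch was not based on it.
    if expected_previous is not None:
        previous = entries[1]["version"] if len(entries) > 1 else None
        if previous != expected_previous:
            problems.append(f"previous entry {previous} != published {expected_previous}")
    return problems

# Constructed, truncated sample of a kinetic changelog before finalization; the
# older entry's version is made up for the example.
SAMPLE = """\
mariadb-10.6 (1:10.6.11-0ubuntu0.22.10.1) UNRELEASED; urgency=medium

  * New upstream version 10.6.11.

 -- Otto Kekäläinen <email address hidden>  Sun, 20 Nov 2022 19:22:48 -0800

mariadb-10.6 (1:10.6.9-0ubuntu0.22.10.1) kinetic-security; urgency=medium
"""
```

Running `lint_changelog(SAMPLE, "kinetic", 1996452, "1:10.6.9-0ubuntu0.22.10.1")` reports the UNRELEASED entry and the missing LP reference, which is what the sponsor had to fix by hand here.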

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mariadb-10.3 (Ubuntu):
status: New → Confirmed
Changed in mariadb-10.6 (Ubuntu Jammy):
status: New → Confirmed
Changed in mariadb-10.6 (Ubuntu Kinetic):
status: New → Confirmed
Changed in mariadb-10.6 (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.37-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.37-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.37 includes fixes for security
    vulnerabilities from previous releases as listed below (LP: #1996452)
  * Previous upstream version 10.3.36 included security fixes for:
    - CVE-2018-25032
    - CVE-2022-32084
    - CVE-2022-32091
  * Previous upstream version 10.3.35 included security fixes for:
    - CVE-2021-46669
    - CVE-2022-21427
    - CVE-2022-27376
    - CVE-2022-27377
    - CVE-2022-27378
    - CVE-2022-27379
    - CVE-2022-27380
    - CVE-2022-27381
    - CVE-2022-27383
    - CVE-2022-27384
    - CVE-2022-27386
    - CVE-2022-27387
    - CVE-2022-27445
    - CVE-2022-27447
    - CVE-2022-27448
    - CVE-2022-27449
    - CVE-2022-27452
    - CVE-2022-27456
    - CVE-2022-27458
    - CVE-2022-32083
    - CVE-2022-32085
    - CVE-2022-32087
    - CVE-2022-32088

 -- Otto Kekäläinen <email address hidden> Sat, 12 Nov 2022 22:11:54 -0800

Changed in mariadb-10.3 (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.11-0ubuntu0.22.04.1

---------------
mariadb-10.6 (1:10.6.11-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.6.11 includes fixes for security
    vulnerabilities from previous releases as listed below (LP: #1996452)
  * New upstream version 10.6.10. Includes several important fixes for
    issues that regressed in previous release. See details in:
    https://mariadb.org/regressions-in-recent-mariadb-server-releases/
  * New upstream version 10.6.9. Includes security fixes for
    - CVE-2018-25032
    - CVE-2022-32081
    - CVE-2022-32082
    - CVE-2022-32084
    - CVE-2022-32089
    - CVE-2022-32091
  * New upstream version 10.6.8. Includes security fixes for
    - CVE-2021-46669
    - CVE-2022-27376
    - CVE-2022-27377
    - CVE-2022-27378
    - CVE-2022-27379
    - CVE-2022-27380
    - CVE-2022-27381
    - CVE-2022-27382
    - CVE-2022-27383
    - CVE-2022-27384
    - CVE-2022-27386
    - CVE-2022-27387
    - CVE-2022-27444
    - CVE-2022-27445
    - CVE-2022-27446
    - CVE-2022-27447
    - CVE-2022-27448
    - CVE-2022-27449
    - CVE-2022-27451
    - CVE-2022-27452
    - CVE-2022-27455
    - CVE-2022-27456
    - CVE-2022-27457
    - CVE-2022-27458
    - CVE-2022-32085
    - CVE-2022-32086
    - CVE-2022-32087
    - CVE-2022-32088
  * Clean away several patches:
    - Remove Mroonga patch that didn't help make it build in a reproducible way.
      The patch does not hurt, but cleaning away all excess cruft is a vice.
    - Remove multiple patches that all got merged upstream or that were
      themselves backported existing upstream commits.
    - Remove the OpenSSL 30 patches that all got merged upstream in
      https://github.com/MariaDB/server/pull/2036
  * Add Bulgarian and Chinese translations for error messages
  * Include new wsrep_sst_backup in mariadb-server-10.6 package

 -- Otto Kekäläinen <email address hidden> Sat, 12 Nov 2022 23:48:47 -0800

Changed in mariadb-10.6 (Ubuntu Jammy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.11-0ubuntu0.22.10.1

---------------
mariadb-10.6 (1:10.6.11-0ubuntu0.22.10.1) kinetic-security; urgency=medium

  * New upstream version 10.6.11. Neither 10.6.11 nor 10.6.10 contain any
    known CVE tracked security vulnerabilities. (LP: #1996452)

 -- Otto Kekäläinen <email address hidden> Sun, 20 Nov 2022 19:22:48 -0800

Changed in mariadb-10.6 (Ubuntu Kinetic):
status: Confirmed → Fix Released
Otto Kekäläinen (otto) wrote :

Thanks Eduardo!

Sorry, thanks for finalizing this. If you have further improvement suggestions to the packaging, feel free to submit a Merge Request on Salsa.

I also see that 10.6.11-1 from Debian unstable has synced to Lunar proposed, so we are all good here.

Otto Kekäläinen (otto) wrote :

Seems the changelog was not exactly the same as in version control:

https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commit/4dc894c4142aa3b849737bf757cbc29c0b000786

vs

http://changelogs.ubuntu.com/changelogs/pool/universe/m/mariadb-10.3/mariadb-10.3_10.3.37-0ubuntu0.20.04.1/changelog

mariadb-10.3 ubuntu-20.04(+0/-2)+* ± git diff
diff --git a/debian/changelog b/debian/changelog
index 9c97d96aa..d2b05a2d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,8 +30,6 @@ mariadb-10.3 (1:10.3.37-0ubuntu0.20.04.1) focal-security; urgency=medium
     - CVE-2022-32085
     - CVE-2022-32087
     - CVE-2022-32088
- * Previous upstream release 10.3.35 included fix for MDEV-27937
- (LP: #1964622)

  -- Otto Kekäläinen <email address hidden> Sat, 12 Nov 2022 22:11:54 -0800
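Review bot: the two removed lines drop the "(LP: #1964622)" reference from the published focal-security entry, so that upload could not auto-close bug 1964622 and the status had to be changed by hand. To keep the branch equal to what the archive actually contains (the starting-point check the sponsor is asked to do before trusting the branch), commit the changelog exactly as uploaded instead of leaving the two-line difference in the working tree.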

I marked https://bugs.launchpad.net/ubuntu/+source/mariadb-10.3/+bug/1964622 as fixed now manually, so all good.

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Yes, I was going to send you a PR for the changelog changes to 22.10, but I only got access to Debian Salsa today. Thank you for merging it.

Changed in mariadb-10.6 (Ubuntu):
status: Confirmed → Fix Released