USN-2291-1: MySQL vulnerabilities also applies to MariaDB

Bug #1363222 reported by Otto Kekäläinen on 2014-08-29
Affects: mariadb-5.5 (Ubuntu)
Importance: Undecided
Assigned to: Otto Kekäläinen

Bug Description

The security notice http://www.ubuntu.com/usn/usn--2291-1/ also applies to package mariadb-5.5 in Trusty universe. As 5.5.38 wasn't released in Trusty until 5.5.39 came out, and it too includes security fixes, the latest mariadb-5.5.39 should be uploaded to Ubuntu.

Here is the changelog in Debian (http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/tree/debian/changelog):

mariadb-5.5 (5.5.39-1) unstable; urgency=low

  * New upstream release.
    * Fixes an error when handling MyISAM temporary files can be
      exploited to execute arbitrary code (Secunia Advisory SA60599)
  * Add patch to fix kFreeBSD builds
  * Fixed wrongly applied fix of MDEV-5957 (Closes: #752203)

mariadb-5.5 (5.5.38-1) unstable; urgency=low

  * New upstream release.
  * Added upstream release signing key in preparation for future use
  * Made libterm-readkey-perl a depends instead of suggest (LP: #1324082)
  * Add patch to fix HPPA build error (Closes: #751805)
  * Fixed lots and lots of Lintian warnings
  * Disabled TokuDB (Closes: #753222). Remember to re-enable if once
    https://mariadb.atlassian.net/browse/MDEV-6449 is closed.
  * Add in retrospect corresponding MariaDB CVEs for
    Oracle SPU July 2014 (Closes: #754940)
    - CVE-2014-2494
    - CVE-2014-4207
    - CVE-2014-4243
    - CVE-2014-4258
    - CVE-2014-4260

MariaDB 5.5.39 has been in Debian for a while, and the backported version is available at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb

On request by the Ubuntu security team I will create a separate version for Trusty upload and add it as a patch to this bug report.

Otto Kekäläinen (otto) on 2014-08-29
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
status: New → In Progress
Otto Kekäläinen (otto) wrote :

Patch attached. Here are the steps to deploy this patch:

1. apt-get source mariadb-server - on Trusty will download and unpack mariadb-5.5_5.5.37-0ubuntu0.14.04.1.debian.tar.gz

2. Download mariadb-5.5.39.tar.gz from https://downloads.mariadb.org/mariadb/5.5.39/#os_group=source and rename it to mariadb-5.5_5.5.39.orig.tar.gz

3. Check that sha256sum matches:
cb850865ab55ce5f01c99a612cc75b76ead5d75adfa75a606f453d32f9089d14 mariadb-5.5.39.orig.tar.gz

4. Unpack mariadb-5.5.39.orig.tar.gz, mariadb-5.5.39/ is created

5. Replace upstream mariadb-5.5.39/debian/* with mariadb-5.5-5.5.37/debian/* from Trusty

6. Apply the attached patch mariadb-5.5_5.5.37-0ubuntu0.14.04.1__5.5.39-0ubuntu0.14.04.1.diff on mariadb-5.5.39/debian/

7. Build and ship

Unlike #1313187 I don't have time now to create test repos, but I guess they are not needed.

For more information about MariaDB in Debian and Ubuntu, please see https://wiki.debian.org/Teams/MySQL/MariaDBPlan
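The seven deployment steps above as one script, added here as an example and not part of the bug report or the attached patch. It assumes a Trusty host with dpkg-dev and the build dependencies installed, that mariadb-5.5.39.tar.gz has already been downloaded from the page linked in step 2 into the current directory alongside the attached diff, and that the diff applies at strip level 1 (-p1); the expected digest is the one quoted in step 3.

```shell
#!/bin/sh
# Added example, not part of the bug report: the rebuild procedure from the
# comment above as a script. Assumptions: Trusty host with dpkg-dev and the
# build-deps installed, mariadb-5.5.39.tar.gz already downloaded into the
# current directory next to the attached diff, and -p1 as the patch level.
set -eu

NEW=5.5.39
OLD=5.5.37
EXPECTED_SHA256=cb850865ab55ce5f01c99a612cc75b76ead5d75adfa75a606f453d32f9089d14
PATCH="mariadb-5.5_${OLD}-0ubuntu0.14.04.1__${NEW}-0ubuntu0.14.04.1.diff"

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 3: succeed only if the tarball's digest equals the pinned value, so a
# corrupted or substituted upstream tarball never reaches the build.
verify_orig_tarball() {
    [ "$(sha256_of "$1")" = "$2" ]
}

rebuild_mariadb() {
    apt-get source mariadb-server                              # step 1: Trusty packaging
    mv "mariadb-${NEW}.tar.gz" "mariadb-5.5_${NEW}.orig.tar.gz" # step 2: Debian orig name
    if ! verify_orig_tarball "mariadb-5.5_${NEW}.orig.tar.gz" "$EXPECTED_SHA256"; then
        echo "sha256 mismatch for mariadb-5.5_${NEW}.orig.tar.gz, refusing to build" >&2
        return 1
    fi
    tar xzf "mariadb-5.5_${NEW}.orig.tar.gz"                   # step 4: creates mariadb-5.5.39/
    rm -rf "mariadb-${NEW}/debian"                             # step 5: Trusty debian/ replaces upstream's
    cp -a "mariadb-5.5-${OLD}/debian" "mariadb-${NEW}/debian"
    patch -p1 --dry-run -d "mariadb-${NEW}/debian" < "$PATCH"  # step 6: check before applying
    patch -p1 -d "mariadb-${NEW}/debian" < "$PATCH"
    (cd "mariadb-${NEW}" && dpkg-buildpackage -us -uc)         # step 7: build; upload as usual
}

# Only run the full rebuild when explicitly asked, so sourcing this file for
# the verification helper has no side effects.
if [ "${1:-}" = "--run" ]; then
    rebuild_mariadb
fi
```

Invoke with `--run` to perform the rebuild; without it the script only defines the functions.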

Seth Arnold (seth-arnold) wrote :

Thanks Otto, the patch looks good, I'll test build it locally soon, and the builders if my local build looks good.

Thanks for asking upstream to include gpg signatures! Success on that front too.

> Thanks for asking upstream to include gpg signatures! Success on that
> front too.

Yes, they responded quickly on that request and I've implemented pgpsigurlmangle at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/tree/debian/watch but I can't seem to get it working.

If you can figure out how to write the watch file you can easily send a pull request via https://github.com/ottok/mariadb-5.5 :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.39-0ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.39-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.39 to fix security issues (LP: #1363222)
    * 5.5.39
      - Fixes an error when handling MyISAM temporary files can be
        exploited to execute arbitrary code (Secunia Advisory SA60599)
    * 5.5.38
      - CVE-2014-2494
      - CVE-2014-4207
      - CVE-2014-4243
      - CVE-2014-4258
      - CVE-2014-4260
  * Import a few important packaging bug fixes available in Debian
 -- Otto Kekaelaeinen <email address hidden> Fri, 29 Aug 2014 23:04:24 +0300

Changed in mariadb-5.5 (Ubuntu):
status: In Progress → Fix Released
information type: Private Security → Public Security