USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB

Bug #1451677 reported by Otto Kekäläinen on 2015-05-05
This bug affects 1 person
Affects: mariadb-10.0 (Ubuntu); Importance: Medium; Assigned to: Tyler Hicks
Affects: mariadb-5.5 (Ubuntu); Importance: Undecided; Assigned to: Otto Kekäläinen

Bug Description

The mentioned security notice also affects MariaDB, and the latest release includes fixes.

From https://mariadb.com/kb/en/mariadb/mariadb-5543-release-notes/:

  Fixes for the following security vulnerabilities:
    CVE-2015-0501
    CVE-2015-2571
    CVE-2015-0505
    CVE-2015-0499

I will produce a security release and upload it as a patch to this bug report.

Otto Kekäläinen (otto) wrote :

The 14.04 patch is now done. You can view the whole diff from current Ubuntu 14.04 MariaDB 5.5.41 release to 5.5.43 at https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.41-1ubuntu0.14.04.1...ubuntu-14.04

For a diff that only includes the changes for debian/* files after importing upstream 5.5.43 on the base, see https://github.com/ottok/mariadb-5.5/compare/f7f0aa7dc852bdecd2ec6e619aa5fc8c200af770...ubuntu-14.04

You can download it as a diff from the URL:
https://github.com/ottok/mariadb-5.5/compare/f7f0aa7dc852bdecd2ec6e619aa5fc8c200af770...ubuntu-14.04.diff

This is the debdiff you should apply on top of the current 5.5.41 package in Ubuntu and for the non debian/* stuff, get the upstream mariadb-5.5.41.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).

Successful public build available (and also installable from the PPA) at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Note: I haven't actually tested installs or upgrades yet, but as you can see in the debdiff there are no changes to control files or install scripts.

Next I'll do the same for 14.10.

Otto Kekäläinen (otto) on 2015-05-05
information type: Private Security → Public Security
Otto Kekäläinen (otto) wrote :

The matching diffs for 14.10 are:

https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.41-1ubuntu0.14.10.1...ubuntu-14.10
https://github.com/ottok/mariadb-5.5/compare/aaca754...ubuntu-14.10

As ready to be applied diff:
https://github.com/ottok/mariadb-5.5/compare/aaca754...ubuntu-14.10.diff
..or patch format:
https://github.com/ottok/mariadb-5.5/compare/aaca754...ubuntu-14.10.patch

Successful public build available (and also installable from the PPA) at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Note: I haven't actually tested installs or upgrades yet, but as you can see in the debdiff there are no changes to control files or install scripts.

Otto Kekäläinen (otto) on 2015-05-09
description: updated
Otto Kekäläinen (otto) wrote :

Backported fix to crashing mysql_upgrade from 10.0.19 to 5.5.43 as upstream said they will postpone publishing 5.5.44 for now, see https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/

Otto Kekäläinen (otto) wrote :

Ping Ubuntu maintainers?

Tyler Hicks (tyhicks) wrote :

Hi Otto - If you're ready for security sponsorship, please subscribe ubuntu-security-sponsors, as documented at https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors. Thanks!

Otto Kekäläinen (otto) on 2015-05-18
Changed in mariadb-5.5 (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Thanks Otto, packages are building now.

There is an oddity I noticed in the .debdiffs I generated: there are /tmp/*/... files changed in the packages. From the trusty package:

$ grep ^Binary !$
grep ^Binary ../source/mariadb-5.5_5.5.43*debdiff
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/bad_row_type.MYI and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/bad_row_type.MYI differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/bad_row_type.frm and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/bad_row_type.frm differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/mysql_upgrade/event.MYI and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/mysql_upgrade/event.MYI differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/mysql_upgrade/event.frm and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/mysql_upgrade/event.frm differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.loglog.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.loglog.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.binlog.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.binlog.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.loglog.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.loglog.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma55.tokudb753.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.my55.tokudb753.loglog.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.my55.tokudb753.loglog.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ps56.tokudb754.loglog.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ps56.tokudb754.loglog.png differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ps56.tokudb754.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ps56.tokudb754.png differ

.. and from the utopic package:

$ grep ^Binary ../source/*debdiff
Binary files /tmp/_2kqsreixm/mariadb-5.5-5.5.41/mysql-test/std_data/bad_row_type.MYI and /tmp/_3iphoFfwM/mariadb-5.5-5.5.43/mysql-test/std_data/bad_row_type.MYI differ
Binary files /tmp/_2kqsreixm/mariadb-5.5-5.5.41/mysql-test/std_data/bad_row_type.frm and /tmp/_3iphoFfwM/mariadb-5.5-5.5.43/mysql-test/std_data/bad_row_type.frm differ
Binary files /tmp/_2kqsreixm/mariadb-5.5-5.5.41/mysql-test/std_data/mysql_upgrade/event.MYI and /tmp/_3iphoFfwM/mariadb-5.5-5.5.43/mysql-test/std_da...


Otto Kekäläinen (otto) wrote :

Thanks for the feedback!

Here is a diff on the deb file contents between .41 and .43:

$ diff filelist-7a16260.log filelist-c26f269.log
800d799
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/error_simulation-master.opt
838d836
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/frm_bad_row_type-7333.test
1167d1164
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/uniques_crash-7912.test
1238d1234
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/table_keyinfo-6838.test
1247d1242
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/ctype_uca_innodb.test
1283d1277
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/filesort_bad_i_s-7585.test
1343d1336
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/t/mysql_upgrade_view.test
1820d1812
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/frm_bad_row_type-7333.result
1890d1881
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/ctype_uca_innodb.result
2128d2118
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/mysql_upgrade_view.result
2131d2120
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/uniques_crash-7912.result
2154d2142
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/table_keyinfo-6838.result
2241d2228
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/r/filesort_bad_i_s-7585.result
2277d2263
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/bad_row_type.frm
2399,2407d2384
< drwxr-xr-x root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/v4.frm
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/v3.frm
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/v1badcheck.frm
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/event.MYI
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/event.frm
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/v1.frm
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/event.MYD
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/mysql_upgrade/v2.frm
2420d2396
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/bad_row_type.MYI
2426d2401
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/std_data/bad_row_type.MYD
2645d2619
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/binlog/t/temptable_uservar_disconnect-7938.test
2767d2740
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/binlog/r/temptable_uservar_disconnect-7938.result
3451d3423
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/sys_vars/t/stored_program_cache_func.test
3459d3430
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/sys_vars/r/stored_program_cache_func.result
6279d6249
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/rpl/t/rpl_special_charset.opt
6297d6266
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/rpl/t/rpl_drop_db_fail.test
6550d6518
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/rpl/t/rpl_special_charset.test
6597d6564
< -rw-r--r-- root/root ./usr/share/mysql/mysql-test/suite/rpl/t/show_status_stop_slave_race-7126.test
6887d6853...


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.43-1ubuntu0.14.10.1

---------------
mariadb-5.5 (5.5.43-1ubuntu0.14.10.1) utopic-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.43 to fix security issues (LP: #1451677):
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
  * Hotfix patch to fix the server crash caused by mysql_upgrade (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Tue, 05 May 2015 09:17:31 +0300

Changed in mariadb-5.5 (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.43-1ubuntu0.14.04.2

---------------
mariadb-5.5 (5.5.43-1ubuntu0.14.04.2) trusty-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.43 to fix security issues (LP: #1451677):
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
  * Hotfix patch to fix the server crash caused by mysql_upgrade (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Tue, 05 May 2015 09:17:31 +0300

Changed in mariadb-5.5 (Ubuntu):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

I'm sorry Otto, I misunderstood the output from debdiff. It even feels slightly familiar that I may have made this mistake before with the mariadb packages. I'm sorry for wasting your time on it.

Thanks again for preparing updates! It's very much appreciated.
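
Added example, not part of the thread and not code from either commenter: debdiff unpacks the old and the new source package into separate temporary directories before diffing them, which is why the "Binary files" lines quoted earlier carry /tmp/... prefixes. The sketch below reduces such lines to paths inside the source tree and counts them per top-level directory; the function names are hypothetical and the sample input is partly constructed.

```sh
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# debdiff unpacks the old and new source packages into separate temporary
# directories and diffs the trees, so the /tmp/<random>/<pkg>-<version>/
# prefix on a "Binary files" line is an unpack location, not a shipped path.

# binary_changes: read debdiff output on stdin; for every
# "Binary files OLD and NEW differ" line print the path inside the source
# tree, recovered as the trailing path components OLD and NEW have in common.
binary_changes() {
    awk '
    /^Binary files .* and .* differ$/ {
        line = $0
        sub(/^Binary files /, "", line)
        sub(/ differ$/, "", line)
        cut = index(line, " and /")      # assumes no " and /" inside a path
        if (cut == 0) next
        oldp = substr(line, 1, cut - 1)
        newp = substr(line, cut + 5)
        n = split(oldp, a, "/"); m = split(newp, b, "/")
        rel = ""
        while (n > 0 && m > 0 && (a[n] "") == (b[m] "")) {
            rel = (rel == "") ? a[n] : a[n] "/" rel
            n--; m--
        }
        print (rel != "" ? rel : newp)   # no shared suffix: keep NEW as is
    }'
}

# binary_summary: changed binary files per top-level source directory, so a
# reviewer sees at once whether any of them sit under debian/.
binary_summary() {
    binary_changes | awk -F/ '{ c[$1]++ } END { for (d in c) print c[d], d }' | sort -k2
}

# Sample input: the first line is constructed; the three "Binary files" lines
# are copied from the trusty output quoted in this thread.
sample_debdiff() {
    cat <<'EOF'
diff -Nru mariadb-5.5-5.5.41/VERSION mariadb-5.5-5.5.43/VERSION
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/bad_row_type.MYI and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/bad_row_type.MYI differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/mysql-test/std_data/mysql_upgrade/event.frm and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/mysql-test/std_data/mysql_upgrade/event.frm differ
Binary files /tmp/XkuaG7K9CK/mariadb-5.5-5.5.41/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.png and /tmp/LgKKv09Sby/mariadb-5.5-5.5.43/storage/tokudb/doc2/sysbench.update.ma10.tokudb754.png differ
EOF
}

sample_debdiff | binary_summary
```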

Otto Kekäläinen (otto) wrote :

This also applies for MariaDB 10.0 which is in Vivid. I have prepared a branch for 15.04 at https://github.com/ottok/mariadb-10.0/tree/ubuntu-15.04 and I will send a debdiff for you.

What is the proper version number for vivid security update?
See https://github.com/ottok/mariadb-10.0/commit/a2bcc761a3d08c50fc8944887428d926f3acd9bb

Otto Kekäläinen (otto) wrote :

Attached output of command 'git diff ubuntu/10.0.17-0ubuntu1 ubuntu-15.04 debian/ > ../10.0.20-1ubuntu0.15.04.1.diff' when run in the ubuntu-15.04 branch of https://github.com/ottok/mariadb-10.0/tree/ubuntu-15.04

The result is the debdiff.

Get the original upstream source from upstream, e.g. using uscan.

Tyler Hicks (tyhicks) wrote :

Hi Otto - the version you used is correct.

I'm building the package over the weekend and expect to publish the update Monday morning if everything goes as planned. Thanks!

Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Hello Otto - I should be publishing the 15.04 updates shortly. Do you plan on preparing an update for mariadb-10.0 in the devel release (Wily)?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.20-0ubuntu0.15.04.1

---------------
mariadb-10.0 (10.0.20-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.20 (via .18 and .19) fixes security issues:
    - CVE-2015-3152: Client command line option --ssl-verify-server-cert (and
      MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used
      together with --ssl will ensure that the established connection is
      SSL-encrypted and the MariaDB server has a valid certificate.
      (LP: #1464895)
    - CVE-2014-8964: bundled PCRE contained heap-based buffer overflow
      vulnerability that allowed the server to crash or have other unspecified
      impact via a crafted regular expression made possible with the
      REGEXP_SUBSTR function (MDEV-8006).
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
    (LP: #1451677)
  * New release includes fix for memory corruption on arm64 (LP: #1427406)
  * Upstream also includes lots of line ending changes (from CRLF -> LF)

 -- Otto Kekäläinen <email address hidden> Fri, 03 Jul 2015 17:39:42 +0300

Changed in mariadb-10.0 (Ubuntu):
status: In Progress → Fix Released
Otto Kekäläinen (otto) wrote :

@TylerHicks: I don't plan to do a separate release for Wily as I expect that it will sync the latest version from Debian unstable before 15.10 release.

Otto Kekäläinen (otto) wrote :

@TylerHicks: sorry, I didn't realize that syncing from Debian has stopped in 15.04 and later releases. So 15.10 went unpatched..

Anyway, I've now opened #1512241 for a new security issue.

Otto Kekäläinen (otto) on 2016-10-31
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)