CVE-2025-21490 et al affects MariaDB in Ubuntu

Bug #2099785 reported by Otto Kekäläinen
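| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mariadb (Ubuntu) | Status tracked in Plucky | | | |
| mariadb (Ubuntu) Noble | In Progress | Undecided | Eduardo Barretto | |
| mariadb (Ubuntu) Oracular | In Progress | Undecided | Eduardo Barretto | |
| mariadb (Ubuntu) Plucky | New | Undecided | Otto Kekäläinen | |
| mariadb-10.6 (Ubuntu) | New | Undecided | Unassigned | |
| mariadb-10.6 (Ubuntu) Jammy | In Progress | Undecided | Eduardo Barretto | |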

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Noble
- mariadb (11.4) in Oracular

MariaDB 11.4 in Plucky will automatically import the new version from Debian Sid once Ubuntu maintainers drop the delta and sync (unless already done).

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
and https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2067125 for reference of previous MariaDB CVE updates.

Otto Kekäläinen (otto) wrote :

Note that this will also include a fix for https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2034125. There haven't been any CVEs in the past couple of MariaDB releases, hence the gap in e.g. 10.6.18->10.6.21.

I intend to renew the SRU MRI permission for MariaDB so we can avoid gaps in versions but I have not yet had time to complete the process. Details at https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2086527.

Otto Kekäläinen (otto) wrote :
Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Thanks for preparing those!
I received your tag in salsa and will do a review shortly.

no longer affects: mariadb-10.6 (Ubuntu Noble)
no longer affects: mariadb-10.6 (Ubuntu Oracular)
no longer affects: mariadb-10.6 (Ubuntu Plucky)
no longer affects: mariadb (Ubuntu Jammy)
Changed in mariadb (Ubuntu Noble):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Oracular):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Plucky):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.6 (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Noble):
status: New → In Progress
Eduardo Barretto (ebarretto) wrote :

I've uploaded mariadb for noble into our security-proposed PPA. I will check on Tuesday (out on Monday) if we got any autopkgtest results for it.
For oracular are you working on it?

And for jammy, as I mentioned in the PR, it is missing in the pristine-tar.

Thanks!

Changed in mariadb (Ubuntu Noble):
status: In Progress → Fix Committed
Changed in mariadb-10.6 (Ubuntu Jammy):
status: New → In Progress
Eduardo Barretto (ebarretto) wrote :
Otto Kekäläinen (otto) wrote :

I am looking into these now...

https://launchpadlibrarian.net/780028462/buildlog_ubuntu-noble-riscv64.mariadb_1%3A10.11.11-0ubuntu0.24.04.1_BUILDING.txt.gz :
```
[ 20%] Building C object mysys/CMakeFiles/mysys.dir/lf_alloc-pin.c.o
cd /<<PKGBUILDDIR>>/builddir/mysys && /usr/bin/cc -DHAVE_CONFIG_H -D_FILE_OFFSET_BITS=64 -I/<<PKGBUILDDIR>>/wsrep-lib/include -I/<<PKGBUILDDIR>>/wsrep-lib/wsrep-API/v26 -I/<<PKGBUILDDIR>>/builddir/include -I/<<PKGBUILDDIR>>/include/providers -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/mysys -g -O2 -fno-omit-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -fno-stack-clash-protection -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/mariadb-1:10.11.11-0ubuntu0.24.04.1 -Wdate-time -D_FORTIFY_SOURCE=3 -Wdate-time -D_FORTIFY_SOURCE=3 -pie -fPIC -fstack-protector --param=ssp-buffer-size=4 -O3 -g -DNDEBUG -g -fno-omit-frame-pointer -fno-strict-aliasing -Wno-uninitialized -fno-omit-frame-pointer -DDBUG_OFF -Wall -Wdeclaration-after-statement -Wenum-compare -Wenum-conversion -Wextra -Wformat-security -Wmissing-braces -Wno-format-truncation -Wno-init-self -Wno-nonnull-compare -Wno-unused-parameter -Wvla -Wwrite-strings -std=gnu99 -Wdate-time -D_FORTIFY_SOURCE=3 -fPIC -MD -MT mysys/CMakeFiles/mysys.dir/lf_alloc-pin.c.o -MF CMakeFiles/mysys.dir/lf_alloc-pin.c.o.d -o CMakeFiles/mysys.dir/lf_alloc-pin.c.o -c /<<PKGBUILDDIR>>/mysys/lf_alloc-pin.c
/tmp/cclf2UNo.s: Assembler messages:
/tmp/cclf2UNo.s:265: Error: unrecognized opcode `pause', extension `zihintpause' required
/tmp/cclf2UNo.s:1168: Error: unrecognized opcode `pause', extension `zihintpause' required
make[4]: *** [mysys/CMakeFiles/mysys.dir/build.make:1367: mysys/CMakeFiles/mysys.dir/lf_alloc-pin.c.o] Error 1
```

https://launchpadlibrarian.net/780036342/buildlog_ubuntu-jammy-riscv64.mariadb-10.6_1%3A10.6.21-0ubuntu0.22.04.1_BUILDING.txt.gz :
```
[ 12%] Building C object storage/mroonga/vendor/groonga/lib/CMakeFiles/libgroonga.dir/id.c.o
In file included from /<<PKGBUILDDIR>>/mysys/lf_hash.cc:30:
/<<PKGBUILDDIR>>/include/my_cpu.h: In function ‘void MY_RELAX_CPU()’:
/<<PKGBUILDDIR>>/include/my_cpu.h:100:3: error: ‘__builtin_riscv_pause’ was not declared in this scope; did you mean ‘__builtin_riscv_fsflags’?
  100 | __builtin_riscv_pause();
      | ^~~~~~~~~~~~~~~~~~~~~
      | __builtin_riscv_fsflags
```

I don't know how to fix these, so asking upstream for advice:

https://jira.mariadb.org/browse/MDEV-36217
_New MY_RELAX_CPU dependency on riscv_pause breaks riscv64 build (Regression from MDEV-35827)_

Otto Kekäläinen (otto) wrote :

Sorry for the long delay but there were a bunch of issues to resolve. I have now at https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/109 pending review, which includes not only the riscv64 build fix, but also a potential extra security fix and a severe regression fix.

I am still doing a bit of extra testing and double-checking with upstream they agree with these picks. You can however Eduardo already review it from your point of view.

My plan is to have the 24.10 upload done first to validate that everything works and riscv64 builds pass etc, and after the validation I will provide updates for the 22.04 and 24.04 versions.

Eduardo Barretto (ebarretto) wrote :

Hey Otto, sorry for the delay too, I was out last Friday.
I will take a look at the PR and will try to trigger a test build on the ppa to see if it passes fine now.
Thanks again for investigating and preparing those.

Otto Kekäläinen (otto) wrote :

I merged https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/109 and in the absence of other comments from upstream this is good to upload to Ubuntu 24.10 Oracular now.

As the 1:10.11.11-0ubuntu0.24.04.1 for Noble failed, should I increment the next version to be 1:10.11.11-1ubuntu0.24.04.1 or 1:10.11.11-0ubuntu0.24.04.2?

Changed in mariadb (Ubuntu Oracular):
status: New → In Progress
Changed in mariadb (Ubuntu Noble):
status: Fix Committed → In Progress
Eduardo Barretto (ebarretto) wrote :

If you don't mind, I think it would be better to go to the `1:10.11.11-0ubuntu0.24.04.2` version instead since the .1 version is updated to the security-proposed and perhaps some brave people use that ppa in their machines. Therefore superseding it is a better solution as we cannot publish the same version to the same ppa.

Otto Kekäläinen (otto) wrote :

Please upload the 24.10 first to verify that all is good, and if no issues, you can follow up by uploading https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/108 and https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/111

This report contains Public Security information  
Everyone can see this security related information.