MySQL Server installation fails if root password contains special characters such as apostrophe

Bug #1598992 reported by davidreedernst on 2016-07-05
This bug affects 2 people
Affects: mysql-5.7 (Ubuntu), Importance: High, Assigned to: Lars Tangvald
Affects: Xenial, Importance: High, Assigned to: Lars Tangvald

Bug Description

The postinst script for mysql-server-5.7 can take a root password for the server as input. It does not properly escape this password before passing it to the server in an SQL script.

[Impact]
If a user enters a root password containing such characters, MySQL will throw a syntax error when d/postinst tries to set it, causing postinst failure.

One would expect the password to support special characters, and e.g. pwgen -y will generate passwords containing such characters.

We fix this by passing the password through coreutils' printf %q, which escapes all special characters.

[Test case]
Install the mysql-server-5.7 package, and enter "pass'word" when prompted for the root password. This should work.

[Regression Potential]
This change has been in Yakkety for some time (5.7.15-0ubuntu2).

== printf %q changes behavior ==
Unlikely, since it's part of coreutils, but it might cause similar syntax errors as what is seen now, or result in a root password that is different from what the user expects (fixable for an admin, but would be confusing).

== printf %q escapes characters that should not be escaped ==
Some characters, such as $, do not need to be escaped for MySQL, but are escaped by printf %q. For those tested, MySQL supports both (passing \$ is equivalent to passing $), but if this support is incomplete it could result in syntax error and postinst failure.

[Original description]
Running Linux Mint 18, I had trouble installing mysql-server. After a fair amount of frustration, I dug around, found a temp file that had a command in it to change my root password, my password was there (in plain text), and had a clear problem with the apostrophe in the password. It looked something like this:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YouWeren'tExpectingThis');

I didn't save the file, did successfully install MySQL with a password without the single quote, and I'm not going to undo that all just to give a better bug report. I'm sure your programmers won't have any trouble tracking this down.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mysql-server-5.7 5.7.12-0ubuntu1.1
ProcVersionSignature: Ubuntu 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Mon Jul 4 22:36:34 2016
InstallationDate: Installed on 2016-07-02 (2 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
Logs.var.log.daemon.log:

MySQLConf.etc.mysql.conf.d.mysql.cnf: [mysql]
MySQLConf.etc.mysql.conf.d.mysqldump.cnf:
 [mysqldump]
 quick
 quote-names
 max_allowed_packet = 16M
MySQLConf.etc.mysql.mysql.conf.d.mysqld_safe_syslog.cnf:
 [mysqld_safe]
 syslog
MySQLVarLibDirListing: False
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mysql-5.7
UpgradeStatus: No upgrade log present (probably fresh install)

davidreedernst (via-web) wrote :
Robie Basak (racb) on 2016-07-06
Changed in mysql-5.7 (Ubuntu):
importance: Undecided → High
assignee: nobody → Lars Tangvald (lars-tangvald)
Lars Tangvald (lars-tangvald) wrote :

We have pretty much the same issue with the upstream packages. Filtering the password with printf %q in postinst seems to escape the characters correctly so the password can be passed to the server.

Upstream report: http://bugs.mysql.com/bug.php?id=81958

Robie Basak (racb) on 2016-07-14
Changed in mysql-5.7 (Ubuntu Xenial):
importance: Undecided → High
Changed in mysql-5.7 (Ubuntu):
status: New → In Progress
Gasol Wu (gasol-wu) wrote :

According to Table 10.1, Special Character Escape Sequences [1], if the debconf dialog can't accept unprintable characters, we can easily and safely escape the single quote to resolve this issue.

[1]: https://dev.mysql.com/doc/refman/5.7/en/string-literals.html
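As an added illustration (not the Ubuntu postinst and not the patch that was uploaded), the statement quoted in the original description built two ways: with the password interpolated verbatim, as the unpatched script effectively did, and with the single quote and backslash escaped per Table 10.1 as suggested above, plus a pre-flight check a maintainer script could run before writing the init file. The function names are assumptions; the escaper deliberately touches only \ and ', so unlike printf %q it leaves $ alone and never switches to $'...' quoting.

```shell
#!/bin/sh
# Added example, not the mysql-5.7 packaging code. POSIX sh only.

# Escape a value for use inside a single-quoted MySQL string literal
# (Table 10.1: \\ for backslash, \' for single quote). Backslashes go
# first so the ones we add for quotes are not doubled afterwards.
mysql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# The unescaped form: an apostrophe in the password closes the literal
# early and the rest of the password becomes stray SQL tokens.
naive_statement() {
    printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');" "$1"
}

# The escaped form: the literal survives apostrophes and backslashes.
escaped_statement() {
    printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');" \
        "$(mysql_escape "$1")"
}

# Pre-flight check: drop escaped pairs (\\ and \') and count the single
# quotes that are left. This statement has exactly six delimiting quotes
# ('root', 'localhost', and the password literal); any other count means
# the password broke the literal and the server would reject the file.
unescaped_quote_count() {
    printf '%s' "$1" | sed 's/\\\\//g; s/\\'"'"'//g' | tr -cd "'" | wc -c | tr -d ' '
}

# Returns 0 when the statement is well formed, 1 otherwise.
statement_is_well_formed() {
    [ "$(unescaped_quote_count "$1")" = 6 ]
}

# Constructed sample: the password from the original report.
pw="YouWeren'tExpectingThis"
if statement_is_well_formed "$(naive_statement "$pw")"; then
    echo "naive statement: ok"
else
    echo "naive statement: broken literal (would fail in postinst)"
fi
if statement_is_well_formed "$(escaped_statement "$pw")"; then
    echo "escaped statement: ok"
fi
```

Command substitution strips trailing newlines, so a password ending in a newline would still need to be written to the init file directly rather than captured into a variable.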

The attachment "mysql-5.7_5.7.13-0ubuntu5.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Lars Tangvald (lars-tangvald) wrote :

Updated the incorrect bug

Changed in mysql-5.7 (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Changed in mysql-5.7 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.7 - 5.7.15-0ubuntu2

---------------
mysql-5.7 (5.7.15-0ubuntu2) yakkety; urgency=medium

  * Add working dir to perl lib path for dep8 upstream.
    New versions of perl will no longer automatically include working dir in
    the path. This was causing the mtr suite to fail to start.
  * Change mysql-testsuite dependency from python to libjson-perl.
    Tests written in python were rewritten in perl, so testsuite no longer
    depends on python, but tests fail if libjson-perl is missing.
  * Build with DWITH_LZ4=system
    If the flag is not set the package will be built with a bundled liblz4
    instead of the one provided by the liblz4-dev build-dep.
  * Add support for custom datadir to systemd service (LP: #1574782)
    The service was reporting errors if no database was found in /var/lib/mysql
    It will now check the path specified in the config
  * Fix support for soft-link datadir (LP: #1474212)
    Upgrading more than once when datadir is soft-link was causing errors
  * Escape special characters in password (LP: #1598992)
    The password string was not escaped, causing SQL errors if certain special
    characters such as apostrophes were included.
  * Removed always-false check on purge in postrm (LP: #1602945)
    Users were never seeing the query to remove data on a package purge

 -- Lars Tangvald <email address hidden> Fri, 16 Sep 2016 22:23:41 +0200

Changed in mysql-5.7 (Ubuntu):
status: Fix Committed → Fix Released
davidreedernst (via-web) wrote :

Excellent. As the one who wrote the bug report at the top of this thread, I'm very glad to see that it's been resolved. Thank you!

tags: added: xenial-candidate
summary: - MySQL Server installation freezes if root password contains a single
- quote (apostrophe)
+ MySQL Server installation freezes if root password contains special
+ characters such as apostrophe
summary: - MySQL Server installation freezes if root password contains special
+ MySQL Server installation fails if root password contains special
characters such as apostrophe
description: updated
Changed in mysql-5.7 (Ubuntu Xenial):
assignee: nobody → Lars Tangvald (lars-tangvald)
status: New → Fix Committed
Changed in mysql-5.7 (Ubuntu Xenial):
status: Fix Committed → In Progress
Robie Basak (racb) on 2017-01-06
Changed in mysql-5.7 (Ubuntu Xenial):
milestone: none → xenial-updates

Hello davidreedernst, or anyone else affected,

Accepted mysql-5.7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.17-0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in mysql-5.7 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Lars Tangvald (lars-tangvald) wrote :

Verified fixed with 5.7.17-0ubuntu0.16.04.2 (simple password with apostrophe and various other special characters)

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.7 - 5.7.17-0ubuntu0.16.04.2

---------------
mysql-5.7 (5.7.17-0ubuntu0.16.04.2) xenial; urgency=medium

  * Add libjson-perl dependency for test suite (LP: #1631338)
    The last two python tests in the mtr suite were rewritten
    in perl, and require this package. Added for mysql-testsuite
    and as a build-dep.
  * Build with DWITH_LZ4=system (LP: #1631339)
    Package was previously built with bundled liblz4, though it
    was specified as a build-dep.
  * Add support for custom datadir to systemd service (LP: #1574782)
    The service was reporting an error if no database could be found in
    /var/lib/mysql. It now checks the location specified in the config.
    Note that user must still handle apparmor access for custom datadir.
  * Fix copy of soft-link datadir to /var/lib/mysql-upgrade (LP: #1474212)
    Upgrade would sometimes fail if mysql-upgrade already contained a
    link copy from a previous upgrade.
  * Escape special characters in password (LP: #1598992)
    Special characters in the root password would cause syntax errors
    and postinst failures.
  * Failing tests on platforms supported by upstream fail build (LP: #1646488)
    A passing test suite is now enforced on i386 and amd64 platforms at
    build-time.
  * d/copyright: Updated with information about new source files
  * Unstable test main.xa_prepared_binlog_off disabled pending upstream fix.
    Upstream bug report: http://bugs.mysql.com/bug.php?id=83340
  * d/lintian-overrides: Updated line numbers

 -- Lars Tangvald <email address hidden> Fri, 03 Feb 2017 08:53:04 +0100

Changed in mysql-5.7 (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for mysql-5.7 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
