databases/mariadb55-server: Fix vulnerabilities

- Add vulnerability patch from upstream - Improve OQGraph BROKEN message - Take maintaintership MFH: 2017Q1 Security: 7c27192f-0bc3-11e7-9940-b499baebfeaf Security: 4d2f9d09-ddb7-11e6-a9a5-b499baebfeaf Security: CVE-2017-3313 Security: CVE-2017-3302
svn path=/head/; revision=436493
2025-07-18 17:59:20 -04:00 · 2017-03-19 13:30:52 +00:00 · 2017-03-19 13:30:52 +00:00 · 54e46da2e7 · 2021-03-31 03:12:20 +00:00
commit 54e46da2e7
parent 40d5c6960e
3 changed files with 251 additions and 3 deletions
--- a/databases/mariadb55-client/files/patch-CVE-2017-3302
+++ b/databases/mariadb55-client/files/patch-CVE-2017-3302
@ -0,0 +1,124 @@
+From eef21014898d61e77890359d6546d4985d829ef6 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 16 Feb 2017 11:32:47 +0100
+Subject: [PATCH] MDEV-11933 Wrong usage of linked list in
+ mysql_prune_stmt_list
+
+mysql_prune_stmt_list() was walking the list following
+element->next pointers, but inside the loop it was invoking
+list_add(element) that modified element->next. So, mysql_prune_stmt_list()
+failed to visit and reset all elements, and some of them were left
+with pointers to invalid MYSQL.
+---
+ sql-common/client.c       | 11 ++---------
+ tests/mysql_client_test.c | 50 +++++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 50 insertions(+), 11 deletions(-)
+
+diff --git a/sql-common/client.c b/sql-common/client.c
+index c2e0cc3..b348afc 100644
+--- sql-common/client.c.orig
+++ sql-common/client.c
+@@ -1,5 +1,5 @@
+ /* Copyright (c) 2003, 2016, Oracle and/or its affiliates.
+-   Copyright (c) 2009, 2016, MariaDB
+   Copyright (c) 2009, 2017, MariaDB
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -3819,8 +3819,6 @@ static void mysql_close_free(MYSQL *mysql)
+ static void mysql_prune_stmt_list(MYSQL *mysql)
+ {
+   LIST *element= mysql->stmts;
+-  LIST *pruned_list= 0;
+-
+   for (; element; element= element->next)
+   {
+     MYSQL_STMT *stmt= (MYSQL_STMT *) element->data;
+@@ -3830,14 +3828,9 @@ static void mysql_prune_stmt_list(MYSQL *mysql)
+       stmt->last_errno= CR_SERVER_LOST;
+       strmov(stmt->last_error, ER(CR_SERVER_LOST));
+       strmov(stmt->sqlstate, unknown_sqlstate);
+-    }
+-    else
+-    {
+-      pruned_list= list_add(pruned_list, element);
+      mysql->stmts= list_delete(mysql->stmts, element);
+     }
+   }
+-
+-  mysql->stmts= pruned_list;
+ }
+ 
+ 
+diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
+index 446018e..f62545d 100644
+--- tests/mysql_client_test.c.orig
+++ tests/mysql_client_test.c
+@@ -1,5 +1,5 @@
+-/* Copyright (c) 2002, 2012, Oracle and/or its affiliates.
+-   Copyright (c) 2008, 2012, Monty Program Ab
+/* Copyright (c) 2002, 2014, Oracle and/or its affiliates.
+   Copyright (c) 2008, 2017, MariaDB
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -19031,6 +19031,49 @@ static void test_mdev4326()
+   myquery(rc);
+ }
+ 
+
+/**
+   BUG#17512527: LIST HANDLING INCORRECT IN MYSQL_PRUNE_STMT_LIST()
+*/
+static void test_bug17512527()
+{
+  MYSQL *conn;
+  MYSQL_STMT *stmt1, *stmt2;
+  unsigned long thread_id;
+  char query[MAX_TEST_QUERY_LENGTH];
+  int rc;
+
+  conn= client_connect(0, MYSQL_PROTOCOL_SOCKET, 1);
+
+  stmt1 = mysql_stmt_init(conn);
+  check_stmt(stmt1);
+  rc= mysql_stmt_prepare(stmt1, STRING_WITH_LEN("SELECT 1"));
+  check_execute(stmt1, rc);
+
+  stmt2 = mysql_stmt_init(conn);
+  check_stmt(stmt2);
+
+  thread_id= mysql_thread_id(conn);
+  sprintf(query, "KILL %lu", thread_id);
+  if (thread_query(query))
+    exit(1);
+
+  rc= mysql_stmt_prepare(stmt2, STRING_WITH_LEN("SELECT 2"));
+  check_execute(stmt2, rc);
+
+  rc= mysql_stmt_execute(stmt1);
+  check_execute_r(stmt1, rc);
+
+  rc= mysql_stmt_execute(stmt2);
+  check_execute(stmt2, rc);
+
+  mysql_close(conn);
+
+  mysql_stmt_close(stmt2);
+  mysql_stmt_close(stmt1);
+}
+
+
+ static struct my_tests_st my_tests[]= {
+   { "disable_query_logs", disable_query_logs },
+   { "test_view_sp_list_fields", test_view_sp_list_fields },
+@@ -19297,6 +19340,9 @@ static struct my_tests_st my_tests[]= {
+   { "test_bug13001491", test_bug13001491 },
+   { "test_mdev4326", test_mdev4326 },
+   { "test_ps_sp_out_params", test_ps_sp_out_params },
+#ifndef _WIN32
+  { "test_bug17512527", test_bug17512527},
+#endif
+   { 0, 0 }
+ };
+ 
--- a/databases/mariadb55-server/Makefile
+++ b/databases/mariadb55-server/Makefile
@ -2,7 +2,7 @@

 PORTNAME?=	mariadb
 PORTVERSION=	5.5.54
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://ftp.osuosl.org/pub/mariadb/${PORTNAME}-${PORTVERSION}/source/ \
 		http://mirrors.supportex.net/mariadb/${PORTNAME}-${PORTVERSION}/source/ \
@ -15,7 +15,7 @@ MASTER_SITES=	http://ftp.osuosl.org/pub/mariadb/${PORTNAME}-${PORTVERSION}/sourc
 		http://mirror.switch.ch/mirror/mariadb/${PORTNAME}-${PORTVERSION}/source/
 PKGNAMESUFFIX?=	55-server

-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	brnrd@FreeBSD.org
 COMMENT?=	Multithreaded SQL database (server)

 LICENSE=	GPLv2
@ -101,7 +101,7 @@ OQGRAPH_DESC=	Open Query Graph Computation engine

 OQGRAPH_USE=	GCC=yes
 OQGRAPH_LIB_DEPENDS=	libboost_system.so:devel/boost-libs
-OQGRAPH_BROKEN=	yes
+OQGRAPH_BROKEN=	OQGraph does not build

 MAXKEY_EXTRA_PATCHES=	${FILESDIR}/extra-patch-include_my_compare.h
 .endif
--- a/databases/mariadb55-server/files/patch-CVE-2017-3302
+++ b/databases/mariadb55-server/files/patch-CVE-2017-3302
@ -0,0 +1,124 @@
+From eef21014898d61e77890359d6546d4985d829ef6 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 16 Feb 2017 11:32:47 +0100
+Subject: [PATCH] MDEV-11933 Wrong usage of linked list in
+ mysql_prune_stmt_list
+
+mysql_prune_stmt_list() was walking the list following
+element->next pointers, but inside the loop it was invoking
+list_add(element) that modified element->next. So, mysql_prune_stmt_list()
+failed to visit and reset all elements, and some of them were left
+with pointers to invalid MYSQL.
+---
+ sql-common/client.c       | 11 ++---------
+ tests/mysql_client_test.c | 50 +++++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 50 insertions(+), 11 deletions(-)
+
+diff --git a/sql-common/client.c b/sql-common/client.c
+index c2e0cc3..b348afc 100644
+--- sql-common/client.c.orig
+++ sql-common/client.c
+@@ -1,5 +1,5 @@
+ /* Copyright (c) 2003, 2016, Oracle and/or its affiliates.
+-   Copyright (c) 2009, 2016, MariaDB
+   Copyright (c) 2009, 2017, MariaDB
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -3819,8 +3819,6 @@ static void mysql_close_free(MYSQL *mysql)
+ static void mysql_prune_stmt_list(MYSQL *mysql)
+ {
+   LIST *element= mysql->stmts;
+-  LIST *pruned_list= 0;
+-
+   for (; element; element= element->next)
+   {
+     MYSQL_STMT *stmt= (MYSQL_STMT *) element->data;
+@@ -3830,14 +3828,9 @@ static void mysql_prune_stmt_list(MYSQL *mysql)
+       stmt->last_errno= CR_SERVER_LOST;
+       strmov(stmt->last_error, ER(CR_SERVER_LOST));
+       strmov(stmt->sqlstate, unknown_sqlstate);
+-    }
+-    else
+-    {
+-      pruned_list= list_add(pruned_list, element);
+      mysql->stmts= list_delete(mysql->stmts, element);
+     }
+   }
+-
+-  mysql->stmts= pruned_list;
+ }
+ 
+ 
+diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
+index 446018e..f62545d 100644
+--- tests/mysql_client_test.c.orig
+++ tests/mysql_client_test.c
+@@ -1,5 +1,5 @@
+-/* Copyright (c) 2002, 2012, Oracle and/or its affiliates.
+-   Copyright (c) 2008, 2012, Monty Program Ab
+/* Copyright (c) 2002, 2014, Oracle and/or its affiliates.
+   Copyright (c) 2008, 2017, MariaDB
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -19031,6 +19031,49 @@ static void test_mdev4326()
+   myquery(rc);
+ }
+ 
+
+/**
+   BUG#17512527: LIST HANDLING INCORRECT IN MYSQL_PRUNE_STMT_LIST()
+*/
+static void test_bug17512527()
+{
+  MYSQL *conn;
+  MYSQL_STMT *stmt1, *stmt2;
+  unsigned long thread_id;
+  char query[MAX_TEST_QUERY_LENGTH];
+  int rc;
+
+  conn= client_connect(0, MYSQL_PROTOCOL_SOCKET, 1);
+
+  stmt1 = mysql_stmt_init(conn);
+  check_stmt(stmt1);
+  rc= mysql_stmt_prepare(stmt1, STRING_WITH_LEN("SELECT 1"));
+  check_execute(stmt1, rc);
+
+  stmt2 = mysql_stmt_init(conn);
+  check_stmt(stmt2);
+
+  thread_id= mysql_thread_id(conn);
+  sprintf(query, "KILL %lu", thread_id);
+  if (thread_query(query))
+    exit(1);
+
+  rc= mysql_stmt_prepare(stmt2, STRING_WITH_LEN("SELECT 2"));
+  check_execute(stmt2, rc);
+
+  rc= mysql_stmt_execute(stmt1);
+  check_execute_r(stmt1, rc);
+
+  rc= mysql_stmt_execute(stmt2);
+  check_execute(stmt2, rc);
+
+  mysql_close(conn);
+
+  mysql_stmt_close(stmt2);
+  mysql_stmt_close(stmt1);
+}
+
+
+ static struct my_tests_st my_tests[]= {
+   { "disable_query_logs", disable_query_logs },
+   { "test_view_sp_list_fields", test_view_sp_list_fields },
+@@ -19297,6 +19340,9 @@ static struct my_tests_st my_tests[]= {
+   { "test_bug13001491", test_bug13001491 },
+   { "test_mdev4326", test_mdev4326 },
+   { "test_ps_sp_out_params", test_ps_sp_out_params },
+#ifndef _WIN32
+  { "test_bug17512527", test_bug17512527},
+#endif
+   { 0, 0 }
+ };
+