mariadb: fix CVE-2025-30722
Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N). Reference: https://security-tracker.debian.org/tracker/CVE-2025-30722 Upstream-patch: https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
committed by
Gyorgy Sarvari
parent
6306bae883
commit
3c55e66f1f
@@ -34,6 +34,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
|
||||
file://CVE-2024-21096-0004.patch \
|
||||
file://CVE-2024-21096-0005.patch \
|
||||
file://CVE-2025-21490.patch \
|
||||
file://CVE-2025-30722.patch \
|
||||
"
|
||||
SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
|
||||
|
||||
|
||||
@@ -0,0 +1,176 @@
|
||||
From 6aa860be27480db134a3c71065b9b47d15b72674 Mon Sep 17 00:00:00 2001
|
||||
From: Sergei Golubchik <serg@mariadb.org>
|
||||
Date: Tue, 11 Mar 2025 11:22:00 +0100
|
||||
Subject: [PATCH] MDEV-36268 mariadb-dump used wrong quoting character
|
||||
|
||||
use ' not " and use quote_for_equal()
|
||||
|
||||
Backported according to mariadb 10.11.12
|
||||
|
||||
CVE: CVE-2025-30722
|
||||
|
||||
Upstream-Status: Backport [https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674]
|
||||
|
||||
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
|
||||
---
|
||||
client/mysqldump.c | 15 +++++++----
|
||||
mysql-test/main/mysqldump-system.result | 6 ++---
|
||||
mysql-test/main/mysqldump.result | 33 +++++++++++++++++++++++++
|
||||
mysql-test/main/mysqldump.test | 9 +++++++
|
||||
4 files changed, 55 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/client/mysqldump.c b/client/mysqldump.c
|
||||
index 767413b1..9c0921c0 100644
|
||||
--- a/client/mysqldump.c
|
||||
+++ b/client/mysqldump.c
|
||||
@@ -2175,7 +2175,7 @@ static char *quote_for_equal(const char *name, char *buff)
|
||||
*to++='\\';
|
||||
}
|
||||
if (*name == '\'')
|
||||
- *to++= '\\';
|
||||
+ *to++= '\'';
|
||||
*to++= *name++;
|
||||
}
|
||||
to[0]= '\'';
|
||||
@@ -3707,7 +3707,7 @@ static void dump_trigger_old(FILE *sql_file, MYSQL_RES *show_triggers_rs,
|
||||
|
||||
fprintf(sql_file,
|
||||
"DELIMITER ;;\n"
|
||||
- "/*!50003 SET SESSION SQL_MODE=\"%s\" */;;\n"
|
||||
+ "/*!50003 SET SESSION SQL_MODE='%s' */;;\n"
|
||||
"/*!50003 CREATE */ ",
|
||||
(*show_trigger_row)[6]);
|
||||
|
||||
@@ -4686,17 +4686,19 @@ static int dump_all_users_roles_and_grants()
|
||||
return 1;
|
||||
while ((row= mysql_fetch_row(tableres)))
|
||||
{
|
||||
+ char buf[200];
|
||||
if (opt_replace_into)
|
||||
/* Protection against removing the current import user */
|
||||
/* MySQL-8.0 export capability */
|
||||
fprintf(md_result_file,
|
||||
"DELIMITER |\n"
|
||||
- "/*M!100101 IF current_user()=\"%s\" THEN\n"
|
||||
+ "/*M!100101 IF current_user()=%s THEN\n"
|
||||
" SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001,"
|
||||
" MESSAGE_TEXT=\"Don't remove current user %s'\";\n"
|
||||
"END IF */|\n"
|
||||
"DELIMITER ;\n"
|
||||
- "/*!50701 DROP USER IF EXISTS %s */;\n", row[0], row[0], row[0]);
|
||||
+ "/*!50701 DROP USER IF EXISTS %s */;\n",
|
||||
+ quote_for_equal(row[0],buf), row[0], row[0]);
|
||||
if (dump_create_user(row[0]))
|
||||
result= 1;
|
||||
/* if roles exist, defer dumping grants until after roles created */
|
||||
@@ -6770,6 +6772,7 @@ static my_bool get_view_structure(char *table, char* db)
|
||||
char *result_table, *opt_quoted_table;
|
||||
char table_buff[NAME_LEN*2+3];
|
||||
char table_buff2[NAME_LEN*2+3];
|
||||
+ char temp_buff[NAME_LEN*2 + 3], temp_buff2[NAME_LEN*2 + 3];
|
||||
char query[QUERY_LENGTH];
|
||||
FILE *sql_file= md_result_file;
|
||||
DBUG_ENTER("get_view_structure");
|
||||
@@ -6830,7 +6833,9 @@ static my_bool get_view_structure(char *table, char* db)
|
||||
"SELECT CHECK_OPTION, DEFINER, SECURITY_TYPE, "
|
||||
" CHARACTER_SET_CLIENT, COLLATION_CONNECTION "
|
||||
"FROM information_schema.views "
|
||||
- "WHERE table_name=\"%s\" AND table_schema=\"%s\"", table, db);
|
||||
+ "WHERE table_name=%s AND table_schema=%s",
|
||||
+ quote_for_equal(table, temp_buff2),
|
||||
+ quote_for_equal(db, temp_buff));
|
||||
|
||||
if (mysql_query(mysql, query))
|
||||
{
|
||||
diff --git a/mysql-test/main/mysqldump-system.result b/mysql-test/main/mysqldump-system.result
|
||||
index 5619ec70..b502bd8d 100644
|
||||
--- a/mysql-test/main/mysqldump-system.result
|
||||
+++ b/mysql-test/main/mysqldump-system.result
|
||||
@@ -648,21 +648,21 @@ INSTALL PLUGIN test_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB';
|
||||
/*M!100401 UNINSTALL PLUGIN IF EXIST cleartext_plugin_server */;
|
||||
INSTALL PLUGIN cleartext_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB';
|
||||
DELIMITER |
|
||||
-/*M!100101 IF current_user()="'mariadb.sys'@'localhost'" THEN
|
||||
+/*M!100101 IF current_user()='''mariadb.sys''@''localhost''' THEN
|
||||
SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'mariadb.sys'@'localhost''";
|
||||
END IF */|
|
||||
DELIMITER ;
|
||||
/*!50701 DROP USER IF EXISTS 'mariadb.sys'@'localhost' */;
|
||||
CREATE /*M!100103 OR REPLACE */ USER `mariadb.sys`@`localhost` PASSWORD EXPIRE;
|
||||
DELIMITER |
|
||||
-/*M!100101 IF current_user()="'root'@'localhost'" THEN
|
||||
+/*M!100101 IF current_user()='''root''@''localhost''' THEN
|
||||
SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'root'@'localhost''";
|
||||
END IF */|
|
||||
DELIMITER ;
|
||||
/*!50701 DROP USER IF EXISTS 'root'@'localhost' */;
|
||||
CREATE /*M!100103 OR REPLACE */ USER `root`@`localhost`;
|
||||
DELIMITER |
|
||||
-/*M!100101 IF current_user()="'foobar'@'%'" THEN
|
||||
+/*M!100101 IF current_user()='''foobar'@'%''' THEN
|
||||
SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'foobar'@'%''";
|
||||
END IF */|
|
||||
DELIMITER ;
|
||||
diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result
|
||||
index ca9260f1..c55e5e49 100644
|
||||
--- a/mysql-test/main/mysqldump.result
|
||||
+++ b/mysql-test/main/mysqldump.result
|
||||
@@ -6699,4 +6699,37 @@ CREATE TABLE `t1` (
|
||||
/*!40101 SET character_set_client = @saved_cs_client */;
|
||||
ERROR at line 9: Not allowed in the sandbox mode
|
||||
drop table t1;
|
||||
+#
|
||||
+# MDEV-36268 mariadb-dump used wrong quoting character
|
||||
+#
|
||||
+create table t1 (a int);
|
||||
+create view `v'1"2` as select * from t1 with check option;
|
||||
+/*M!999999\- enable the sandbox mode */
|
||||
+/*!40101 SET @saved_cs_client = @@character_set_client */;
|
||||
+/*!40101 SET character_set_client = utf8mb4 */;
|
||||
+CREATE TABLE `t1` (
|
||||
+ `a` int(11) DEFAULT NULL
|
||||
+) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;
|
||||
+/*!40101 SET character_set_client = @saved_cs_client */;
|
||||
+SET @saved_cs_client = @@character_set_client;
|
||||
+SET character_set_client = utf8mb4;
|
||||
+/*!50001 CREATE VIEW `v'1"2` AS SELECT
|
||||
+ 1 AS `a` */;
|
||||
+SET character_set_client = @saved_cs_client;
|
||||
+/*!50001 DROP VIEW IF EXISTS `v'1"2`*/;
|
||||
+/*!50001 SET @saved_cs_client = @@character_set_client */;
|
||||
+/*!50001 SET @saved_cs_results = @@character_set_results */;
|
||||
+/*!50001 SET @saved_col_connection = @@collation_connection */;
|
||||
+/*!50001 SET character_set_client = utf8 */;
|
||||
+/*!50001 SET character_set_results = utf8 */;
|
||||
+/*!50001 SET collation_connection = utf8_general_ci */;
|
||||
+/*!50001 CREATE ALGORITHM=UNDEFINED */
|
||||
+/*!50013 DEFINER=`root`@`localhost` SQL SECURITY DEFINER */
|
||||
+/*!50001 VIEW `v'1"2` AS select `t1`.`a` AS `a` from `t1` */
|
||||
+/*!50002 WITH CASCADED CHECK OPTION */;
|
||||
+/*!50001 SET character_set_client = @saved_cs_client */;
|
||||
+/*!50001 SET character_set_results = @saved_cs_results */;
|
||||
+/*!50001 SET collation_connection = @saved_col_connection */;
|
||||
+drop view `v'1"2`;
|
||||
+drop table t1;
|
||||
# End of 10.5 tests
|
||||
diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test
|
||||
index 9248f2ac..64d73ad3 100644
|
||||
--- a/mysql-test/main/mysqldump.test
|
||||
+++ b/mysql-test/main/mysqldump.test
|
||||
@@ -3003,4 +3003,13 @@ EOF
|
||||
--remove_file $MYSQLTEST_VARDIR/tmp/mdev33727.sql
|
||||
drop table t1;
|
||||
|
||||
+--echo #
|
||||
+--echo # MDEV-36268 mariadb-dump used wrong quoting character
|
||||
+--echo #
|
||||
+create table t1 (a int);
|
||||
+create view `v'1"2` as select * from t1 with check option; # "'
|
||||
+--exec $MYSQL_DUMP --compact test
|
||||
+drop view `v'1"2`; # "'
|
||||
+drop table t1;
|
||||
+
|
||||
--echo # End of 10.5 tests
|
||||
--
|
||||
2.40.0
|
||||
|
||||
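Review bot: In the `dump_all_users_roles_and_grants()` hunk of `client/mysqldump.c`, the new `char buf[200];` is handed to `quote_for_equal(row[0], buf)`, which takes no length argument and, as its own hunk shows, emits an extra character for each quote in the input, so the result can need up to `2*strlen(row[0])+3` bytes. `row[0]` is supplied by the server and its maximum length is not visible in this hunk; unless it is guaranteed to stay under roughly 98 bytes, a long or quote-heavy account string could write past the stack buffer in the client. The `get_view_structure()` hunk sizes its buffers as `NAME_LEN*2 + 3` for the same call, and this call should be bounded too, for example by rejecting the row when `strlen(row[0]) * 2 + 3 > sizeof(buf)` or by allocating the buffer from the row length. The unchanged `MESSAGE_TEXT=\"Don't remove current user %s'\"` line in the same `fprintf` still places `row[0]` inside double quotes, which looks like the quoting problem this patch fixes elsewhere and is worth checking against upstream. Both functions start and end outside the hunks shown.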