diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 27b5c46fa1..048e43d962 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
 file://CVE-2024-21096-0004.patch \
 file://CVE-2024-21096-0005.patch \
 file://CVE-2025-21490.patch \
+ file://CVE-2025-30722.patch \
 "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch
new file mode 100644
index 0000000000..d7e74d66f0
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch
@@ -0,0 +1,176 @@
+From 6aa860be27480db134a3c71065b9b47d15b72674 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik
+Date: Tue, 11 Mar 2025 11:22:00 +0100
+Subject: [PATCH] MDEV-36268 mariadb-dump used wrong quoting character
+
+use ' not " and use quote_for_equal()
+
+Backported according to mariadb 10.11.12
+
+CVE: CVE-2025-30722
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674]
+
+Signed-off-by: Divya Chellam
+---
+ client/mysqldump.c | 15 +++++++----
+ mysql-test/main/mysqldump-system.result | 6 ++---
+ mysql-test/main/mysqldump.result | 33 +++++++++++++++++++++++++
+ mysql-test/main/mysqldump.test | 9 +++++++
+ 4 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/client/mysqldump.c b/client/mysqldump.c
+index 767413b1..9c0921c0 100644
+--- a/client/mysqldump.c
++++ b/client/mysqldump.c
+@@ -2175,7 +2175,7 @@ static char *quote_for_equal(const char *name, char *buff)
+ *to++='\\';
+ }
+ if (*name == '\'')
+- *to++= '\\';
++ *to++= '\'';
+ *to++= *name++;
+ }
+ to[0]= '\'';
+@@ -3707,7 +3707,7 @@ static void dump_trigger_old(FILE *sql_file, MYSQL_RES *show_triggers_rs,
+
+ fprintf(sql_file,
+ "DELIMITER ;;\n"
+- "/*!50003 SET SESSION SQL_MODE=\"%s\" */;;\n"
++ "/*!50003 SET SESSION SQL_MODE='%s' */;;\n"
+ "/*!50003 CREATE */ ",
+ (*show_trigger_row)[6]);
+
+@@ -4686,17 +4686,19 @@ static int dump_all_users_roles_and_grants()
+ return 1;
+ while ((row= mysql_fetch_row(tableres)))
+ {
++ char buf[200];
+ if (opt_replace_into)
+ /* Protection against removing the current import user */
+ /* MySQL-8.0 export capability */
+ fprintf(md_result_file,
+ "DELIMITER |\n"
+- "/*M!100101 IF current_user()=\"%s\" THEN\n"
++ "/*M!100101 IF current_user()=%s THEN\n"
+ " SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001,"
+ " MESSAGE_TEXT=\"Don't remove current user %s'\";\n"
+ "END IF */|\n"
+ "DELIMITER ;\n"
+- "/*!50701 DROP USER IF EXISTS %s */;\n", row[0], row[0], row[0]);
++ "/*!50701 DROP USER IF EXISTS %s */;\n",
++ quote_for_equal(row[0],buf), row[0], row[0]);
+ if (dump_create_user(row[0]))
+ result= 1;
+ /* if roles exist, defer dumping grants until after roles created */
+@@ -6770,6 +6772,7 @@ static my_bool get_view_structure(char *table, char* db)
+ char *result_table, *opt_quoted_table;
+ char table_buff[NAME_LEN*2+3];
+ char table_buff2[NAME_LEN*2+3];
++ char temp_buff[NAME_LEN*2 + 3], temp_buff2[NAME_LEN*2 + 3];
+ char query[QUERY_LENGTH];
+ FILE *sql_file= md_result_file;
+ DBUG_ENTER("get_view_structure");
+@@ -6830,7 +6833,9 @@ static my_bool get_view_structure(char *table, char* db)
+ "SELECT CHECK_OPTION, DEFINER, SECURITY_TYPE, "
+ " CHARACTER_SET_CLIENT, COLLATION_CONNECTION "
+ "FROM information_schema.views "
+- "WHERE table_name=\"%s\" AND table_schema=\"%s\"", table, db);
++ "WHERE table_name=%s AND table_schema=%s",
++ quote_for_equal(table, temp_buff2),
++ quote_for_equal(db, temp_buff));
+
+ if (mysql_query(mysql, query))
+ {
+diff --git a/mysql-test/main/mysqldump-system.result b/mysql-test/main/mysqldump-system.result
+index 5619ec70..b502bd8d 100644
+--- a/mysql-test/main/mysqldump-system.result
++++ b/mysql-test/main/mysqldump-system.result
+@@ -648,21 +648,21 @@ INSTALL PLUGIN test_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB';
+ /*M!100401 UNINSTALL PLUGIN IF EXIST cleartext_plugin_server */;
+ INSTALL PLUGIN cleartext_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB';
+ DELIMITER |
+-/*M!100101 IF current_user()="'mariadb.sys'@'localhost'" THEN
++/*M!100101 IF current_user()='''mariadb.sys''@''localhost''' THEN
+ SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'mariadb.sys'@'localhost''";
+ END IF */|
+ DELIMITER ;
+ /*!50701 DROP USER IF EXISTS 'mariadb.sys'@'localhost' */;
+ CREATE /*M!100103 OR REPLACE */ USER `mariadb.sys`@`localhost` PASSWORD EXPIRE;
+ DELIMITER |
+-/*M!100101 IF current_user()="'root'@'localhost'" THEN
++/*M!100101 IF current_user()='''root''@''localhost''' THEN
+ SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'root'@'localhost''";
+ END IF */|
+ DELIMITER ;
+ /*!50701 DROP USER IF EXISTS 'root'@'localhost' */;
+ CREATE /*M!100103 OR REPLACE */ USER `root`@`localhost`;
+ DELIMITER |
+-/*M!100101 IF current_user()="'foobar'@'%'" THEN
++/*M!100101 IF current_user()='''foobar'@'%''' THEN
+ SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'foobar'@'%''";
+ END IF */|
+ DELIMITER ;
+diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result
+index ca9260f1..c55e5e49 100644
+--- a/mysql-test/main/mysqldump.result
++++ b/mysql-test/main/mysqldump.result
+@@ -6699,4 +6699,37 @@ CREATE TABLE `t1` (
+ /*!40101 SET character_set_client = @saved_cs_client */;
+ ERROR at line 9: Not allowed in the sandbox mode
+ drop table t1;
++#
++# MDEV-36268 mariadb-dump used wrong quoting character
++#
++create table t1 (a int);
++create view `v'1"2` as select * from t1 with check option;
++/*M!999999\- enable the sandbox mode */
++/*!40101 SET @saved_cs_client = @@character_set_client */;
++/*!40101 SET character_set_client = utf8mb4 */;
++CREATE TABLE `t1` (
++ `a` int(11) DEFAULT NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;
++/*!40101 SET character_set_client = @saved_cs_client */;
++SET @saved_cs_client = @@character_set_client;
++SET character_set_client = utf8mb4;
++/*!50001 CREATE VIEW `v'1"2` AS SELECT
++ 1 AS `a` */;
++SET character_set_client = @saved_cs_client;
++/*!50001 DROP VIEW IF EXISTS `v'1"2`*/;
++/*!50001 SET @saved_cs_client = @@character_set_client */;
++/*!50001 SET @saved_cs_results = @@character_set_results */;
++/*!50001 SET @saved_col_connection = @@collation_connection */;
++/*!50001 SET character_set_client = utf8 */;
++/*!50001 SET character_set_results = utf8 */;
++/*!50001 SET collation_connection = utf8_general_ci */;
++/*!50001 CREATE ALGORITHM=UNDEFINED */
++/*!50013 DEFINER=`root`@`localhost` SQL SECURITY DEFINER */
++/*!50001 VIEW `v'1"2` AS select `t1`.`a` AS `a` from `t1` */
++/*!50002 WITH CASCADED CHECK OPTION */;
++/*!50001 SET character_set_client = @saved_cs_client */;
++/*!50001 SET character_set_results = @saved_cs_results */;
++/*!50001 SET collation_connection = @saved_col_connection */;
++drop view `v'1"2`;
++drop table t1;
+ # End of 10.5 tests
+diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test
+index 9248f2ac..64d73ad3 100644
+--- a/mysql-test/main/mysqldump.test
++++ b/mysql-test/main/mysqldump.test
+@@ -3003,4 +3003,13 @@ EOF
+ --remove_file $MYSQLTEST_VARDIR/tmp/mdev33727.sql
+ drop table t1;
+
++--echo #
++--echo # MDEV-36268 mariadb-dump used wrong quoting character
++--echo #
++create table t1 (a int);
++create view `v'1"2` as select * from t1 with check option; # "'
++--exec $MYSQL_DUMP --compact test
++drop view `v'1"2`; # "'
++drop table t1;
++
+ --echo # End of 10.5 tests
+--
+2.40.0
+
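Review bot: In dump_all_users_roles_and_grants the new `char buf[200];` is passed to `quote_for_equal(row[0],buf)`, which takes no length argument and, going by the lines visible in the first mysqldump.c hunk, can write up to two bytes per input byte plus the two quotes and the terminator. Nothing in the hunk bounds `strlen(row[0])`, whereas get_view_structure sizes its new buffers as `NAME_LEN*2 + 3`; a guard such as `if (strlen(row[0])*2 + 3 > sizeof(buf)) { result= 1; continue; }` ahead of the fprintf, or a buffer sized from the account-name limits, would make the bound explicit. The same fprintf still interpolates the raw `row[0]` into the double-quoted `MESSAGE_TEXT=\"Don't remove current user %s'\"` literal, so the quoting problem this patch corrects for `current_user()=` appears to remain there. In mysqldump-system.result the expected line `current_user()='''foobar'@'%'''` does not double the inner quotes the way the two entries above it do, which looks inconsistent with the doubling in quote_for_equal and should be checked against the upstream commit. Both C functions begin and end outside the hunks shown, so the bound on `row[0]` may be established elsewhere.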