mariadb: fix CVE-2024-21096

Vulnerability in the MySQL Server product of Oracle MySQL (component:
Client: mysqldump). Supported versions that are affected are 8.0.36
and prior and 8.3.0 and prior. Difficult to exploit vulnerability
allows unauthenticated attacker with logon to the infrastructure
where MySQL Server executes to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of MySQL Server accessible data as
well as unauthorized read access to a subset of MySQL Server accessible
data and unauthorized ability to cause a partial denial of service
(partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality,
Integrity and Availability impacts).

CVE-2024-21096-0001, CVE-2024-21096-0002 are CVE fixes and rest are
regression fixes.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-21096
https://security-tracker.debian.org/tracker/CVE-2024-21096

Upstream patches:
13663cb5c4
1c425a8d85
77c4c0f256
d60f5c11ea
d20518168a

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-oe/recipes-dbs/mysql/mariadb.inc

@@ -28,6 +28,11 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
            file://CVE-2023-52969-CVE-20230-52970-0002.patch \
            file://CVE-2023-52969-CVE-20230-52970-0003.patch \
            file://CVE-2023-52969-CVE-20230-52970-0004.patch \
+           file://CVE-2024-21096-0001.patch \
+           file://CVE-2024-21096-0002.patch \
+           file://CVE-2024-21096-0003.patch \
+           file://CVE-2024-21096-0004.patch \
+           file://CVE-2024-21096-0005.patch \
           "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
 

meta-oe/recipes-dbs/mysql/mariadb/CVE-2024-21096-0002.patch

@@ -0,0 +1,38 @@
+From 1c425a8d854061d1987ad4ea352c7270652e31c4 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Wed, 8 May 2024 10:31:28 +0200
+Subject: [PATCH] MDEV-33727 update test results
+
+followup for 13663cb5c455
+
+CVE: CVE-2024-21096
+Upstream-status: Backport [https://github.com/MariaDB/server/commit/1c425a8d854061d1987ad4ea352c7270652e31c4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ mysql-test/suite/s3/mysqldump.result | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mysql-test/suite/s3/mysqldump.result b/mysql-test/suite/s3/mysqldump.result
+index 3f4c2081..e0c0caf6 100644
+--- a/mysql-test/suite/s3/mysqldump.result
++++ b/mysql-test/suite/s3/mysqldump.result
+@@ -4,6 +4,7 @@ alter table t1 engine=S3;
+ #####
+ # mysqldump with --copy-s3-tables=0 (by default)
+ ###
++/*!999999\- enable the sandbox mode */ 
+ #####
+ # mysqldump with --copy-s3-tables=0 (by default) XML
+ ###
+@@ -15,6 +16,7 @@ alter table t1 engine=S3;
+ #####
+ # mysqldump with --copy-s3-tables=1
+ ###
++/*!999999\- enable the sandbox mode */ 
+ /*!40101 SET @saved_cs_client     = @@character_set_client */;
+ /*!40101 SET character_set_client = utf8 */;
+ CREATE TABLE `t1` (
+-- 
+2.40.0
+

meta-oe/recipes-dbs/mysql/mariadb/CVE-2024-21096-0003.patch

@@ -0,0 +1,138 @@
+From 77c4c0f256f3c268d3f72625b04240d24a70513c Mon Sep 17 00:00:00 2001
+From: Oleksandr Byelkin <sanja@mariadb.com>
+Date: Fri, 7 Jun 2024 12:13:21 +0200
+Subject: [PATCH] MDEV-34203 Sandbox mode \- is not compatible with 
+ --binary-mode
+
+"Process" sandbox short command put by masqldump to avoid an error.
+
+CVE: CVE-2024-21096
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/77c4c0f256f3c268d3f72625b04240d24a70513c]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ client/mysql.cc              | 30 +++++++++++++++++++++++++-----
+ mysql-test/main/mysql.result | 11 +++++++++++
+ mysql-test/main/mysql.test   | 16 ++++++++++++++++
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/client/mysql.cc b/client/mysql.cc
+index 10f25966..0bb56510 100644
+--- a/client/mysql.cc
++++ b/client/mysql.cc
+@@ -1112,6 +1112,8 @@ inline int get_command_index(char cmd_char)
+ 
+ static int delimiter_index= -1;
+ static int charset_index= -1;
++static int sandbox_index= -1;
++
+ static bool real_binary_mode= FALSE;
+ 
+ 
+@@ -1122,7 +1124,8 @@ int main(int argc,char *argv[])
+   MY_INIT(argv[0]);
+   DBUG_ENTER("main");
+   DBUG_PROCESS(argv[0]);
+-  
++
++  sandbox_index= get_command_index('-');
+   charset_index= get_command_index('C');
+   delimiter_index= get_command_index('d');
+   delimiter_str= delimiter;
+@@ -2237,8 +2240,9 @@ static int read_and_execute(bool interactive)
+ 
+ /**
+    It checks if the input is a short form command. It returns the command's
+-   pointer if a command is found, else return NULL. Note that if binary-mode
+-   is set, then only \C is searched for.
++   pointer if a command is found, else return NULL.
++
++   Note that if binary-mode is set, then only \C and \- are searched for.
+ 
+    @param cmd_char    A character of one byte.
+ 
+@@ -2253,13 +2257,23 @@ static COMMANDS *find_command(char cmd_char)
+   int index= -1;
+ 
+   /*
+-    In binary-mode, we disallow all mysql commands except '\C'
+-    and DELIMITER.
++    In binary-mode, we disallow all client commands except '\C'
++    DELIMITER (see long comand finding find_command(char *))
++    and  '\-' (sandbox, see following comment).
+   */
+   if (real_binary_mode)
+   {
+     if (cmd_char == 'C')
+       index= charset_index;
++    /*
++       binary-mode enforces stricter controls compared to sandbox mode.
++       Whether sandbox mode is enabled or not is irrelevant when
++       binary-mode is active.
++       The only purpose of processing sandbox mode here is to avoid error
++       messages on files made by mysqldump.
++    */
++    else if (cmd_char == '-')
++      index= sandbox_index;
+   }
+   else
+     index= get_command_index(cmd_char);
+@@ -2315,6 +2329,12 @@ static COMMANDS *find_command(char *name)
+     len= (uint) strlen(name);
+ 
+   int index= -1;
++  /*
++    In binary-mode, we disallow all client commands except DELIMITER
++    and short commands '\C' and  '\-' (see short command finding
++    find_command(char)).
++  */
++
+   if (real_binary_mode)
+   {
+     if (is_delimiter_command(name, len))
+diff --git a/mysql-test/main/mysql.result b/mysql-test/main/mysql.result
+index c2e42fda..b983f009 100644
+--- a/mysql-test/main/mysql.result
++++ b/mysql-test/main/mysql.result
+@@ -639,3 +639,14 @@ drop table t1;
+ WARNING: option '--enable-cleartext-plugin' is obsolete.
+ 1
+ 1
++#
++# MDEV-34203: Sandbox mode \- is not compatible with --binary-mode
++#
++create table t1 (a int);
++drop table t1;
++show create table t1;
++Table	Create Table
++t1	CREATE TABLE `t1` (
++  `a` int(11) DEFAULT NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
++drop table t1;
+diff --git a/mysql-test/main/mysql.test b/mysql-test/main/mysql.test
+index 0f41add8..553398fd 100644
+--- a/mysql-test/main/mysql.test
++++ b/mysql-test/main/mysql.test
+@@ -716,3 +716,19 @@ drop table t1;
+ #
+ --echo
+ --exec $MYSQL test --enable-cleartext-plugin -e "select 1"
++
++--echo #
++--echo # MDEV-34203: Sandbox mode \- is not compatible with --binary-mode
++--echo #
++
++create table t1 (a int);
++
++--exec $MYSQL_DUMP test t1 > $MYSQLTEST_VARDIR/tmp/MDEV-34203.sql
++
++drop table t1;
++
++--exec $MYSQL --binary-mode test 2>&1 < $MYSQLTEST_VARDIR/tmp/MDEV-34203.sql
++
++show create table t1;
++drop table t1;
++--remove_file $MYSQLTEST_VARDIR/tmp/MDEV-34203.sql
+-- 
+2.40.0
+