mariadb: fix CVE-2023-52968

MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under mysql_derived_prepare when derived is not yet prepared, leading to a find_field_in_table crash. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-52968 Upstream patch: 74883f5e2f Fix indent issue in mariadb.inc file. Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-12 03:24:08 +00:00 · 2025-06-25 13:03:11 +05:30
parent 72f2dd38ca
commit c2140f3f2a
2 changed files with 108 additions and 1 deletions
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -22,7 +22,8 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
           file://cross-compiling.patch \
           file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
           file://0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch \
-	   file://CVE-2023-22084.patch \
+           file://CVE-2023-22084.patch \
+           file://CVE-2023-52968.patch \
          "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"

--- a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-52968.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-52968.patch
@@ -0,0 +1,106 @@
+From 74883f5e2f4c0e09f4f4e9e272a8e5bfd91a9489 Mon Sep 17 00:00:00 2001
+From: Aleksey Midenkov <midenok@gmail.com>
+Date: Thu, 9 Nov 2023 16:26:11 +0300
+Subject: [PATCH] MDEV-32082 Server crash in find_field_in_table
+
+Attempt to resolve FOR SYSTEM_TIME expression as field for derived
+table is done before derived table is fully prepared, so we fail on
+assertion that table_list->table is missing.
+
+Actually Vers_history_point::resolve_unit() is done under the call of
+mysql_derived_prepare() itself (sql_derived.cc:824) and the table is
+assigned later at 867.
+
+The fix disables unit resolution for field type in FOR SYSTEM_TIME
+expression as it does a little sense in any case: making historical
+queries based on variable field values produces the result of multiple
+time points.
+
+fix_fields_if_needed() in resolve_units() was introduced by 46be31982a4
+
+CVE: CVE-2023-52968
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/74883f5e2f4c0e09f4f4e9e272a8e5bfd91a9489]
+
+Changes:
+-Use old my_error API instead of new bad_expression_data_type_error API.
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ mysql-test/suite/versioning/r/select.result | 11 ++++++++++-
+ mysql-test/suite/versioning/t/select.test   | 12 +++++++++++-
+ sql/table.cc                                |  6 ++++++
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/mysql-test/suite/versioning/r/select.result b/mysql-test/suite/versioning/r/select.result
+index 90c99d1b..714455b6 100644
+--- a/mysql-test/suite/versioning/r/select.result
+++ b/mysql-test/suite/versioning/r/select.result
+@@ -443,7 +443,7 @@ create or replace table t1 (x int) with system versioning;
+ select * from t1 for system_time as of current_timestamp;
+ x
+ select * from t1 for system_time as of now;
+-ERROR 42S22: Unknown column 'now' in 'FOR SYSTEM_TIME'
+ERROR HY000: Illegal parameter data type now for operation 'FOR SYSTEM_TIME'
+ ### Issue #405, NATURAL JOIN failure
+ create or replace table t1 (a int) with system versioning;
+ create or replace table t2 (b int);
+@@ -708,3 +708,12 @@ No	A	B	C	D
+ 33	1	1	1	1
+ 34	1	1	1	1
+ SET GLOBAL innodb_stats_persistent = @saved_stats_persistent;
+#
+# MDEV-32082 Server crash in find_field_in_table
+#
+create table t0 (c0 int) with system versioning;
+select x0 from (
+select c0 x0 from t0
+) for system_time as of nowasdf deriv;
+ERROR HY000: Illegal parameter data type nowasdf for operation 'FOR SYSTEM_TIME'
+drop table t0;
+diff --git a/mysql-test/suite/versioning/t/select.test b/mysql-test/suite/versioning/t/select.test
+index 9142a8fa..5603d1a3 100644
+--- a/mysql-test/suite/versioning/t/select.test
+++ b/mysql-test/suite/versioning/t/select.test
+@@ -314,7 +314,7 @@ select * from t1 where (a, 2) in ((1, 1), (2, 2)) and b = 1;
+ --echo ### Issue #398, NOW is now non-magic
+ create or replace table t1 (x int) with system versioning;
+ select * from t1 for system_time as of current_timestamp;
+---error ER_BAD_FIELD_ERROR
+--error ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION
+ select * from t1 for system_time as of now;
+
+ --echo ### Issue #405, NATURAL JOIN failure
+@@ -487,4 +487,14 @@ call verify_trt_dummy(34);
+
+ SET GLOBAL innodb_stats_persistent = @saved_stats_persistent;
+
+--echo #
+--echo # MDEV-32082 Server crash in find_field_in_table
+--echo #
+create table t0 (c0 int) with system versioning;
+--error ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION
+select x0 from (
+  select c0 x0 from t0
+) for system_time as of nowasdf deriv;
+drop table t0;
+
+ -- source suite/versioning/common_finish.inc
+diff --git a/sql/table.cc b/sql/table.cc
+index e0e06702..81a5674a 100644
+--- a/sql/table.cc
+++ b/sql/table.cc
+@@ -10326,6 +10326,12 @@ bool Vers_history_point::check_unit(THD *thd)
+ {
+   if (!item)
+     return false;
+  if (item->real_type() == Item::FIELD_ITEM)
+  {
+    my_error(ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION, MYF(0),
+             item->full_name(), "FOR SYSTEM_TIME");
+    return true;
+  }
+   if (item->fix_fields_if_needed(thd, &item))
+     return true;
+   const Type_handler *t= item->this_item()->real_type_handler();
+--
+2.40.0