GNU bug report logs - #47257
mariadb is vulnerable to CVE-2021-27928 (RCE)


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 19 Mar 2021 10:26:02 UTC

Severity: normal

Tags: security

Done: Léo Le Bouter <lle-bout <at> zaclys.net>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: bug#47257: closed (Re: bug#47257: [PATCH v3] gnu: mariadb: Fix
 CVE-2021-27928.)
Date: Fri, 26 Mar 2021 01:24:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 47257 <at> debbugs.gnu.org.

-- 
47257: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47257
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Mark H Weaver <mhw <at> netris.org>, 47257-done <at> debbugs.gnu.org
Subject: Re: bug#47257: [PATCH v3] gnu: mariadb: Fix CVE-2021-27928.
Date: Fri, 26 Mar 2021 02:23:47 +0100
[Message part 3 (text/plain, inline)]
On Thu, 2021-03-25 at 21:16 -0400, Mark H Weaver wrote:
> 
> Looks good to me.  Please push.  Thank you!
> 
>      Mark

Thank you for the review, pushed as
52c8d07a4f7033534a71ac7efeec21a65d35c125.
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Fri, 19 Mar 2021 11:25:31 +0100
[Message part 6 (text/plain, inline)]
CVE-2021-27928	04:15
A remote code execution issue was discovered in MariaDB 10.2 before
10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before
10.5.9; Percona Server through 2021-03-03; and the wsrep patch through
2021-03-03 for MySQL. An untrusted search path leads to eval injection,
in which a database SUPER user can execute OS commands after modifying
wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an
Oracle product.

From https://jira.mariadb.org/browse/MDEV-25179 it looks like 10.5.9
fixes it for us since we package 10.5.8 currently.

However:

$ ./pre-inst-env guix refresh -l mariadb
Building the following 552 packages would ensure 1047 dependent
packages are rebuilt:
[..]

Is it possible to graft mariadb you think? I am thinking this issue
doesn't need updating of the "lib" output which is what's causing the
high number of dependents AIUI. I am not sure we could actually update
individual outputs right now though. Might be a good idea to split the
packages for the future.

Léo
[signature.asc (application/pgp-signature, inline)]
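The advisory quoted in the report gives explicit affected ranges (10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, 10.5 before 10.5.9) and names the two server variables whose modification by a SUPER user is the precondition for the issue. The following Python is an added example, not part of this bug report or of Guix: it checks a MariaDB version string against those ranges (so a packager can confirm that 10.5.8 is inside the affected range and 10.5.9 is not) and flags runtime changes to `wsrep_provider` or `wsrep_notify_cmd` in general-query-log lines. The log line layout and the `SET GLOBAL` / `SET @@global.` statement forms are assumptions made for the example; the sample lines are constructed.

```python
"""Assess a MariaDB version against the affected ranges stated in the
CVE-2021-27928 advisory and flag runtime changes to the two wsrep
variables it names.  Added example; not code from the Guix bug report."""
import re

# Fixed releases as stated in the advisory text: versions below these
# in the same series are affected.  Series not listed here are unknown.
FIXED_VERSIONS = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}


def parse_version(text):
    """Turn '10.5.8-MariaDB' or '10.5.8' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version is in an affected range, False if it is at or
    above the fixed release, None if the advisory does not cover the series."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


# Assumed statement forms for changing a global variable at runtime:
# "SET GLOBAL wsrep_notify_cmd = ..." or "SET @@global.wsrep_provider = ...".
WSREP_SETTERS = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|@@global\.)?(wsrep_provider|wsrep_notify_cmd)\s*=",
    re.IGNORECASE,
)


def find_wsrep_changes(log_lines):
    """Return (line_number, variable) pairs for log lines whose statement
    changes wsrep_provider or wsrep_notify_cmd.  A change to either of these
    by a SUPER user is the precondition the advisory describes, so each hit
    deserves review against the change records for that server."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = WSREP_SETTERS.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed general-query-log-style lines (format is an assumption).
SAMPLE_LOG = [
    "210319 10:26:02     12 Query     SELECT 1",
    "210319 10:26:03     12 Query     SET GLOBAL wsrep_notify_cmd='/opt/hooks/notify.sh'",
    "210319 10:26:04     13 Query     SET @@global.wsrep_provider='/usr/lib/libgalera_smm.so'",
    "210319 10:26:05     13 Query     SHOW VARIABLES LIKE 'wsrep_provider'",
]


if __name__ == "__main__":
    for v in ("10.5.8-MariaDB", "10.5.9", "10.2.36", "10.6.0"):
        print(f"{v:16} affected: {is_affected(v)}")
    for line_no, var in find_wsrep_changes(SAMPLE_LOG):
        print(f"line {line_no}: runtime change to {var}")
```

Only a `SHOW` of the variable is ignored; the pattern fires on statements that assign to either variable, whichever of the two global-assignment spellings is used, and the version check returns `None` for series the advisory does not mention rather than guessing.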
