Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1106790,
regarding bookworm-pu: package mydumper/0.10.1-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1106790: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106790
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:mydumper
User: [email protected]
Usertags: pu
This is a targeted fix for CVE-2025-30224. I have not been able to reproduce the
issue with the provided PoC against mysql-server 10 from unstable, which is the
only version that ships the rewriter plugin that's needed. Presumably a specific
mysql server version is needed to reproduce the issue.
It however does not break anything, as I added autopkgtests to the package.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
diff -Nru mydumper-0.10.1/debian/changelog mydumper-0.10.1/debian/changelog
--- mydumper-0.10.1/debian/changelog 2021-02-09 21:49:25.000000000 +0100
+++ mydumper-0.10.1/debian/changelog 2025-05-29 22:11:53.000000000 +0200
@@ -1,3 +1,20 @@
+mydumper (0.10.1-1+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2025-30224:
+ - The MySQL C client library (libmysqlclient) allows authenticated remote
+ actors to read arbitrary files from client systems via a crafted server
+ response to LOAD LOCAL INFILE query, leading to sensitive information
+ disclosure when clients connect to untrusted MySQL servers without
+ explicitly disabling the local infile capability. Mydumper had the local
+ infile option enabled by default and does not have an option to disable
+ it. This can lead to an unexpected arbitrary file read if the Mydumper
+ tool connects to an untrusted server.
+ * Add autopkgtest integration tests
+ * Add debian/gbp.conf
+
+ -- Lee Garrett <[email protected]> Thu, 29 May 2025 22:11:53 +0200
+
mydumper (0.10.1-1) unstable; urgency=medium
* New upstream version 0.10.1
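Review bot: the entry describes the vulnerability but not the user-visible change it introduces: 0005-CVE-2025-30224.patch is meant to turn local infile off for every connection, and since the entry itself says mydumper "does not have an option to disable it", there is equally no option to re-enable it. Suggest one more bullet under the CVE item, e.g. ` - Local infile is now disabled unconditionally on the client connection.`, so the behaviour change is visible to users reading the changelog on upgrade.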
diff -Nru mydumper-0.10.1/debian/gbp.conf mydumper-0.10.1/debian/gbp.conf
--- mydumper-0.10.1/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/gbp.conf 2025-05-29 22:09:54.000000000 +0200
@@ -0,0 +1,10 @@
+# Configuration for git-buildpackage and affiliated tools
+
+[DEFAULT]
+debian-branch = debian/bookworm
+pristine-tar = True
+sign-tags = True
+upstream-branch = upstream/bookworm
+
+[import-orig]
+merge-mode = replace
diff -Nru mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch
mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch
--- mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch 1970-01-01
01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch 2025-05-29
22:02:21.000000000 +0200
@@ -0,0 +1,9 @@
+--- a/connection.c
++++ b/connection.c
+@@ -52,4 +52,6 @@
+ mysql_ssl_set(conn, key, cert, ca, capath, cipher);
+ mysql_options(conn, MYSQL_OPT_SSL_ENFORCE, &i);
+ #endif
++ /* unconditionally disable infile to fix CVE-2025-30224 */
++ mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);
+ }
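Review bot: the added call `+ mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);` does not disable local infile. For MYSQL_OPT_LOCAL_INFILE the argument is an optional pointer to unsigned int: a NULL pointer, or a pointer to a non-zero value, enables LOAD DATA LOCAL, and only a pointer to a zero value disables it (this is the documented mysql_options() behaviour in libmysqlclient and the same logic in MariaDB Connector/C, which 0003-ssl-mariadb-connector.patch suggests this build links against). As written, the comment `+ /* unconditionally disable infile to fix CVE-2025-30224 */` states the opposite of what the code does. Suggest `unsigned int local_infile = 0;` followed by `mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, &local_infile);`. Because the cover text says the PoC could not be reproduced before the change, nothing in this upload has confirmed the option is actually cleared; checking the resulting connection's client flags after mysql_real_connect() would settle it.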
diff -Nru mydumper-0.10.1/debian/patches/series
mydumper-0.10.1/debian/patches/series
--- mydumper-0.10.1/debian/patches/series 2021-02-09 21:46:48.000000000
+0100
+++ mydumper-0.10.1/debian/patches/series 2025-05-29 21:23:34.000000000
+0200
@@ -2,3 +2,4 @@
0002-dont-install-documentation-source.patch
0001-Link-mydumper-against-libm.patch
0003-ssl-mariadb-connector.patch
+0005-CVE-2025-30224.patch
diff -Nru mydumper-0.10.1/debian/tests/control
mydumper-0.10.1/debian/tests/control
--- mydumper-0.10.1/debian/tests/control 1970-01-01 01:00:00.000000000
+0100
+++ mydumper-0.10.1/debian/tests/control 2025-05-29 21:23:17.000000000
+0200
@@ -0,0 +1,6 @@
+Tests: integration-test.sh
+Depends: @,
+ default-mysql-server
+Restrictions:
+ isolation-machine,
+ needs-root,
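Review bot: `isolation-machine` is stronger than this test requires. The script only installs default-mysql-server and talks to the local server socket, which `isolation-container` covers, and on CI infrastructure that offers only container isolation an `isolation-machine` test is skipped rather than run, so the regression coverage the cover text relies on would not execute there. Suggest `isolation-container` unless the test is known to need a full VM.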
diff -Nru mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
--- mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
2025-05-29 21:23:17.000000000 +0200
@@ -0,0 +1,7 @@
+/*!40101 SET NAMES binary*/;
+/*!40014 SET FOREIGN_KEY_CHECKS=0*/;
+/*!40103 SET TIME_ZONE='+00:00' */;
+INSERT INTO `itd` VALUES
+(1,"foo"),
+(2,"bar"),
+(3,"baz");
diff -Nru mydumper-0.10.1/debian/tests/integration-test.sh
mydumper-0.10.1/debian/tests/integration-test.sh
--- mydumper-0.10.1/debian/tests/integration-test.sh 1970-01-01
01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration-test.sh 2025-05-29
21:23:17.000000000 +0200
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# This script will
+# - create a database
+# - dump this database with mydumper and compare it with the reference
+# - restore the dump to another database
+# - dump that other database with mydumper and compare it with the reference
+# - delete the database that were created.
+
+set -eu
+
+echo "pwd is $(pwd)"
+
+# check that it outputs something sensible and doesn't error out
+echo "### minimal functionality check of mydumper binary ###"
+mydumper -V | grep mydumper
+
+echo "### create a mariadb database, tables, and adding some values ###"
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian;'
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian2;'
+mysql -e 'CREATE TABLE itd (id INT AUTO_INCREMENT, words VARCHAR(50), PRIMARY
KEY (id));' integration_test_debian
+mysql -e 'INSERT INTO itd (words) VALUES ("foo"), ("bar"), ("baz");'
integration_test_debian
+
+echo "\n\n### Dump the database we just created ###"
+mydumper --database integration_test_debian -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+myloader --database integration_test_debian2 --directory $(ls -1td ./export-*
| head -n 1)
+
+echo '\n\n### sleep for 2 seconds to make sure the export dir increments ###'
+sleep 2
+
+echo "\n\n### Dump the new database we just restored ###"
+mydumper --database integration_test_debian2 -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian2.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+echo "\n\n### Cleaning up databases ###"
+mysql -e 'drop database integration_test_debian;'
+mysql -e 'drop database integration_test_debian2;'
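Review bot: the script checks that dump and restore still round-trip, but nothing in it exercises the CVE-2025-30224 change itself, so a regression in that patch (or a patch that never takes effect) passes this test unchanged; the cover text's "does not break anything" is all it can show. Two robustness points as well: `+echo "\n\n### Dump the database we just created ###"` relies on dash's echo interpreting backslash escapes, which POSIX leaves implementation-defined, so `printf '\n\n### ... ###\n'` is the portable form; and selecting the export directory with `sleep 2` and the unquoted `$(ls -1td ./export-* | head -n 1)` is racy and breaks on paths with whitespace, so pass an explicit `--outputdir` to each mydumper call and reuse that path for myloader's `--directory`.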
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.
--- End Message ---