Hello community, here is the log from the commit of package mariadb for openSUSE:Factory checked in at 2017-02-20 13:11:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mariadb (Old) and /work/SRC/openSUSE:Factory/.mariadb.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mariadb" Changes: -------- --- /work/SRC/openSUSE:Factory/mariadb/mariadb.changes 2017-02-03 17:49:48.765933195 +0100 +++ /work/SRC/openSUSE:Factory/.mariadb.new/mariadb.changes 2017-02-20 13:11:54.375371422 +0100 @@ -1,0 +2,24 @@ +Fri Feb 3 18:02:42 UTC 2017 - [email protected] + +- update to MariaDB 10.1.21 + * notable changes: + * Innodb updated to 5.6.35 + * Performance Schema updated to 5.6.35 + * release notes and changelog: + * https://mariadb.com/kb/en/mariadb/mariadb-10121-release-notes/ + * https://mariadb.com/kb/en/mariadb/mariadb-10121-changelog/ + * fixes the following CVEs: + CVE-2017-3318 [bsc#1020896], CVE-2017-3317 [bsc#1020894], + CVE-2017-3312 [bsc#1020873], CVE-2017-3291 [bsc#1020884], + CVE-2017-3265 [bsc#1020885], CVE-2017-3258 [bsc#1020875], + CVE-2017-3257 [bsc#1020878], CVE-2017-3244 [bsc#1020877], + CVE-2017-3243 [bsc#1020891], CVE-2017-3238 [bsc#1020882], + CVE-2016-6664 [bsc#1008253] +- add mariadb.te file to the filelist +- add mysqld_safe_helper to the filelist +- refresh mariadb-10.1.4-group.patch +- add mariadb-10.1.20-incorrect_list_handling.patch to fix incorrect + linked list handling in mysql_prune_stmt_list() function that can + cause use-after-free error [bsc#1022428] + +------------------------------------------------------------------- Old: ---- mariadb-10.1.20.tar.gz New: ---- mariadb-10.1.21.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mariadb.spec ++++++ --- /var/tmp/diff_new_pack.suxV9y/_old 2017-02-20 13:11:57.258965516 +0100 +++ /var/tmp/diff_new_pack.suxV9y/_new 2017-02-20 13:11:57.262964952 +0100 @@ -43,7 +43,7 @@ %define with_cassandra 0 %endif Name: mariadb -Version: 10.1.20 +Version: 10.1.21 Release: 0 Summary: Server part of %{pretty_name} License: SUSE-GPL-2.0-with-FLOSS-exception 
@@ -486,7 +486,7 @@ # Generate various filelists filelist innochecksum my_print_defaults myisam_ftdump myisamchk myisamlog myisampack mysql_fix_extensions mysql_fix_privilege_tables mysql_ssl_rsa_setup mysql_install_db mysql_secure_installation mysql_upgrade mysqlbug mysqld mysqld_multi mysqld_safe mysqlbinlog mysqldumpslow mysqlmanager mroonga resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack {m,}aria_read_log xtstat tokuft_logprint tokuftdump >mysql.files -filelist mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow mysql_config_editor >mysql-client.files +filelist mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow mysql_config_editor mysqld_safe_helper >mysql-client.files # The dialog stuff is mariadb only if [ "`ls '%{buildroot}'%{_libdir}/mysql/plugin/dialog*.so 2> /dev/null`" ]; then echo '%%dir %%_libdir/mysql' >> mysql-client.files @@ -782,6 +782,7 @@ %dir %{_datadir}/mysql/policy/selinux %{_datadir}/mysql/policy/selinux/README %{_datadir}/mysql/policy/selinux/mariadb-server.* +%{_datadir}/mysql/policy/selinux/mariadb.te %dir %{_datadir}/mysql/systemd %{_datadir}/mysql/systemd/mariadb.service %{_datadir}/mysql/systemd/[email protected] ++++++ configuration-tweaks.tar.xz ++++++ ++++++ mariadb-10.1.20.tar.gz -> mariadb-10.1.21.tar.gz ++++++ /work/SRC/openSUSE:Factory/mariadb/mariadb-10.1.20.tar.gz /work/SRC/openSUSE:Factory/.mariadb.new/mariadb-10.1.21.tar.gz differ: char 5, line 1 ++++++ mysql-patches.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mysql-patches/mysql-patches/mariadb-10.1.20-incorrect_list_handling.patch new/mysql-patches/mysql-patches/mariadb-10.1.20-incorrect_list_handling.patch --- old/mysql-patches/mysql-patches/mariadb-10.1.20-incorrect_list_handling.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/mysql-patches/mysql-patches/mariadb-10.1.20-incorrect_list_handling.patch 2017-01-31 11:05:33.433560970 +0100 
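Review bot: `mysqld_safe_helper` is added to the `>mysql-client.files` list in the -486,7 +486,7 hunk, while `mysqld_safe`, the script it presumably serves, is listed in `>mysql.files` on the line above. Shipping a server-side helper in the client subpackage installs it on every client-only system, and it makes the server start-up path depend on a file owned by another package. Unless that split is intended, I would list it next to its caller, i.e. `... mysqld_multi mysqld_safe mysqld_safe_helper mysqlbinlog ... >mysql.files`, and leave the `>mysql-client.files` line as it was. The filelist section continues outside the hunk, so whether the server package always pulls in the client package cannot be confirmed from here.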
@@ -0,0 +1,77 @@
+PATCH-P1-FIX: Fix incorrect linked list handling
+
+More information can be found below.
+
+Maintainer: Kristyna Streitova <[email protected]>
+
+From 4797ea0b772d5f4c5889bc552424132806f46e93 Mon Sep 17 00:00:00 2001
+From: Nisha Gopalakrishnan <[email protected]>
+Date: Mon, 21 Jul 2014 21:21:15 +0530
+Subject: [PATCH] BUG#17512527: LIST HANDLING INCORRECT IN
+ MYSQL_PRUNE_STMT_LIST()
+
+Analysis:
+---------
+Invalid memory access maybe observed when using prepared statements if:
+a) The mysql client connection is lost after statement preparation
+ is complete and
+b) There is at least one statement which is in initialized state but
+ not prepared yet.
+
+When the client detects a closed connection, it calls end_server()
+to shutdown the connection. As part of the clean up, the
+mysql_prune_stmt_list() removes the statements which has transitioned
+beyond the initialized state and retains only the statements which
+are in a initialized state. During this processing, the initialized
+statements are moved from 'mysql->stmts' to a temporary 'pruned_list'.
+When moving the first 'INIT_DONE' element to the pruned_list,
+'element->next' is set to NULL. Hence the rest of the list is never
+traversed and the statements which have transitioned beyond the
+initialized state are never invalidated.
+
+When the mysql_stmt_close() is called for the statement which is not
+invalidated; the statements list is updated in order to remove the
+statement. This would end up accessing freed memory(freed by the
+mysql_stmt_close() for a previous statement in the list).
+
+Fix:
+---
+mysql_prune_stmt_list() called list_add() incorrectly to create a
+temporary list. The use case of list_add() is to add a single
+element to the front of the doubly linked list.
+mysql_prune_stmt_list() called list_add() by passing an entire
+list as the 'element'.
+
+mysql_prune_stmt_list() now uses list_delete() to remove the
+statement which has transitioned beyond the initialized phase.
+Thus the statement list would contain only elements where the +the state of the statement is initialized. + +Note: Run the test with valgrind-mysqltest and leak-check=full +option to see the invalid memory access. +--- + +diff --git a/sql-common/client.c b/sql-common/client.c +index eefb8a8..012292f 100644 +--- a/sql-common/client.c ++++ b/sql-common/client.c +@@ -3985,12 +3985,15 @@ static void mysql_close_free(MYSQL *mysql) + */ + static void mysql_prune_stmt_list(MYSQL *mysql) + { +- LIST *element= mysql->stmts; +- LIST *pruned_list= 0; ++ LIST *pruned_list= NULL; + +- for (; element; element= element->next) ++ while(mysql->stmts) + { +- MYSQL_STMT *stmt= (MYSQL_STMT *) element->data; ++ LIST *element= mysql->stmts; ++ MYSQL_STMT *stmt; ++ ++ mysql->stmts= list_delete(element, element); ++ stmt= (MYSQL_STMT *) element->data; + if (stmt->state != MYSQL_STMT_INIT_DONE) + { + stmt->mysql= 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mysql-patches/mysql-patches/mariadb-10.1.4-group.patch new/mysql-patches/mysql-patches/mariadb-10.1.4-group.patch --- old/mysql-patches/mysql-patches/mariadb-10.1.4-group.patch 2016-10-24 18:01:09.131171359 +0200 +++ new/mysql-patches/mysql-patches/mariadb-10.1.4-group.patch 2017-02-03 15:48:33.836935430 +0100 @@ -9,7 +9,7 @@ =================================================================== --- scripts/mysqld_safe.sh.orig +++ scripts/mysqld_safe.sh -@@ -28,6 +28,7 @@ logging=init +@@ -29,6 +29,7 @@ logging=init want_syslog=0 syslog_tag= user='@MYSQLD_USER@' @@ -17,7 +17,7 @@ pid_file= err_log= err_log_base= -@@ -289,6 +290,7 @@ parse_arguments() { +@@ -308,6 +309,7 @@ parse_arguments() { --pid[-_]file=*) pid_file="$val" ;; --plugin[-_]dir=*) PLUGIN_DIR="$val" ;; --user=*) user="$val"; SET_USER=1 ;; 
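Review bot: In the new `while(mysql->stmts)` loop of mysql_prune_stmt_list(), `element->data` is read only after `list_delete(element, element)` has run, so the code relies on list_delete() merely unlinking the node and never freeing it. Because this patch exists to close a use-after-free, that assumption deserves a comment at the call, for example `/* list_delete() only unlinks the node; it does not free element */`. Alternatively the read can move above the unlink, `stmt= (MYSQL_STMT *) element->data;` followed by `mysql->stmts= list_delete(element, element);`, which makes the ordering safe by construction. The patch also carries no regression test; its description only mentions a manual valgrind run. The function body continues past the end of the hunk, so how `pruned_list` is rebuilt is not visible here.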
@@ -25,26 +25,15 @@ --log[-_]basename=*|--hostname=*|--loose[-_]log[-_]basename=*) pid_file="$val.pid"; err_log_base="$val"; -@@ -748,11 +750,17 @@ then +@@ -737,6 +739,7 @@ then if test "$user" != "root" -o $SET_USER = 1 then USER_OPTION="--user=$user" + GROUP_OPTION="--group=$group" fi - # Change the err log to the right user, if it is in use - if [ $want_syslog -eq 0 ]; then - touch "$err_log" -- chown $user "$err_log" -+ if [ "$user" -a "$group" ]; then -+ chown $user:$group $err_log -+ else -+ [ "$user" ] && chown $user $err_log -+ [ "$group" ] && chgrp $group $err_log -+ fi - fi if test -n "$open_files" then -@@ -775,7 +783,12 @@ then +@@ -759,7 +762,12 @@ then log_error "Fatal error Can't create database directory '$mysql_unix_port'" exit 1 fi @@ -70,7 +59,7 @@ force=0 in_rpm=0 -@@ -71,6 +72,11 @@ Usage: $0 [OPTIONS] +@@ -88,6 +89,11 @@ Usage: $0 [OPTIONS] user. You must be root to use this option. By default mysqld runs using your current login name and files and directories that it creates will be owned by you. @@ -82,7 +71,7 @@ All other options are passed to the mysqld program -@@ -118,11 +124,11 @@ parse_arguments() +@@ -135,11 +141,11 @@ parse_arguments() --builddir=*) builddir=`parse_arg "$arg"` ;; --srcdir=*) srcdir=`parse_arg "$arg"` ;; --ldata=*|--datadir=*|--data=*) ldata=`parse_arg "$arg"` ;; @@ -96,7 +85,7 @@ --skip-name-resolve) ip_only=1 ;; --verbose) verbose=1 ;; # Obsolete --rpm) in_rpm=1 ;; -@@ -392,7 +398,12 @@ do +@@ -420,7 +426,12 @@ do fi if test -n "$user" then @@ -110,7 +99,7 @@ if test $? -ne 0 then echo "Cannot change ownership of the database directories to the '$user'" -@@ -407,6 +418,11 @@ then +@@ -435,6 +446,11 @@ then args="$args --user=$user" fi ++++++ series ++++++ --- /var/tmp/diff_new_pack.suxV9y/_old 2017-02-20 13:11:57.770893454 +0100 +++ /var/tmp/diff_new_pack.suxV9y/_new 2017-02-20 13:11:57.770893454 +0100 
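Review bot: The hunk at -25,26 +25,15 is more than a refresh: it drops the block that replaced `chown $user "$err_log"` with the `chown $user:$group $err_log` / `chgrp $group $err_log` variant, so the patch no longer gives the error log the configured group. The changes entry says only "refresh mariadb-10.1.4-group.patch"; I would record the dropped hunk and its reason in the patch header or the changelog, e.g. `- refresh mariadb-10.1.4-group.patch (drop err_log chown/chgrp hunk, no longer applies to mysqld_safe in 10.1.21)`. Presumably upstream removed the root-run touch/chown of the log as part of the CVE-2016-6664 fix listed in the same entry. If so, stating that explicitly tells the next maintainer not to reintroduce an unquoted, root-run `chown` on that path. The other hunks of this file appear to be offset updates only.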
@@ -10,3 +10,4 @@
 mariadb-10.1.12-fortify-and-O.patch
 mariadb-10.1.16-systemd-cmake.patch
 mariadb-10.1.18-mysql_install_db-mariadb_dirs.patch
+mariadb-10.1.20-incorrect_list_handling.patch
