aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--databases/mariadb55-client/files/patch-CVE-2017-3302124
-rw-r--r--databases/mariadb55-server/Makefile6
-rw-r--r--databases/mariadb55-server/files/patch-CVE-2017-3302124
3 files changed, 251 insertions, 3 deletions
diff --git a/databases/mariadb55-client/files/patch-CVE-2017-3302 b/databases/mariadb55-client/files/patch-CVE-2017-3302
new file mode 100644
index 000000000000..87d08f1d8f93
--- /dev/null
+++ b/databases/mariadb55-client/files/patch-CVE-2017-3302
@@ -0,0 +1,124 @@
+From eef21014898d61e77890359d6546d4985d829ef6 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 16 Feb 2017 11:32:47 +0100
+Subject: [PATCH] MDEV-11933 Wrong usage of linked list in
+ mysql_prune_stmt_list
+
+mysql_prune_stmt_list() was walking the list following
+element->next pointers, but inside the loop it was invoking
+list_add(element) that modified element->next. So, mysql_prune_stmt_list()
+failed to visit and reset all elements, and some of them were left
+with pointers to invalid MYSQL.
+---
+ sql-common/client.c | 11 ++---------
+ tests/mysql_client_test.c | 50 +++++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 50 insertions(+), 11 deletions(-)
+
+diff --git a/sql-common/client.c b/sql-common/client.c
+index c2e0cc3..b348afc 100644
+--- sql-common/client.c.orig
++++ sql-common/client.c
+@@ -1,5 +1,5 @@
+ /* Copyright (c) 2003, 2016, Oracle and/or its affiliates.
+- Copyright (c) 2009, 2016, MariaDB
++ Copyright (c) 2009, 2017, MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -3819,8 +3819,6 @@ static void mysql_close_free(MYSQL *mysql)
+ static void mysql_prune_stmt_list(MYSQL *mysql)
+ {
+ LIST *element= mysql->stmts;
+- LIST *pruned_list= 0;
+-
+ for (; element; element= element->next)
+ {
+ MYSQL_STMT *stmt= (MYSQL_STMT *) element->data;
+@@ -3830,14 +3828,9 @@ static void mysql_prune_stmt_list(MYSQL *mysql)
+ stmt->last_errno= CR_SERVER_LOST;
+ strmov(stmt->last_error, ER(CR_SERVER_LOST));
+ strmov(stmt->sqlstate, unknown_sqlstate);
+- }
+- else
+- {
+- pruned_list= list_add(pruned_list, element);
++ mysql->stmts= list_delete(mysql->stmts, element);
+ }
+ }
+-
+- mysql->stmts= pruned_list;
+ }
+
+
+diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
+index 446018e..f62545d 100644
+--- tests/mysql_client_test.c.orig
++++ tests/mysql_client_test.c
+@@ -1,5 +1,5 @@
+-/* Copyright (c) 2002, 2012, Oracle and/or its affiliates.
+- Copyright (c) 2008, 2012, Monty Program Ab
++/* Copyright (c) 2002, 2014, Oracle and/or its affiliates.
++ Copyright (c) 2008, 2017, MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -19031,6 +19031,49 @@ static void test_mdev4326()
+ myquery(rc);
+ }
+
++
++/**
++ BUG#17512527: LIST HANDLING INCORRECT IN MYSQL_PRUNE_STMT_LIST()
++*/
++static void test_bug17512527()
++{
++ MYSQL *conn;
++ MYSQL_STMT *stmt1, *stmt2;
++ unsigned long thread_id;
++ char query[MAX_TEST_QUERY_LENGTH];
++ int rc;
++
++ conn= client_connect(0, MYSQL_PROTOCOL_SOCKET, 1);
++
++ stmt1 = mysql_stmt_init(conn);
++ check_stmt(stmt1);
++ rc= mysql_stmt_prepare(stmt1, STRING_WITH_LEN("SELECT 1"));
++ check_execute(stmt1, rc);
++
++ stmt2 = mysql_stmt_init(conn);
++ check_stmt(stmt2);
++
++ thread_id= mysql_thread_id(conn);
++ sprintf(query, "KILL %lu", thread_id);
++ if (thread_query(query))
++ exit(1);
++
++ rc= mysql_stmt_prepare(stmt2, STRING_WITH_LEN("SELECT 2"));
++ check_execute(stmt2, rc);
++
++ rc= mysql_stmt_execute(stmt1);
++ check_execute_r(stmt1, rc);
++
++ rc= mysql_stmt_execute(stmt2);
++ check_execute(stmt2, rc);
++
++ mysql_close(conn);
++
++ mysql_stmt_close(stmt2);
++ mysql_stmt_close(stmt1);
++}
++
++
+ static struct my_tests_st my_tests[]= {
+ { "disable_query_logs", disable_query_logs },
+ { "test_view_sp_list_fields", test_view_sp_list_fields },
+@@ -19297,6 +19340,9 @@ static struct my_tests_st my_tests[]= {
+ { "test_bug13001491", test_bug13001491 },
+ { "test_mdev4326", test_mdev4326 },
+ { "test_ps_sp_out_params", test_ps_sp_out_params },
++#ifndef _WIN32
++ { "test_bug17512527", test_bug17512527},
++#endif
+ { 0, 0 }
+ };
+
diff --git a/databases/mariadb55-server/Makefile b/databases/mariadb55-server/Makefile
index d4c52fdc6bca..e50da0f10566 100644
--- a/databases/mariadb55-server/Makefile
+++ b/databases/mariadb55-server/Makefile
@@ -2,7 +2,7 @@
PORTNAME?= mariadb
PORTVERSION= 5.5.54
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES= databases ipv6
MASTER_SITES= http://ftp.osuosl.org/pub/mariadb/${PORTNAME}-${PORTVERSION}/source/ \
http://mirrors.supportex.net/mariadb/${PORTNAME}-${PORTVERSION}/source/ \
@@ -15,7 +15,7 @@ MASTER_SITES= http://ftp.osuosl.org/pub/mariadb/${PORTNAME}-${PORTVERSION}/sourc
http://mirror.switch.ch/mirror/mariadb/${PORTNAME}-${PORTVERSION}/source/
PKGNAMESUFFIX?= 55-server
-MAINTAINER= ports@FreeBSD.org
+MAINTAINER= brnrd@FreeBSD.org
COMMENT?= Multithreaded SQL database (server)
LICENSE= GPLv2
@@ -101,7 +101,7 @@ OQGRAPH_DESC= Open Query Graph Computation engine
OQGRAPH_USE= GCC=yes
OQGRAPH_LIB_DEPENDS= libboost_system.so:devel/boost-libs
-OQGRAPH_BROKEN= yes
+OQGRAPH_BROKEN= OQGraph does not build
MAXKEY_EXTRA_PATCHES= ${FILESDIR}/extra-patch-include_my_compare.h
.endif
diff --git a/databases/mariadb55-server/files/patch-CVE-2017-3302 b/databases/mariadb55-server/files/patch-CVE-2017-3302
new file mode 100644
index 000000000000..87d08f1d8f93
--- /dev/null
+++ b/databases/mariadb55-server/files/patch-CVE-2017-3302
@@ -0,0 +1,124 @@
+From eef21014898d61e77890359d6546d4985d829ef6 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 16 Feb 2017 11:32:47 +0100
+Subject: [PATCH] MDEV-11933 Wrong usage of linked list in
+ mysql_prune_stmt_list
+
+mysql_prune_stmt_list() was walking the list following
+element->next pointers, but inside the loop it was invoking
+list_add(element) that modified element->next. So, mysql_prune_stmt_list()
+failed to visit and reset all elements, and some of them were left
+with pointers to invalid MYSQL.
+---
+ sql-common/client.c | 11 ++---------
+ tests/mysql_client_test.c | 50 +++++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 50 insertions(+), 11 deletions(-)
+
+diff --git a/sql-common/client.c b/sql-common/client.c
+index c2e0cc3..b348afc 100644
+--- sql-common/client.c.orig
++++ sql-common/client.c
+@@ -1,5 +1,5 @@
+ /* Copyright (c) 2003, 2016, Oracle and/or its affiliates.
+- Copyright (c) 2009, 2016, MariaDB
++ Copyright (c) 2009, 2017, MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -3819,8 +3819,6 @@ static void mysql_close_free(MYSQL *mysql)
+ static void mysql_prune_stmt_list(MYSQL *mysql)
+ {
+ LIST *element= mysql->stmts;
+- LIST *pruned_list= 0;
+-
+ for (; element; element= element->next)
+ {
+ MYSQL_STMT *stmt= (MYSQL_STMT *) element->data;
+@@ -3830,14 +3828,9 @@ static void mysql_prune_stmt_list(MYSQL *mysql)
+ stmt->last_errno= CR_SERVER_LOST;
+ strmov(stmt->last_error, ER(CR_SERVER_LOST));
+ strmov(stmt->sqlstate, unknown_sqlstate);
+- }
+- else
+- {
+- pruned_list= list_add(pruned_list, element);
++ mysql->stmts= list_delete(mysql->stmts, element);
+ }
+ }
+-
+- mysql->stmts= pruned_list;
+ }
+
+
+diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
+index 446018e..f62545d 100644
+--- tests/mysql_client_test.c.orig
++++ tests/mysql_client_test.c
+@@ -1,5 +1,5 @@
+-/* Copyright (c) 2002, 2012, Oracle and/or its affiliates.
+- Copyright (c) 2008, 2012, Monty Program Ab
++/* Copyright (c) 2002, 2014, Oracle and/or its affiliates.
++ Copyright (c) 2008, 2017, MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -19031,6 +19031,49 @@ static void test_mdev4326()
+ myquery(rc);
+ }
+
++
++/**
++ BUG#17512527: LIST HANDLING INCORRECT IN MYSQL_PRUNE_STMT_LIST()
++*/
++static void test_bug17512527()
++{
++ MYSQL *conn;
++ MYSQL_STMT *stmt1, *stmt2;
++ unsigned long thread_id;
++ char query[MAX_TEST_QUERY_LENGTH];
++ int rc;
++
++ conn= client_connect(0, MYSQL_PROTOCOL_SOCKET, 1);
++
++ stmt1 = mysql_stmt_init(conn);
++ check_stmt(stmt1);
++ rc= mysql_stmt_prepare(stmt1, STRING_WITH_LEN("SELECT 1"));
++ check_execute(stmt1, rc);
++
++ stmt2 = mysql_stmt_init(conn);
++ check_stmt(stmt2);
++
++ thread_id= mysql_thread_id(conn);
++ sprintf(query, "KILL %lu", thread_id);
++ if (thread_query(query))
++ exit(1);
++
++ rc= mysql_stmt_prepare(stmt2, STRING_WITH_LEN("SELECT 2"));
++ check_execute(stmt2, rc);
++
++ rc= mysql_stmt_execute(stmt1);
++ check_execute_r(stmt1, rc);
++
++ rc= mysql_stmt_execute(stmt2);
++ check_execute(stmt2, rc);
++
++ mysql_close(conn);
++
++ mysql_stmt_close(stmt2);
++ mysql_stmt_close(stmt1);
++}
++
++
+ static struct my_tests_st my_tests[]= {
+ { "disable_query_logs", disable_query_logs },
+ { "test_view_sp_list_fields", test_view_sp_list_fields },
+@@ -19297,6 +19340,9 @@ static struct my_tests_st my_tests[]= {
+ { "test_bug13001491", test_bug13001491 },
+ { "test_mdev4326", test_mdev4326 },
+ { "test_ps_sp_out_params", test_ps_sp_out_params },
++#ifndef _WIN32
++ { "test_bug17512527", test_bug17512527},
++#endif
+ { 0, 0 }
+ };
+