diff options
| author | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 23:42:12 -0300 |
|---|---|---|
| committer | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 23:45:22 -0300 |
| commit | eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa (patch) | |
| tree | 489bde6fc096ab3331f23b25998850b5ba67d27e | |
| parent | 3ac49c86bad5d4e10aa5fe6d1621d86a0b335824 (diff) | |
| download | aports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.gz aports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.bz2 aports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.xz | |
main/mariadb-connector-c: fix CVE-2020-13249
See: #11590
| -rw-r--r-- | main/mariadb-connector-c/APKBUILD | 13 | ||||
| -rw-r--r-- | main/mariadb-connector-c/CVE-2020-13249.patch | 154 |
2 files changed, 163 insertions, 4 deletions
diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD index 39abec9d8f..7e81bf47f5 100644 --- a/main/mariadb-connector-c/APKBUILD +++ b/main/mariadb-connector-c/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mariadb-connector-c pkgver=3.0.10 -pkgrel=0 +pkgrel=1 pkgdesc="The MariaDB Native Client library (C driver)" url="https://mariadb.org/" arch="all" @@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev" makedepends="$depends_dev cmake" replaces="mariadb-client-libs" subpackages="$pkgname-dev" -source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz +source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz cmake.patch fix-ucontext-header.patch + CVE-2020-13249.patch " builddir="$srcdir/mariadb-connector-c-$pkgver-src" +# secfixes: +# 3.0.10-r1: +# - CVE-2020-13249 + build() { cd "$builddir" if [ "$CBUILD" != "$CHOST" ]; then @@ -57,7 +62,7 @@ dev() { replaces="mariadb-dev" mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } - sha512sums="1358d8f87e4693ef05d17915a399054ef40a1c9d58675b2704673fd40af843b366293c5b7d1e60c9335f68018c22d8aa86e41d90acebf1d4364229911dc8b6dc mariadb-connector-c-3.0.10-src.tar.gz 027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch -757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch" +757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch +4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch" diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch new file mode 100644 index 0000000000..8f58063c4e --- /dev/null +++ b/main/mariadb-connector-c/CVE-2020-13249.patch @@ -0,0 +1,154 @@ +diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c +index 4c1108b..1f04c35 100644 +--- a/libmariadb/mariadb_lib.c ++++ b/libmariadb/mariadb_lib.c +@@ -76,6 +76,8 @@ + #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15) + #define MA_RPL_VERSION_HACK "5.5.5-" + ++#define CHARSET_NAME_LEN 64 ++ + #undef max_allowed_packet + #undef net_buffer_length + extern ulong max_allowed_packet; /* net.c */ +@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length) + + int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + { ++ uchar *end= mysql->net.read_pos+length; + size_t item_len; + mysql->affected_rows= net_field_length_ll(&pos); + mysql->insert_id= net_field_length_ll(&pos); +@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + pos+=2; + mysql->warning_count=uint2korr(pos); + pos+=2; +- if (pos < mysql->net.read_pos+length) ++ if (pos > end) ++ goto corrupted; ++ if (pos < end) + { + if ((item_len= net_field_length(&pos))) + mysql->info=(char*) pos; ++ if (pos + item_len > end) ++ goto corrupted; + + /* check if server supports session tracking */ + if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) +@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (mysql->server_status & SERVER_SESSION_STATE_CHANGED) + { + int i; +- if (pos < mysql->net.read_pos + length) ++ if (pos < end) + { + LIST *session_item; + MYSQL_LEX_STRING *str= NULL; + enum enum_session_state_type si_type; + uchar *old_pos= pos; +- size_t item_len= net_field_length(&pos); /* length for all items */ ++ ++ item_len= net_field_length(&pos); /* length for all items */ ++ if (pos + item_len > end) ++ goto corrupted; ++ end= pos + item_len; + + /* length was already set, so make sure that info will be zero terminated */ + if (mysql->info) + *old_pos= 0; + +- while (item_len > 0) ++ while (pos < end) + { + size_t plen; + char *data; +- old_pos= pos; + si_type= (enum enum_session_state_type)net_field_length(&pos); + switch(si_type) { + case SESSION_TRACK_SCHEMA: +@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (si_type != SESSION_TRACK_STATE_CHANGE) + net_field_length(&pos); /* ignore total length, item length will follow next */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); +@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (!strncmp(str->str, "character_set_client", str->length)) + set_charset= 1; + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); + pos+= plen; + session_item->data= str; + mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item); +- if (set_charset && ++ if (set_charset && str->length < CHARSET_NAME_LEN && + strncmp(mysql->charset->csname, str->str, str->length) != 0) + { +- char cs_name[64]; +- MARIADB_CHARSET_INFO *cs_info; ++ char cs_name[CHARSET_NAME_LEN]; ++ const MARIADB_CHARSET_INFO *cs_info; + memcpy(cs_name, str->str, str->length); + cs_name[str->length]= 0; +- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name))) ++ if ((cs_info = mysql_find_charset_name(cs_name))) + mysql->charset= cs_info; + } + } +@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + default: + /* not supported yet */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + pos+= plen; + break; + } +- item_len-= (pos - old_pos); + } + } + for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++) +@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) + ma_clear_session_state(mysql); + return(0); ++ ++oom: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); ++ return -1; ++ ++corrupted: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0); ++ return -1; + } + + int mthd_my_read_query_result(MYSQL *mysql) |