aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-12-10 23:42:12 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 23:45:22 -0300
commiteeb63a5f99497c5b12a40fbb2c463ece02ba2aaa (patch)
tree489bde6fc096ab3331f23b25998850b5ba67d27e
parent3ac49c86bad5d4e10aa5fe6d1621d86a0b335824 (diff)
downloadaports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.gz
aports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.bz2
aports-eeb63a5f99497c5b12a40fbb2c463ece02ba2aaa.tar.xz
main/mariadb-connector-c: fix CVE-2020-13249
See: #11590
-rw-r--r--main/mariadb-connector-c/APKBUILD13
-rw-r--r--main/mariadb-connector-c/CVE-2020-13249.patch154
2 files changed, 163 insertions, 4 deletions
diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD
index 39abec9d8f..7e81bf47f5 100644
--- a/main/mariadb-connector-c/APKBUILD
+++ b/main/mariadb-connector-c/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb-connector-c
pkgver=3.0.10
-pkgrel=0
+pkgrel=1
pkgdesc="The MariaDB Native Client library (C driver)"
url="https://mariadb.org/"
arch="all"
@@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev"
makedepends="$depends_dev cmake"
replaces="mariadb-client-libs"
subpackages="$pkgname-dev"
-source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
+source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
cmake.patch
fix-ucontext-header.patch
+ CVE-2020-13249.patch
"
builddir="$srcdir/mariadb-connector-c-$pkgver-src"
+# secfixes:
+# 3.0.10-r1:
+# - CVE-2020-13249
+
build() {
cd "$builddir"
if [ "$CBUILD" != "$CHOST" ]; then
@@ -57,7 +62,7 @@ dev() {
replaces="mariadb-dev"
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-
sha512sums="1358d8f87e4693ef05d17915a399054ef40a1c9d58675b2704673fd40af843b366293c5b7d1e60c9335f68018c22d8aa86e41d90acebf1d4364229911dc8b6dc mariadb-connector-c-3.0.10-src.tar.gz
027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch
-757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch"
+757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch
+4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch"
diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch
new file mode 100644
index 0000000000..8f58063c4e
--- /dev/null
+++ b/main/mariadb-connector-c/CVE-2020-13249.patch
@@ -0,0 +1,154 @@
+diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
+index 4c1108b..1f04c35 100644
+--- a/libmariadb/mariadb_lib.c
++++ b/libmariadb/mariadb_lib.c
+@@ -76,6 +76,8 @@
+ #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15)
+ #define MA_RPL_VERSION_HACK "5.5.5-"
+
++#define CHARSET_NAME_LEN 64
++
+ #undef max_allowed_packet
+ #undef net_buffer_length
+ extern ulong max_allowed_packet; /* net.c */
+@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length)
+
+ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ {
++ uchar *end= mysql->net.read_pos+length;
+ size_t item_len;
+ mysql->affected_rows= net_field_length_ll(&pos);
+ mysql->insert_id= net_field_length_ll(&pos);
+@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ pos+=2;
+ mysql->warning_count=uint2korr(pos);
+ pos+=2;
+- if (pos < mysql->net.read_pos+length)
++ if (pos > end)
++ goto corrupted;
++ if (pos < end)
+ {
+ if ((item_len= net_field_length(&pos)))
+ mysql->info=(char*) pos;
++ if (pos + item_len > end)
++ goto corrupted;
+
+ /* check if server supports session tracking */
+ if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (mysql->server_status & SERVER_SESSION_STATE_CHANGED)
+ {
+ int i;
+- if (pos < mysql->net.read_pos + length)
++ if (pos < end)
+ {
+ LIST *session_item;
+ MYSQL_LEX_STRING *str= NULL;
+ enum enum_session_state_type si_type;
+ uchar *old_pos= pos;
+- size_t item_len= net_field_length(&pos); /* length for all items */
++
++ item_len= net_field_length(&pos); /* length for all items */
++ if (pos + item_len > end)
++ goto corrupted;
++ end= pos + item_len;
+
+ /* length was already set, so make sure that info will be zero terminated */
+ if (mysql->info)
+ *old_pos= 0;
+
+- while (item_len > 0)
++ while (pos < end)
+ {
+ size_t plen;
+ char *data;
+- old_pos= pos;
+ si_type= (enum enum_session_state_type)net_field_length(&pos);
+ switch(si_type) {
+ case SESSION_TRACK_SCHEMA:
+@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (si_type != SESSION_TRACK_STATE_CHANGE)
+ net_field_length(&pos); /* ignore total length, item length will follow next */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (!strncmp(str->str, "character_set_client", str->length))
+ set_charset= 1;
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+ pos+= plen;
+ session_item->data= str;
+ mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);
+- if (set_charset &&
++ if (set_charset && str->length < CHARSET_NAME_LEN &&
+ strncmp(mysql->charset->csname, str->str, str->length) != 0)
+ {
+- char cs_name[64];
+- MARIADB_CHARSET_INFO *cs_info;
++ char cs_name[CHARSET_NAME_LEN];
++ const MARIADB_CHARSET_INFO *cs_info;
+ memcpy(cs_name, str->str, str->length);
+ cs_name[str->length]= 0;
+- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name)))
++ if ((cs_info = mysql_find_charset_name(cs_name)))
+ mysql->charset= cs_info;
+ }
+ }
+@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ default:
+ /* not supported yet */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ pos+= plen;
+ break;
+ }
+- item_len-= (pos - old_pos);
+ }
+ }
+ for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)
+@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+ ma_clear_session_state(mysql);
+ return(0);
++
++oom:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
++ return -1;
++
++corrupted:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);
++ return -1;
+ }
+
+ int mthd_my_read_query_result(MYSQL *mysql)