diff mbox series

[meta-oe,kirkstone,3/3] mariadb: fix CVE-2025-30722

Message ID 20251024122624.1325594-3-divya.chellam@windriver.com
State New
Headers show
Series [meta-oe,kirkstone,1/3] mariadb: fix CVE-2025-21490 | expand

Commit Message

dchellam Oct. 24, 2025, 12:26 p.m. UTC 
From: Divya Chellam <divya.chellam@windriver.com>

Vulnerability in the MySQL Client product of Oracle MySQL (component:
Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41,
8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Client. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all MySQL Client
accessible data as well as unauthorized update, insert or delete access to
some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality
and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-30722

Upstream-patch:
https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 meta-oe/recipes-dbs/mysql/mariadb.inc         |   1 +
 .../mysql/mariadb/CVE-2025-30722.patch        | 176 ++++++++++++++++++
 2 files changed, 177 insertions(+)
 create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 27b5c46fa1..048e43d962 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -34,6 +34,7 @@  SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
            file://CVE-2024-21096-0004.patch \
            file://CVE-2024-21096-0005.patch \
 	   file://CVE-2025-21490.patch \
+	   file://CVE-2025-30722.patch \
           "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch
new file mode 100644
index 0000000000..d7e74d66f0
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch
@@ -0,0 +1,176 @@ 
+From 6aa860be27480db134a3c71065b9b47d15b72674 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Tue, 11 Mar 2025 11:22:00 +0100
+Subject: [PATCH] MDEV-36268 mariadb-dump used wrong quoting character
+
+use ' not " and use quote_for_equal()
+
+Backported according to mariadb 10.11.12
+
+CVE: CVE-2025-30722
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ client/mysqldump.c                      | 15 +++++++----
+ mysql-test/main/mysqldump-system.result |  6 ++---
+ mysql-test/main/mysqldump.result        | 33 +++++++++++++++++++++++++
+ mysql-test/main/mysqldump.test          |  9 +++++++
+ 4 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/client/mysqldump.c b/client/mysqldump.c
+index 767413b1..9c0921c0 100644
+--- a/client/mysqldump.c
++++ b/client/mysqldump.c
+@@ -2175,7 +2175,7 @@ static char *quote_for_equal(const char *name, char *buff)
+       *to++='\\';
+     }
+     if (*name == '\'')
+-      *to++= '\\';
++      *to++= '\'';
+     *to++= *name++;
+   }
+   to[0]= '\'';
+@@ -3707,7 +3707,7 @@ static void dump_trigger_old(FILE *sql_file, MYSQL_RES *show_triggers_rs,
+ 
+   fprintf(sql_file,
+           "DELIMITER ;;\n"
+-          "/*!50003 SET SESSION SQL_MODE=\"%s\" */;;\n"
++          "/*!50003 SET SESSION SQL_MODE='%s' */;;\n"
+           "/*!50003 CREATE */ ",
+           (*show_trigger_row)[6]);
+ 
+@@ -4686,17 +4686,19 @@ static int dump_all_users_roles_and_grants()
+     return 1;
+   while ((row= mysql_fetch_row(tableres)))
+   {
++    char buf[200];
+     if (opt_replace_into)
+       /* Protection against removing the current import user */
+       /* MySQL-8.0 export capability */
+       fprintf(md_result_file,
+         "DELIMITER |\n"
+-        "/*M!100101 IF current_user()=\"%s\" THEN\n"
++        "/*M!100101 IF current_user()=%s THEN\n"
+         "  SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001,"
+         " MESSAGE_TEXT=\"Don't remove current user %s'\";\n"
+         "END IF */|\n"
+         "DELIMITER ;\n"
+-        "/*!50701 DROP USER IF EXISTS %s */;\n", row[0], row[0], row[0]);
++        "/*!50701 DROP USER IF EXISTS %s */;\n",
++        quote_for_equal(row[0],buf), row[0], row[0]);
+     if (dump_create_user(row[0]))
+       result= 1;
+     /* if roles exist, defer dumping grants until after roles created */
+@@ -6770,6 +6772,7 @@ static my_bool get_view_structure(char *table, char* db)
+   char       *result_table, *opt_quoted_table;
+   char       table_buff[NAME_LEN*2+3];
+   char       table_buff2[NAME_LEN*2+3];
++  char       temp_buff[NAME_LEN*2 + 3], temp_buff2[NAME_LEN*2 + 3];
+   char       query[QUERY_LENGTH];
+   FILE       *sql_file= md_result_file;
+   DBUG_ENTER("get_view_structure");
+@@ -6830,7 +6833,9 @@ static my_bool get_view_structure(char *table, char* db)
+               "SELECT CHECK_OPTION, DEFINER, SECURITY_TYPE, "
+               "       CHARACTER_SET_CLIENT, COLLATION_CONNECTION "
+               "FROM information_schema.views "
+-              "WHERE table_name=\"%s\" AND table_schema=\"%s\"", table, db);
++              "WHERE table_name=%s AND table_schema=%s",
++              quote_for_equal(table, temp_buff2),
++              quote_for_equal(db, temp_buff));
+ 
+   if (mysql_query(mysql, query))
+   {
+diff --git a/mysql-test/main/mysqldump-system.result b/mysql-test/main/mysqldump-system.result
+index 5619ec70..b502bd8d 100644
+--- a/mysql-test/main/mysqldump-system.result
++++ b/mysql-test/main/mysqldump-system.result
+@@ -648,21 +648,21 @@ INSTALL PLUGIN test_plugin_server  SONAME 'AUTH_TEST_PLUGIN_LIB';
+ /*M!100401 UNINSTALL PLUGIN IF EXIST cleartext_plugin_server */;
+ INSTALL PLUGIN cleartext_plugin_server  SONAME 'AUTH_TEST_PLUGIN_LIB';
+ DELIMITER |
+-/*M!100101 IF current_user()="'mariadb.sys'@'localhost'" THEN
++/*M!100101 IF current_user()='''mariadb.sys''@''localhost''' THEN
+   SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'mariadb.sys'@'localhost''";
+ END IF */|
+ DELIMITER ;
+ /*!50701 DROP USER IF EXISTS 'mariadb.sys'@'localhost' */;
+ CREATE /*M!100103 OR REPLACE */ USER `mariadb.sys`@`localhost` PASSWORD EXPIRE;
+ DELIMITER |
+-/*M!100101 IF current_user()="'root'@'localhost'" THEN
++/*M!100101 IF current_user()='''root''@''localhost''' THEN
+   SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'root'@'localhost''";
+ END IF */|
+ DELIMITER ;
+ /*!50701 DROP USER IF EXISTS 'root'@'localhost' */;
+ CREATE /*M!100103 OR REPLACE */ USER `root`@`localhost`;
+ DELIMITER |
+-/*M!100101 IF current_user()="'foobar'@'%'" THEN
++/*M!100101 IF current_user()='''foobar'@'%''' THEN
+   SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'foobar'@'%''";
+ END IF */|
+ DELIMITER ;
+diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result
+index ca9260f1..c55e5e49 100644
+--- a/mysql-test/main/mysqldump.result
++++ b/mysql-test/main/mysqldump.result
+@@ -6699,4 +6699,37 @@ CREATE TABLE `t1` (
+ /*!40101 SET character_set_client = @saved_cs_client */;
+ ERROR at line 9: Not allowed in the sandbox mode
+ drop table t1;
++#
++# MDEV-36268 mariadb-dump used wrong quoting character
++#
++create table t1 (a int);
++create view `v'1"2` as select * from t1 with check option;
++/*M!999999\- enable the sandbox mode */ 
++/*!40101 SET @saved_cs_client     = @@character_set_client */;
++/*!40101 SET character_set_client = utf8mb4 */;
++CREATE TABLE `t1` (
++  `a` int(11) DEFAULT NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;
++/*!40101 SET character_set_client = @saved_cs_client */;
++SET @saved_cs_client     = @@character_set_client;
++SET character_set_client = utf8mb4;
++/*!50001 CREATE VIEW `v'1"2` AS SELECT
++ 1 AS `a` */;
++SET character_set_client = @saved_cs_client;
++/*!50001 DROP VIEW IF EXISTS `v'1"2`*/;
++/*!50001 SET @saved_cs_client          = @@character_set_client */;
++/*!50001 SET @saved_cs_results         = @@character_set_results */;
++/*!50001 SET @saved_col_connection     = @@collation_connection */;
++/*!50001 SET character_set_client      = utf8 */;
++/*!50001 SET character_set_results     = utf8 */;
++/*!50001 SET collation_connection      = utf8_general_ci */;
++/*!50001 CREATE ALGORITHM=UNDEFINED */
++/*!50013 DEFINER=`root`@`localhost` SQL SECURITY DEFINER */
++/*!50001 VIEW `v'1"2` AS select `t1`.`a` AS `a` from `t1` */
++/*!50002 WITH CASCADED CHECK OPTION */;
++/*!50001 SET character_set_client      = @saved_cs_client */;
++/*!50001 SET character_set_results     = @saved_cs_results */;
++/*!50001 SET collation_connection      = @saved_col_connection */;
++drop view `v'1"2`;
++drop table t1;
+ # End of 10.5 tests
+diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test
+index 9248f2ac..64d73ad3 100644
+--- a/mysql-test/main/mysqldump.test
++++ b/mysql-test/main/mysqldump.test
+@@ -3003,4 +3003,13 @@ EOF
+ --remove_file $MYSQLTEST_VARDIR/tmp/mdev33727.sql
+ drop table t1;
+ 
++--echo #
++--echo # MDEV-36268 mariadb-dump used wrong quoting character
++--echo #
++create table t1 (a int);
++create view `v'1"2` as select * from t1 with check option; # "'
++--exec $MYSQL_DUMP --compact test
++drop view `v'1"2`; # "'
++drop table t1;
++
+ --echo # End of 10.5 tests
+-- 
+2.40.0
+