pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/databases/mysql55-client

Module Name:    pkgsrc
Committed By:   maya
Date:           Sun Jan 20 18:03:25 UTC 2019

Modified Files:
        pkgsrc/databases/mysql55-client: Makefile distinfo
        pkgsrc/databases/mysql55-client/patches: patch-CMakeLists.txt
Added Files:
        pkgsrc/databases/mysql55-client/patches:
            patch-cmake_build__configurations_mysql__release.cmake
            patch-sql_sys__vars.cc

Log Message:
mysql55-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/databases/mysql55-client/Makefile
cvs rdiff -u -r1.62 -r1.63 pkgsrc/databases/mysql55-client/distinfo
cvs rdiff -u -r1.6 -r1.7 \
    pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake \
    pkgsrc/databases/mysql55-client/patches/patch-sql_sys__vars.cc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: pkgsrc/databases/mysql55-client/Makefile
diff -u pkgsrc/databases/mysql55-client/Makefile:1.31 pkgsrc/databases/mysql55-client/Makefile:1.32
--- pkgsrc/databases/mysql55-client/Makefile:1.31       Thu Nov 22 11:27:11 2018
+++ pkgsrc/databases/mysql55-client/Makefile    Sun Jan 20 18:03:25 2019
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.31 2018/11/22 11:27:11 adam Exp $
+# $NetBSD: Makefile,v 1.32 2019/01/20 18:03:25 maya Exp $
 
 PKGNAME=       ${DISTNAME:S/-/-client-/}
+PKGREVISION=   1
 COMMENT=       MySQL 5, a free SQL database (client)
 
 CONFLICTS=     mysql3-client-[0-9]*

Index: pkgsrc/databases/mysql55-client/distinfo
diff -u pkgsrc/databases/mysql55-client/distinfo:1.62 pkgsrc/databases/mysql55-client/distinfo:1.63
--- pkgsrc/databases/mysql55-client/distinfo:1.62       Thu Nov 22 11:27:11 2018
+++ pkgsrc/databases/mysql55-client/distinfo    Sun Jan 20 18:03:25 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.62 2018/11/22 11:27:11 adam Exp $
+$NetBSD: distinfo,v 1.63 2019/01/20 18:03:25 maya Exp $
 
 SHA1 (mysql-5.5.62.tar.gz) = b3df3c8c50b8655878cfbc288537f44715f6b060
 RMD160 (mysql-5.5.62.tar.gz) = 4b6fdfc37dc87fdabb2b944b695d5b9e687e22f2
@@ -9,12 +9,13 @@ RMD160 (sphinx-2.2.11-release.tar.gz) = 
 SHA512 (sphinx-2.2.11-release.tar.gz) = cf1a262a5b0fbf0bd2827ec6ec629edeaf709ce855a6e7b509b65342baaeb26c02717ca63f1578d32c83d21e2fd6d1e92dceb34660e6351b93cd96fd4e623689
 Size (sphinx-2.2.11-release.tar.gz) = 3061998 bytes
 SHA1 (patch-BUILD_compile-pentium-gcov) = a1ac666efa953a98455a726e5db359c903d699b6
-SHA1 (patch-CMakeLists.txt) = 2040dc4904270327c9d64178a3d889ebde2ec5d5
+SHA1 (patch-CMakeLists.txt) = 95f3f9ab5210d3e1fdb565d9565fbaad448be70c
 SHA1 (patch-client_completion_hash.cc) = e27fd7072a8206380f0a932b1a31d2843c985cbf
 SHA1 (patch-client_mysqladmin.cc) = c640d3ca742dc1b200701d21d82d8f2093917cf2
 SHA1 (patch-client_mysqlbinlog.cc) = e38abe026c10a07808ccd24b596cf13c5079e206
 SHA1 (patch-client_mysqlshow.c) = a12b06241eee91d1ec11e3b7e4f3125aa6c79905
 SHA1 (patch-client_sql_string.cc) = 1547b8d3889af2831c89b97aecdbe8158711a600
+SHA1 (patch-cmake_build__configurations_mysql__release.cmake) = 5c2e3afc7ff0099cfc24b95b6ebf3f58c9a3e7af
 SHA1 (patch-cmake_libutils.cmake) = 5d75a1762e3db6724bec2d75b45d40b17a5e9d09
 SHA1 (patch-cmake_plugin.cmake) = 2b702af6bf8f251886cea12cf7477abae7659230
 SHA1 (patch-cmake_readline.cmake) = aed279d6740e70d7e0e7565a6d9f0f214c866c8d
@@ -35,6 +36,7 @@ SHA1 (patch-sql_CMakeLists.txt) = c4e72a
 SHA1 (patch-sql_log_event.h) = 43a52ea2f410aa51b99f2f7e1f293a579e13f9c8
 SHA1 (patch-sql_mysqld.cc) = 7e2cfb58f6af8531920dd9128f7b3a35735d7d2c
 SHA1 (patch-sql_sql_string.h) = 32c0caf813f7ba94e9ed8fc6d0da4b4a52b41141
+SHA1 (patch-sql_sys__vars.cc) = d82aee9dfc512ae7316316e8da28c74340f85400
 SHA1 (patch-storage_archive_CMakeLists.txt) = 1144fc8dda537be12656e76c2a714f2af59d0368
 SHA1 (patch-storage_blackhole_CMakeLists.txt) = c8907f400c64e7405a2d112b80892fa0a395d212
 SHA1 (patch-storage_csv_CMakeLists.txt) = 59ef822fe0eeb65bd003a5cc6849b57d26276b56

Index: pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt
diff -u pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt:1.6 pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt:1.7
--- pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt:1.6    Sat Nov 29 10:01:29 2014
+++ pkgsrc/databases/mysql55-client/patches/patch-CMakeLists.txt        Sun Jan 20 18:03:25 2019
@@ -1,11 +1,15 @@
-$NetBSD: patch-CMakeLists.txt,v 1.6 2014/11/29 10:01:29 adam Exp $
+$NetBSD: patch-CMakeLists.txt,v 1.7 2019/01/20 18:03:25 maya Exp $
 
 Split configuration between mysql-client and mysql-server.
 Build with newer DTrace.
 
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
 --- CMakeLists.txt.orig        2014-11-04 07:49:52.000000000 +0000
 +++ CMakeLists.txt
-@@ -165,6 +165,7 @@ IF(DISABLE_SHARED)
+@@ -168,6 +168,7 @@ IF(DISABLE_SHARED)
    SET(WITHOUT_DYNAMIC_PLUGINS 1)
  ENDIF()
  OPTION(ENABLED_PROFILING "Enable profiling" ON)
@@ -13,7 +17,16 @@ Build with newer DTrace.
  OPTION(CYBOZU "" OFF)
  OPTION(BACKUP_TEST "" OFF)
  OPTION(WITHOUT_SERVER OFF)
-@@ -375,7 +376,6 @@ ADD_SUBDIRECTORY(strings)
+@@ -294,7 +295,7 @@ IF(REPRODUCIBLE_BUILD)
+ ENDIF()
+ 
+ OPTION(ENABLED_LOCAL_INFILE
+- "If we should should enable LOAD DATA LOCAL by default" ${IF_WIN})
++"If we should should enable LOAD DATA LOCAL by default" OFF)
+ MARK_AS_ADVANCED(ENABLED_LOCAL_INFILE)
+ 
+ OPTION(WITH_FAST_MUTEXES "Compile with fast mutexes" OFF)
+@@ -418,7 +419,6 @@ ADD_SUBDIRECTORY(strings)
  ADD_SUBDIRECTORY(vio)
  ADD_SUBDIRECTORY(regex)
  ADD_SUBDIRECTORY(mysys)
@@ -21,7 +34,7 @@ Build with newer DTrace.
  
  IF(WITH_UNIT_TESTS)
   ENABLE_TESTING()
-@@ -387,9 +387,13 @@ IF(WITH_UNIT_TESTS)
+@@ -430,9 +430,13 @@ IF(WITH_UNIT_TESTS)
  ENDIF()
  
  ADD_SUBDIRECTORY(extra)
@@ -37,7 +50,7 @@ Build with newer DTrace.
    ADD_SUBDIRECTORY(sql)
    ADD_SUBDIRECTORY(sql/share)
    ADD_SUBDIRECTORY(libservices)
-@@ -402,11 +406,7 @@ IF(NOT WITHOUT_SERVER)
+@@ -445,11 +449,7 @@ IF(NOT WITHOUT_SERVER)
    ADD_SUBDIRECTORY(mysql-test)
    ADD_SUBDIRECTORY(mysql-test/lib/My/SafeProcess)
    ADD_SUBDIRECTORY(support-files)

Added files:

Index: pkgsrc/databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake
diff -u /dev/null pkgsrc/databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake:1.1
--- /dev/null   Sun Jan 20 18:03:25 2019
+++ pkgsrc/databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake      Sun Jan 20 18:03:25 2019
@@ -0,0 +1,17 @@
+$NetBSD: patch-cmake_build__configurations_mysql__release.cmake,v 1.1 2019/01/20 18:03:25 maya Exp $
+
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
+--- cmake/build_configurations/mysql_release.cmake.orig        2018-08-28 21:12:51.000000000 +0000
++++ cmake/build_configurations/mysql_release.cmake
+@@ -92,7 +92,7 @@ IF(FEATURE_SET)
+   ENDFOREACH()
+ ENDIF()
+ 
+-OPTION(ENABLED_LOCAL_INFILE "" ON)
++OPTION(ENABLED_LOCAL_INFILE "" OFF)
+ SET(WITH_SSL bundled CACHE STRING "")
+ SET(WITH_ZLIB bundled CACHE STRING "")
+ 
Index: pkgsrc/databases/mysql55-client/patches/patch-sql_sys__vars.cc
diff -u /dev/null pkgsrc/databases/mysql55-client/patches/patch-sql_sys__vars.cc:1.1
--- /dev/null   Sun Jan 20 18:03:25 2019
+++ pkgsrc/databases/mysql55-client/patches/patch-sql_sys__vars.cc      Sun Jan 20 18:03:25 2019
@@ -0,0 +1,17 @@
+$NetBSD: patch-sql_sys__vars.cc,v 1.1 2019/01/20 18:03:25 maya Exp $
+
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
+--- sql/sys_vars.cc.orig       2018-08-28 21:12:51.000000000 +0000
++++ sql/sys_vars.cc
+@@ -977,7 +977,7 @@ static Sys_var_charptr Sys_language(
+ 
+ static Sys_var_mybool Sys_local_infile(
+        "local_infile", "Enable LOAD DATA LOCAL INFILE",
+-       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(TRUE));
++       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(FALSE));
+ 
+ static Sys_var_ulong Sys_lock_wait_timeout(
+        "lock_wait_timeout",
Home | Main Index | Thread Index | Old Index