diff --git a/CVE-2025-13699.patch b/CVE-2025-13699.patch new file mode 100644 index 0000000000000000000000000000000000000000..b9d1bd14616142152f1f635070e175addd67351b --- /dev/null +++ b/CVE-2025-13699.patch @@ -0,0 +1,207 @@ +diff --git a/client/mysqldump.c b/client/mysqldump.c +index e7264c07..7a019f97 100644 +--- a/client/mysqldump.c ++++ b/client/mysqldump.c +@@ -1811,6 +1811,26 @@ static char *cover_definer_clause(const char *stmt_str, + return query_str; + } + ++ ++static const char* build_path_for_table(char *to, const char *dir, ++ const char *table, const char *ext) ++{ ++ char filename[FN_REFLEN], tmp_path[FN_REFLEN]; ++ convert_dirname(tmp_path, path, NULL); ++ my_load_path(tmp_path, tmp_path, NULL); ++ if (check_if_legal_tablename(table)) ++ strxnmov(filename, sizeof(filename) - 1, table, "@@@", NULL); ++ else ++ { ++ uint errors, len; ++ len= my_convert(filename, sizeof(filename) - 1, &my_charset_filename, ++ table, (uint32)strlen(table), charset_info, &errors); ++ filename[len]= 0; ++ } ++ return fn_format(to, filename, tmp_path, ext, MYF(MY_UNPACK_FILENAME)); ++} ++ ++ + /* + Open a new .sql file to dump the table or view into + +@@ -1825,12 +1845,9 @@ static char *cover_definer_clause(const char *stmt_str, + */ + static FILE* open_sql_file_for_table(const char* table, int flags) + { +- FILE* res; +- char filename[FN_REFLEN], tmp_path[FN_REFLEN]; +- convert_dirname(tmp_path,path,NullS); +- res= my_fopen(fn_format(filename, table, tmp_path, ".sql", 4), +- flags, MYF(MY_WME)); +- return res; ++ char filename[FN_REFLEN]; ++ return my_fopen(build_path_for_table(filename, path, table, ".sql"), ++ flags, MYF(MY_WME)); + } + + +@@ -4017,15 +4034,9 @@ static void dump_table(const char *table, const char *db, const uchar *hash_key, + + if (path) + { +- char filename[FN_REFLEN], tmp_path[FN_REFLEN]; ++ char filename[FN_REFLEN]; + +- /* +- Convert the path to native os format +- and resolve to the full filepath. +- */ +- convert_dirname(tmp_path,path,NullS); +- my_load_path(tmp_path, tmp_path, NULL); +- fn_format(filename, table, tmp_path, ".txt", MYF(MY_UNPACK_FILENAME)); ++ build_path_for_table(filename, path, table, ".txt"); + + /* Must delete the file that 'INTO OUTFILE' will write to */ + my_delete(filename, MYF(0)); +@@ -4034,7 +4045,6 @@ static void dump_table(const char *table, const char *db, const uchar *hash_key, + to_unix_path(filename); + + /* now build the query string */ +- + dynstr_append_checked(&query_string, "SELECT /*!40001 SQL_NO_CACHE */ "); + dynstr_append_checked(&query_string, select_field_names.str); + dynstr_append_checked(&query_string, " INTO OUTFILE '"); +diff --git a/client/mysqlimport.c b/client/mysqlimport.c +index 687fd8c2..402affcf 100644 +--- a/client/mysqlimport.c ++++ b/client/mysqlimport.c +@@ -317,7 +317,17 @@ static int write_to_table(char *filename, MYSQL *mysql) + DBUG_ENTER("write_to_table"); + DBUG_PRINT("enter",("filename: %s",filename)); + +- fn_format(tablename, filename, "", "", 1 | 2); /* removes path & ext. */ ++ fn_format(tablename, filename, "", "", MYF(MY_REPLACE_DIR | MY_REPLACE_EXT)); ++ if (strchr(tablename, '@')) ++ { ++ uint errors, len; ++ CHARSET_INFO *cs= ++ get_charset_by_csname(default_charset, MY_CS_PRIMARY, MYF(0)); ++ len= my_convert(escaped_name, sizeof(escaped_name) - 1, cs, tablename, ++ (uint32)strlen(tablename), &my_charset_filename, &errors); ++ if (!errors) ++ strmake(tablename, escaped_name, len); ++ } + if (!opt_local_file) + strmov(hard_path,filename); + else +@@ -466,7 +476,7 @@ static MYSQL *db_connect(char *host, char *database, + mysql_options(mysql, MYSQL_DEFAULT_AUTH, opt_default_auth); + if (!strcmp(default_charset,MYSQL_AUTODETECT_CHARSET_NAME)) + default_charset= (char *)my_default_csname(); +- mysql_options(mysql, MYSQL_SET_CHARSET_NAME, my_default_csname()); ++ mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset); + mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0); + mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, + "program_name", "mysqlimport"); +diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result +index 8e8e342d..4a9c1b50 100644 +--- a/mysql-test/main/mysqldump.result ++++ b/mysql-test/main/mysqldump.result +@@ -6624,3 +6624,48 @@ SET character_set_client = @saved_cs_client; + drop view `v'1"2`; + drop table t1; + # End of 10.5 tests ++# ++# MDEV-37483 mariadb-dump -T doesn't convert table names ++# ++create database foo; ++use foo; ++create table `con_schöne_grüße` (a int) select 1 as a; ++create table `con` (b int) select 2 as b; ++create table `con/bar` (c int) select 3 as c; ++create table `con@fame` (d int) select 4 as d; ++drop database foo; ++use test; ++con@002fbar.sql ++con@002fbar.txt ++con@@@.sql ++con@@@.txt ++con@fame.sql ++con@fame.txt ++con_sch@1ine_gr@1o@1je.sql ++con_sch@1ine_gr@1o@1je.txt ++show tables; ++Tables_in_test ++con ++con/bar ++con@fame ++con_schöne_grüße ++test.con: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 ++test.con/bar: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 ++test.con@fame: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 ++select * from `con_schöne_grüße`; ++a ++1 ++select * from `con`; ++b ++2 ++select * from `con/bar`; ++c ++3 ++select * from `con@fame`; ++d ++4 ++drop table `con_schöne_grüße`; ++drop table `con`; ++drop table `con/bar`; ++drop table `con@fame`; ++# End of 10.6 tests +diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test +index 58790c15..6dc3eff5 100644 +--- a/mysql-test/main/mysqldump.test ++++ b/mysql-test/main/mysqldump.test +@@ -3033,3 +3033,44 @@ drop view `v'1"2`; # "' + drop table t1; + + --echo # End of 10.5 tests ++ ++--echo # ++--echo # MDEV-37483 mariadb-dump -T doesn't convert table names ++--echo # ++create database foo; ++use foo; ++ ++create table `con_schöne_grüße` (a int) select 1 as a; ++create table `con` (b int) select 2 as b; ++create table `con/bar` (c int) select 3 as c; ++create table `con@fame` (d int) select 4 as d; ++exec $MYSQL_DUMP foo --tab $MYSQLTEST_VARDIR/tmp; ++drop database foo; ++use test; ++move_file $MYSQLTEST_VARDIR/tmp/con@0040fame.sql $MYSQLTEST_VARDIR/tmp/con@fame.sql; ++move_file $MYSQLTEST_VARDIR/tmp/con@0040fame.txt $MYSQLTEST_VARDIR/tmp/con@fame.txt; ++list_files $MYSQLTEST_VARDIR/tmp con*; ++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@@@.sql; ++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@002fbar.sql; ++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con_sch@1ine_gr@1o@1je.sql; ++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@fame.sql; ++show tables; ++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@@@.txt; ++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@002fbar.txt; ++if (`select @@version like '10.6.%'`) { ++# utf8 console output on Windows is fixed in MDEV-26713, until then ++--disable_result_log ++} ++exec $MYSQL_IMPORT --default-character-set=utf8mb4 test $MYSQLTEST_VARDIR/tmp/con_sch@1ine_gr@1o@1je.txt; ++--enable_result_log ++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@fame.txt; ++select * from `con_schöne_grüße`; ++select * from `con`; ++select * from `con/bar`; ++select * from `con@fame`; ++drop table `con_schöne_grüße`; ++drop table `con`; ++drop table `con/bar`; ++drop table `con@fame`; ++ ++--echo # End of 10.6 tests diff --git a/mariadb-upstream-6257a830.patch b/mariadb-upstream-6257a830.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ee3a75f0bbe5243d50513eea3c53591c614d0bc --- /dev/null +++ b/mariadb-upstream-6257a830.patch @@ -0,0 +1,231 @@ +--- a/CVE-2025-13699.patch ++++ b/CVE-2025-13699.patch +@@ -0,0 +1,207 @@ ++diff --git a/client/mysqldump.c b/client/mysqldump.c ++index e7264c07..7a019f97 100644 ++--- a/client/mysqldump.c +++++ b/client/mysqldump.c ++@@ -1811,6 +1811,26 @@ static char *cover_definer_clause(const char *stmt_str, ++ return query_str; ++ } ++ +++ +++static const char* build_path_for_table(char *to, const char *dir, +++ const char *table, const char *ext) +++{ +++ char filename[FN_REFLEN], tmp_path[FN_REFLEN]; +++ convert_dirname(tmp_path, path, NULL); +++ my_load_path(tmp_path, tmp_path, NULL); +++ if (check_if_legal_tablename(table)) +++ strxnmov(filename, sizeof(filename) - 1, table, "@@@", NULL); +++ else +++ { +++ uint errors, len; +++ len= my_convert(filename, sizeof(filename) - 1, &my_charset_filename, +++ table, (uint32)strlen(table), charset_info, &errors); +++ filename[len]= 0; +++ } +++ return fn_format(to, filename, tmp_path, ext, MYF(MY_UNPACK_FILENAME)); +++} +++ +++ ++ /* ++ Open a new .sql file to dump the table or view into ++ ++@@ -1825,12 +1845,9 @@ static char *cover_definer_clause(const char *stmt_str, ++ */ ++ static FILE* open_sql_file_for_table(const char* table, int flags) ++ { ++- FILE* res; ++- char filename[FN_REFLEN], tmp_path[FN_REFLEN]; ++- convert_dirname(tmp_path,path,NullS); ++- res= my_fopen(fn_format(filename, table, tmp_path, ".sql", 4), ++- flags, MYF(MY_WME)); ++- return res; +++ char filename[FN_REFLEN]; +++ return my_fopen(build_path_for_table(filename, path, table, ".sql"), +++ flags, MYF(MY_WME)); ++ } ++ ++ ++@@ -4017,15 +4034,9 @@ static void dump_table(const char *table, const char *db, const uchar *hash_key, ++ ++ if (path) ++ { ++- char filename[FN_REFLEN], tmp_path[FN_REFLEN]; +++ char filename[FN_REFLEN]; ++ ++- /* ++- Convert the path to native os format ++- and resolve to the full filepath. ++- */ ++- convert_dirname(tmp_path,path,NullS); ++- my_load_path(tmp_path, tmp_path, NULL); ++- fn_format(filename, table, tmp_path, ".txt", MYF(MY_UNPACK_FILENAME)); +++ build_path_for_table(filename, path, table, ".txt"); ++ ++ /* Must delete the file that 'INTO OUTFILE' will write to */ ++ my_delete(filename, MYF(0)); ++@@ -4034,7 +4045,6 @@ static void dump_table(const char *table, const char *db, const uchar *hash_key, ++ to_unix_path(filename); ++ ++ /* now build the query string */ ++- ++ dynstr_append_checked(&query_string, "SELECT /*!40001 SQL_NO_CACHE */ "); ++ dynstr_append_checked(&query_string, select_field_names.str); ++ dynstr_append_checked(&query_string, " INTO OUTFILE '"); ++diff --git a/client/mysqlimport.c b/client/mysqlimport.c ++index 687fd8c2..402affcf 100644 ++--- a/client/mysqlimport.c +++++ b/client/mysqlimport.c ++@@ -317,7 +317,17 @@ static int write_to_table(char *filename, MYSQL *mysql) ++ DBUG_ENTER("write_to_table"); ++ DBUG_PRINT("enter",("filename: %s",filename)); ++ ++- fn_format(tablename, filename, "", "", 1 | 2); /* removes path & ext. */ +++ fn_format(tablename, filename, "", "", MYF(MY_REPLACE_DIR | MY_REPLACE_EXT)); +++ if (strchr(tablename, '@')) +++ { +++ uint errors, len; +++ CHARSET_INFO *cs= +++ get_charset_by_csname(default_charset, MY_CS_PRIMARY, MYF(0)); +++ len= my_convert(escaped_name, sizeof(escaped_name) - 1, cs, tablename, +++ (uint32)strlen(tablename), &my_charset_filename, &errors); +++ if (!errors) +++ strmake(tablename, escaped_name, len); +++ } ++ if (!opt_local_file) ++ strmov(hard_path,filename); ++ else ++@@ -466,7 +476,7 @@ static MYSQL *db_connect(char *host, char *database, ++ mysql_options(mysql, MYSQL_DEFAULT_AUTH, opt_default_auth); ++ if (!strcmp(default_charset,MYSQL_AUTODETECT_CHARSET_NAME)) ++ default_charset= (char *)my_default_csname(); ++- mysql_options(mysql, MYSQL_SET_CHARSET_NAME, my_default_csname()); +++ mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset); ++ mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0); ++ mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, ++ "program_name", "mysqlimport"); ++diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result ++index 8e8e342d..4a9c1b50 100644 ++--- a/mysql-test/main/mysqldump.result +++++ b/mysql-test/main/mysqldump.result ++@@ -6624,3 +6624,48 @@ SET character_set_client = @saved_cs_client; ++ drop view `v'1"2`; ++ drop table t1; ++ # End of 10.5 tests +++# +++# MDEV-37483 mariadb-dump -T doesn't convert table names +++# +++create database foo; +++use foo; +++create table `con_schöne_grüße` (a int) select 1 as a; +++create table `con` (b int) select 2 as b; +++create table `con/bar` (c int) select 3 as c; +++create table `con@fame` (d int) select 4 as d; +++drop database foo; +++use test; +++con@002fbar.sql +++con@002fbar.txt +++con@@@.sql +++con@@@.txt +++con@fame.sql +++con@fame.txt +++con_sch@1ine_gr@1o@1je.sql +++con_sch@1ine_gr@1o@1je.txt +++show tables; +++Tables_in_test +++con +++con/bar +++con@fame +++con_schöne_grüße +++test.con: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 +++test.con/bar: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 +++test.con@fame: Records: 1 Deleted: 0 Skipped: 0 Warnings: 0 +++select * from `con_schöne_grüße`; +++a +++1 +++select * from `con`; +++b +++2 +++select * from `con/bar`; +++c +++3 +++select * from `con@fame`; +++d +++4 +++drop table `con_schöne_grüße`; +++drop table `con`; +++drop table `con/bar`; +++drop table `con@fame`; +++# End of 10.6 tests ++diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test ++index 58790c15..6dc3eff5 100644 ++--- a/mysql-test/main/mysqldump.test +++++ b/mysql-test/main/mysqldump.test ++@@ -3033,3 +3033,44 @@ drop view `v'1"2`; # "' ++ drop table t1; ++ ++ --echo # End of 10.5 tests +++ +++--echo # +++--echo # MDEV-37483 mariadb-dump -T doesn't convert table names +++--echo # +++create database foo; +++use foo; +++ +++create table `con_schöne_grüße` (a int) select 1 as a; +++create table `con` (b int) select 2 as b; +++create table `con/bar` (c int) select 3 as c; +++create table `con@fame` (d int) select 4 as d; +++exec $MYSQL_DUMP foo --tab $MYSQLTEST_VARDIR/tmp; +++drop database foo; +++use test; +++move_file $MYSQLTEST_VARDIR/tmp/con@0040fame.sql $MYSQLTEST_VARDIR/tmp/con@fame.sql; +++move_file $MYSQLTEST_VARDIR/tmp/con@0040fame.txt $MYSQLTEST_VARDIR/tmp/con@fame.txt; +++list_files $MYSQLTEST_VARDIR/tmp con*; +++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@@@.sql; +++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@002fbar.sql; +++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con_sch@1ine_gr@1o@1je.sql; +++exec $MYSQL test < $MYSQLTEST_VARDIR/tmp/con@fame.sql; +++show tables; +++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@@@.txt; +++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@002fbar.txt; +++if (`select @@version like '10.6.%'`) { +++# utf8 console output on Windows is fixed in MDEV-26713, until then +++--disable_result_log +++} +++exec $MYSQL_IMPORT --default-character-set=utf8mb4 test $MYSQLTEST_VARDIR/tmp/con_sch@1ine_gr@1o@1je.txt; +++--enable_result_log +++exec $MYSQL_IMPORT test $MYSQLTEST_VARDIR/tmp/con@fame.txt; +++select * from `con_schöne_grüße`; +++select * from `con`; +++select * from `con/bar`; +++select * from `con@fame`; +++drop table `con_schöne_grüße`; +++drop table `con`; +++drop table `con/bar`; +++drop table `con@fame`; +++ +++--echo # End of 10.6 tests + +--- a/mariadb.spec ++++ b/mariadb.spec +@@ -226,6 +226,8 @@ Patch10: %{pkgnamepatch}-ssl-cipher-tests.patch + # Patch14: make MTR port calculation reasonably predictable + Patch14: %{pkgnamepatch}-mtr.patch + ++Patch18: CVE-2025-13699.patch ++ + BuildRequires: make + BuildRequires: cmake gcc-c++ + BuildRequires: multilib-rpm-config +@@ -757,6 +759,7 @@ rm -r storage/rocksdb/ + # Keeping the patch commented out, need to revisit + # once the test is re-enabled by upstream in some future release + #%%patch10 -p1 ++%patch18 -p1 + + # generate a list of tests that fail, but are not disabled by upstream + cat %{SOURCE50} | tee -a mysql-test/unstable-tests + diff --git a/mariadb.spec b/mariadb.spec index 86bf5384adfcef90825b3e458c1cd7b3f0a9a0aa..8264f4d976d97cf3e9685df3aee2e3cefaac4bec 100644 --- a/mariadb.spec +++ b/mariadb.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %undefine __cmake_in_source_build # Prefix that is used for patches @@ -99,6 +99,7 @@ Patch7: %{pkgnamepatch}-scripts.patch Patch9: %{pkgnamepatch}-ownsetup.patch Patch10: %{pkgnamepatch}-ssl-cipher-tests.patch Patch11: %{pkgnamepatch}-pcdir.patch +Patch18: CVE-2025-13699.patch BuildRequires: make BuildRequires: cmake gcc-c++ @@ -627,6 +628,7 @@ rm -r storage/rocksdb/ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch18 -p1 # generate a list of tests that fail, but are not disabled by upstream cat %{SOURCE50} | tee -a mysql-test/unstable-tests @@ -1496,6 +1498,9 @@ fi %doc CONTRIBUTING.md CREDITS KNOWN_BUGS.txt README.md VERSION THIRDPARTY %changelog +* Thu Jan 29 2026 wenjie2025 - 3:10.6.22-3 +- Add CVE-2025-13699.patch to fix security vulnerability + * Fri Jun 13 2025 Shangtong Guo - 3:10.6.22-2 - add support for riscv64