From 34b095fab607a5eb73c02097c42b2e20e45ec8db Mon Sep 17 00:00:00 2001
From: BinduSri-6522866
Date: Tue, 30 Dec 2025 04:48:49 +0000
Subject: [PATCH 1/3] Upgrade mariadb to 10.11.15 for CVE-2025-13699
---
 SPECS/mariadb/CVE-2023-52971.patch | 157 --------------------------
 SPECS/mariadb/mariadb.signatures.json | 4 +-
 SPECS/mariadb/mariadb.spec | 12 +-
 cgmanifest.json | 4 +-
 4 files changed, 9 insertions(+), 168 deletions(-)
 delete mode 100644 SPECS/mariadb/CVE-2023-52971.patch
diff --git a/SPECS/mariadb/CVE-2023-52971.patch b/SPECS/mariadb/CVE-2023-52971.patch
deleted file mode 100644
index 539898527cf..00000000000
--- a/SPECS/mariadb/CVE-2023-52971.patch
+++ /dev/null
@@ -1,157 +0,0 @@ -From a9b6bf9fa83604ac13e921c150a2806a64d23f92 Mon Sep 17 00:00:00 2001 -From: Mayank Singh -Date: Mon, 5 May 2025 09:20:46 +0000 -Subject: [PATCH] Address CVE-2023-52971 -Upstream Reference Link: https://github.com/MariaDB/server/commit/3b4de4c281cb3e33e6d3ee9537e542bf0a84b83e - ---- - mysql-test/main/join_nested.result | 12 +++++ - mysql-test/main/join_nested.test | 13 ++++++ - mysql-test/main/join_nested_jcl6.result | 12 +++++ - sql/sql_select.cc | 58 +++++++++++++++++++++++-- - 4 files changed, 91 insertions(+), 4 deletions(-) - -diff --git a/mysql-test/main/join_nested.result b/mysql-test/main/join_nested.result -index cb9dffc8..56468518 100644 ---- a/mysql-test/main/join_nested.result -+++ b/mysql-test/main/join_nested.result -@@ -2051,3 +2051,15 @@ a b c a a b - DROP TABLE t1, t2, t3; - set join_cache_level= @save_join_cache_level; - # end of 10.3 tests -+# -+# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release -+# -+CREATE TABLE t1 (i int); -+INSERT INTO t1 values (1),(2); -+SELECT 1 FROM t1 WHERE i IN -+(SELECT 1 FROM t1 c -+LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); -+1 -+1 -+DROP TABLE t1; -+# end of 10.11 tests -diff --git a/mysql-test/main/join_nested.test b/mysql-test/main/join_nested.test -index ed1fe4c9..62370b95 100644 ---- a/mysql-test/main/join_nested.test -+++ b/mysql-test/main/join_nested.test -@@ -1458,3 +1458,16 @@ DROP TABLE t1, t2, t3; - set join_cache_level= @save_join_cache_level; - - --echo # end of 10.3 tests -+ -+--echo # -+--echo # MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release -+--echo # -+CREATE TABLE t1 (i int); -+INSERT INTO t1 values (1),(2); -+ -+SELECT 1 FROM t1 WHERE i IN -+ (SELECT 1 FROM t1 c -+ LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); -+ -+DROP TABLE t1; -+--echo # end of 10.11 tests -diff --git a/mysql-test/main/join_nested_jcl6.result b/mysql-test/main/join_nested_jcl6.result -index 
0bda8d43..50a1e83a 100644 ---- a/mysql-test/main/join_nested_jcl6.result -+++ b/mysql-test/main/join_nested_jcl6.result -@@ -2060,6 +2060,18 @@ a b c a a b - DROP TABLE t1, t2, t3; - set join_cache_level= @save_join_cache_level; - # end of 10.3 tests -+# -+# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release -+# -+CREATE TABLE t1 (i int); -+INSERT INTO t1 values (1),(2); -+SELECT 1 FROM t1 WHERE i IN -+(SELECT 1 FROM t1 c -+LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); -+1 -+1 -+DROP TABLE t1; -+# end of 10.11 tests - CREATE TABLE t5 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); - CREATE TABLE t6 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); - CREATE TABLE t7 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); -diff --git a/sql/sql_select.cc b/sql/sql_select.cc -index b88e8b4c..b8e15264 100644 ---- a/sql/sql_select.cc -+++ b/sql/sql_select.cc -@@ -18544,6 +18544,8 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top, - prev_table->dep_tables|= used_tables; - if (prev_table->on_expr) - { -+ /* If the ON expression is still there, it's an outer join */ -+ DBUG_ASSERT(prev_table->outer_join); - prev_table->dep_tables|= table->on_expr_dep_tables; - table_map prev_used_tables= prev_table->nested_join ? - prev_table->nested_join->used_tables : -@@ -18558,11 +18560,59 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top, - prevents update of inner table dependences. - For example it might happen if RAND() function - is used in JOIN ON clause. 
-- */ -- if (!((prev_table->on_expr->used_tables() & -- ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT)) & -- ~prev_used_tables)) -+ */ -+ table_map prev_on_expr_deps= prev_table->on_expr->used_tables() & -+ ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT); -+ prev_on_expr_deps&= ~prev_used_tables; -+ -+ if (!prev_on_expr_deps) - prev_table->dep_tables|= used_tables; -+ else -+ { -+ /* -+ Another possible case is when prev_on_expr_deps!=0 but it depends -+ on a table outside this join nest. SQL name resolution don't allow -+ this but it is possible when LEFT JOIN is inside a subquery which -+ is converted into a semi-join nest, Example: -+ -+ t1 SEMI JOIN ( -+ t2 -+ LEFT JOIN (t3 LEFT JOIN t4 ON t4.col=t1.col) ON expr -+ ) ON ... -+ -+ here, we would have prev_table=t4, table=t3. The condition -+ "ON t4.col=t1.col" depends on tables {t1, t4}. To make sure the -+ optimizer puts t3 before t4 we need to make sure t4.dep_tables -+ includes t3. -+ */ -+ -+ DBUG_ASSERT(table->embedding == prev_table->embedding); -+ if (table->embedding) -+ { -+ /* -+ Find what are the "peers" of "table" in the join nest. Normally, -+ it is table->embedding->nested_join->used_tables, but here we are -+ in the process of recomputing that value. -+ So, we walk the join list and collect the bitmap of peers: -+ */ -+ table_map peers= 0; -+ List_iterator_fast li(*join_list); -+ TABLE_LIST *peer; -+ while ((peer= li++)) -+ { -+ table_map curmap= peer->nested_join -+ ? peer->nested_join->used_tables -+ : peer->get_map(); -+ peers|= curmap; -+ } -+ /* -+ If prev_table doesn't depend on any of its peers, add a -+ dependency on nearest peer, that is, on 'table'. -+ */ -+ if (!(prev_on_expr_deps & peers)) -+ prev_table->dep_tables|= used_tables; -+ } -+ } - } - } - prev_table= table; --- -2.45.3 - diff --git a/SPECS/mariadb/mariadb.signatures.json b/SPECS/mariadb/mariadb.signatures.json index 2481d68eed7..0ef27ae00fd 100644 --- a/SPECS/mariadb/mariadb.signatures.json +++ b/SPECS/mariadb/mariadb.signatures.json 
@@ -4,7 +4,7 @@ "README.mariadb-docs": "c3c6584dbdc35445014ac48023da59cafc5abc6996859cebb4e357c2f380990f", "README.wsrep_sst_rsync_tunnel": "f121b2f6e804a8aaf01e0c835e62b64a0d0bf6cd922cc1a21897f196f8b0714f", "clustercheck.sh": "4be47a46f99b714bc3681fdf11b09d242dae5e3eb81274b3040a73f9d7800d50", - "mariadb-10.11.11.tar.gz": "14cc0d9d9a7a330231d9ed91ac28f29b502d2f1e7021d81c940280db52bac812", + "mariadb-10.11.15.tar.gz": "6190529d9d047163259967a92095b505df15b39195ea55cdf856314eef4546f5", "mariadb-check-socket.sh": "6d04410549275140f07b89a1dcef99f31cd47751ef9142d14e7898e7cbcff023", "mariadb-check-upgrade.sh": "e49c23e79155d416f7bad292d073213c0beafed99c172a06d909ec3e24ee6e75", "mariadb-prepare-db-dir.sh": "ff8d2e719f6db158eda0acb58a9d84b43c959baf0d2a8f4d9ce7a62f13af36d0", @@ -21,4 +21,4 @@ "rh-skipped-tests-s390.list": "5e826f9f3cc920c0fe67434fd32b25a205d6a8530552e998edb376c4661b59f3", "wsrep_sst_rsync_tunnel": "5194ed1971d0afe8d2836c1d143263f6891311c9ac0fae536b866f2a885d056e" } -} +} \ No newline at end of file diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index 2c115a681f9..f163fa97f00 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -1,8 +1,5 @@ # Plain package name for cases, where %%{name} differs (e.g. for versioned packages) %global majorname mariadb -%define package_version 10.11.11 -%define majorversion %(echo %{package_version} | cut -d'.' -f1-2 ) - %define _vpath_builddir . @@ -132,7 +129,7 @@ %global sameevr %{epoch}:%{version}-%{release} Name: %{majorname} -Version: %{package_version} +Version: 10.11.15 Release: 1%{?dist} Epoch: 3 @@ -201,7 +198,6 @@ Patch12: rocksdb-6.8-gcc13.patch Patch13: %{majorname}-libfmt.patch # Patch14: make MTR port calculation reasonably predictable Patch14: %{majorname}-mtr.patch -Patch15: CVE-2023-52971.patch %global pkgname %{majorname} 
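Review bot: Dropping `Patch15: CVE-2023-52971.patch` in the `@@ -201,7 +198,6 @@` hunk (with the matching `%patch -P15 -p1` removal at `@@ -823,7 +819,6 @@`) leaves no record of why the backport is no longer needed. The deleted patch cites upstream commit 3b4de4c281cb3e33e6d3ee9537e542bf0a84b83e; presumably the 10.11.15 tarball already contains it, but neither the commit message nor the new changelog entry says so, and CVE tracking that keys on patch file names or changelog text may then stop showing CVE-2023-52971 as addressed. I would add a changelog line such as `- Remove CVE-2023-52971.patch, fix is included in the upstream source` after confirming the fix is present in the 10.11.15 source, for example by checking that the MDEV-32084 test case exists in mysql-test/main/join_nested.test.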
@@ -823,7 +819,6 @@ rm -r storage/rocksdb/ %endif %patch -P14 -p1 -%patch -P15 -p1 # generate a list of tests that fail, but are not disabled by upstream cat %{SOURCE50} | tee -a mysql-test/unstable-tests @@ -1487,7 +1482,7 @@ fi %{_mandir}/man1/galera_recovery.1* %config(noreplace) %{_sysconfdir}/my.cnf.d/galera.cnf %attr(0640,root,root) %ghost %config(noreplace) %{_sysconfdir}/sysconfig/clustercheck -#%{_datadir}/selinux/packages/targeted/%{majorname}-server-galera.pp +#%%{_datadir}/selinux/packages/targeted/%%{majorname}-server-galera.pp %endif %files -n %{pkgname}-server @@ -1772,6 +1767,9 @@ fi %endif %changelog +* Mon Dec 29 2025 BinduSri Adabala - 10.11.15-1 +- Upgrade to 10.11.15 for CVE-2025-13699 + * Fri Apr 04 2025 Mayank Singh - 10.11.11-1 - Initial Azure Linux import from Fedora 42 (license: MIT). - License verified diff --git a/cgmanifest.json b/cgmanifest.json index 27d7c253972..1a8d24f719d 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -12961,8 +12961,8 @@ "type": "other", "other": { "name": "mariadb", - "version": "10.11.11", - "downloadUrl": "https://downloads.mariadb.org/interstitial/mariadb-10.11.11/source/mariadb-10.11.11.tar.gz" + "version": "10.11.15", + "downloadUrl": "https://downloads.mariadb.org/interstitial/mariadb-10.11.15/source/mariadb-10.11.15.tar.gz" } } }, From e219f12855075babb8af1fe194cc3628df9e0851 Mon Sep 17 00:00:00 2001 From: BinduSri-6522866 Date: Tue, 30 Dec 2025 11:15:42 +0000 Subject: [PATCH 2/3] address review comment --- SPECS/mariadb/mariadb.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index f163fa97f00..d944420c7c5 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -128,7 +128,7 @@ # Make long macros shorter %global sameevr %{epoch}:%{version}-%{release} -Name: %{majorname} +Name: mariadb Version: 10.11.15 Release: 1%{?dist} Epoch: 3 
@@ -1482,7 +1482,7 @@ fi %{_mandir}/man1/galera_recovery.1* %config(noreplace) %{_sysconfdir}/my.cnf.d/galera.cnf %attr(0640,root,root) %ghost %config(noreplace) %{_sysconfdir}/sysconfig/clustercheck -#%%{_datadir}/selinux/packages/targeted/%%{majorname}-server-galera.pp +#%{_datadir}/selinux/packages/targeted/%{majorname}-server-galera.pp %endif %files -n %{pkgname}-server From e92cc433c85e2447e53b03795c35b1ceb89a82c3 Mon Sep 17 00:00:00 2001 From: Kanishk Bansal Date: Tue, 30 Dec 2025 17:37:53 +0000 Subject: [PATCH 3/3] revert the macros --- SPECS/mariadb/mariadb.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index d944420c7c5..ad8e7bcf0b7 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -1,5 +1,7 @@ # Plain package name for cases, where %%{name} differs (e.g. for versioned packages) %global majorname mariadb +%define package_version 10.11.15 +%define majorversion %(echo %{package_version} | cut -d'.' -f1-2 ) %define _vpath_builddir . @@ -128,8 +130,8 @@ # Make long macros shorter %global sameevr %{epoch}:%{version}-%{release} -Name: mariadb -Version: 10.11.15 +Name: %{majorname} +Version: %{package_version} Release: 1%{?dist} Epoch: 3