[debian-mysql] Bug#1053476: Bug#1053476: galera-3: CVE-2023-5157

Salvatore Bonaccorso carnil at debian.org
Mon Nov 20 06:17:21 GMT 2023


Hi Adrian,

On Sun, Nov 19, 2023 at 11:10:04PM +0200, Adrian Bunk wrote:
> On Thu, Oct 05, 2023 at 09:38:00PM +0200, Salvatore Bonaccorso wrote:
> > Hi Otto,
> > 
> > Thanks for the quick followup.
> > 
> > On Wed, Oct 04, 2023 at 08:59:31PM -0700, Otto Kekäläinen wrote:
> > > Thanks for reporting this Salvatore!
> > > 
> > > Are you aware of what plans upstream has?
> > 
> > We are not, basically we require your help for this report for
> > assessing the issue.
> > 
> > > The Jira MDEV-25068 was fixed in Galera 26.4.12
> > > (https://releases.galeracluster.com/galera-4.12/release-notes-galera-26.4.12.txt)
> > > in 2022. i don't see any commits on
> > > https://github.com/codership/galera/commits/3.x since 2022. i will
> > > keep an eye for new upstream releases.
> > > 
> > > I can also review/merge for all Debian and Ubuntu releases still in
> > > maintenance a patch if somebody wants to submit a Debian-specific fix
> > > at https://salsa.debian.org/mariadb-team/galera-3/-/merge_requests. On
> > > a quick look I did not find the 26.4.12 fix
> > > (https://github.com/search?q=repo%3Acodership%2Fgalera+MDEV-25068&type=commits)
> > > so I am not aware of any specific commit nor if it can be backported
> > > to 25.3.37
> > 
> > Do you have a good upstream contact which you could reach out to ask
> > on more details, references to fixes, etc on the issue?
> 
> I looked at it for LTS and galera-3 is not affected:
> 
> The upstream fix for MDEV-25068 is
> https://github.com/codership/galera/commit/930c016108d7086b472ad7a8b9d0f6989202b48a
> (26.4.12)
> 
> This is in code that was introduced in
> https://github.com/codership/galera/commit/c27596d06a221f6c14d36759c681149964008749
> (26.4.8) which was not backported to galera-3.
> 
> The introducing commit merged assign_local_addr() and assign_remote_addr()
> into assign_addresses().
> 
> The fix is to catch the error when assign_addresses() throws asio::system_error.
> 
> The two callsites of assign_local_addr/assign_remote_addr in the old code
> in gcomm/src/asio_tcp.cpp are already (in 26.4.7 and 25.3.37):
>   try
>   {
>     ...
>     assign_local_addr()
>     assign_remote_addr()
>     ...
>   }
>   catch (asio::system_error& e)
>   {
>     ...
>   }

Thanks for the analysis of the issue.

Regards,
Salvatore



More information about the pkg-mysql-maint mailing list