Bug 227621 - databases/mysql57-server: Update to 5.7.22 fixes multiple CVE
Summary: databases/mysql57-server: Update to 5.7.22 fixes multiple CVE
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Mahdi Mokhtari
URL: http://www.oracle.com/technetwork/sec...
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-04-18 21:24 UTC by Markus Kohlmeyer
Modified: 2018-05-06 16:03 UTC (History)
1 user (show)

See Also:
mmokhi: maintainer-feedback+


Attachments
pourdiere testport output showing build failure (328.30 KB, text/plain)
2018-04-22 15:19 UTC, John W. O'Brien
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Kohlmeyer 2018-04-18 21:24:21 UTC
Oracle released MySQL 5.7.22 which fixes multiple CVEs
Comment 1 commit-hook freebsd_committer 2018-04-20 10:48:34 UTC
A commit references this bug:

Author: mmokhi
Date: Fri Apr 20 10:47:55 UTC 2018
New revision: 467819
URL: https://svnweb.freebsd.org/changeset/ports/467819

Log:
  mysql57-{client, server}: Update port to 5.7.22
  This update includes fixes for multiple CVEs including:
      CVE-2018-2755 in replication component, MySQL protocol
      CVE-2018-2805 in GIS extention
      CVE-2018-2782 in InnoDB
      and more info on http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL

  PR:		227621
  Reported by:	Markus Kohlmeyer <rootservice@gmail.com>
  Sponsored by:	Netzkommune GmbH

Changes:
  head/databases/mysql57-client/Makefile
  head/databases/mysql57-server/Makefile
  head/databases/mysql57-server/distinfo
  head/databases/mysql57-server/pkg-plist
Comment 2 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-20 10:49:47 UTC
Thanks committed.
Comment 3 John W. O'Brien 2018-04-21 18:57:19 UTC
I'm having trouble building MySQL since the upgrade to 5.7.22. Please let me know if you'd like me to open a new bug for this.

The error is

/usr/local/libexec/ccache/c++ -fPIC -O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing  -isystem /usr/local/include -Wall -Wextra -Wformat-security -Wvla -Woverloaded-virtual -Wno-unused-parameter -Wno-null-conversion -Wno-unused-private-field -O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing  -isystem /usr/local/include -DDBUG_OFF -fPIC -O2 -pipe  -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -L/usr/local/lib    -Wl,-rpath,/usr/local/lib -fstack-protector -shared  -o authentication_ldap_sasl_client.so CMakeFiles/authentication_ldap_sasl_client.dir/auth_ldap_sasl_client.cc.o CMakeFiles/authentication_ldap_sasl_client.dir/log_client.cc.o -pthread -L/usr/local/lib -R/usr/local/lib -lsasl2 
c++: error: unknown argument: '-R/usr/local/lib'
*** Error code 1

The offending hunk appears to be 

--- mysql-5.7.21/libmysql/authentication_ldap/CMakeLists.txt    2017-12-27 22:46:26.
000000000 -0500
+++ mysql-5.7.22/libmysql/authentication_ldap/CMakeLists.txt    2018-03-04 08:40:40.
000000000 -0500
@@ -48,7 +53,9 @@
 # IF someone like can build the cyrus sasl library on windows and build LDAP authen
tication sasl client as well.
 IF (CMAKE_SYSTEM_NAME MATCHES "SunOS")
   SET(SASL_LIBRARY "sasl")
-ELSE ()
+ELSEIF(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+  SET(SASL_LIBRARY "-L/usr/local/lib -R/usr/local/lib -lsasl2")
+ELSE()
   SET(SASL_LIBRARY "sasl2")
 ENDIF ()
Comment 4 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-22 10:45:49 UTC
(In reply to John W. O'Brien from comment #3)
Thanks for reporting.
I already tested it and haven't seen the mismatch. gonna look at it deeper.

About your question for new PR, I think it's fine, We can track the issue here :D
Comment 5 John W. O'Brien 2018-04-22 15:19:01 UTC
Created attachment 192730 [details]
pourdiere testport output showing build failure

(In reply to Mahdi Mokhtari from comment #4)
Thank you.

Here is the full testport output from my system.

Let me know what other information I could provide to help narrow it down. FWIW, I located the full upstream patch, though I don't what what the bug number in the summary references.

https://github.com/mysql/mysql-server/commit/4bae6fe90b3d2514ffc3386442db73af613bedc1
Comment 6 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-22 15:30:59 UTC
(In reply to John W. O'Brien from comment #5)
Thanks for the build-log.
I was to write the hunk you pasted isn't in our patch-set anymore because it was merged to upstream (and this part was existing in CMake-script from older releases).
Anyway, I tried the build with all different options on 11.x and CURRENT, and comparing it to your build-log I see maybe it's something 10.4-related.
(as you can check my log here: https://dpaste.de/BwCN#L2039 it uses the -R flag without any problems on 11.1 `:D).

I'll play with it more (and I'd appreciate if you can also do a clean-env build on 10.4 as well, if it's not already and clean-env ``:D).
I'll update you on any discoveries ASASP :D
Comment 7 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-22 15:40:17 UTC
Ok, yes.
With a new fresh 10.4 jail setup, I confirm the issue exist on 10.4 (and only on that :D).
I'll try to patch it :)
Comment 8 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-22 16:25:23 UTC
Fixed in r468035 :)
thanks for reporting :)

[I close it, but feel free to re-open it in case there was issue regarding this].
Comment 9 commit-hook freebsd_committer 2018-05-06 16:03:48 UTC
A commit references this bug:

Author: mmokhi
Date: Sun May  6 16:03:05 UTC 2018
New revision: 469236
URL: https://svnweb.freebsd.org/changeset/ports/469236

Log:
  MFH: r467819 r468035

  mysql57-{client, server}: Update port to 5.7.22
  This update includes fixes for multiple CVEs including:
      CVE-2018-2755 in replication component, MySQL protocol
      CVE-2018-2805 in GIS extention
      CVE-2018-2782 in InnoDB
      and more info on http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL

  PR:		227621
  Reported by:	Markus Kohlmeyer <rootservice@gmail.com>
  Sponsored by:	Netzkommune GmbH

  databases/mysql57-client: Fix build with 10.x default compiler/linker
  The upstream seems merged our local-patches but
  added a -R flag to its `c++` [actually ld] command.
  The -R $DIR is like -rpath on 11.x and CURRENT bases but not on 10.x
  We then use -rpath to make sure it works on all supported bases.

  Reported by:	John W. O'Brien <john@saltant.com>
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2018Q2/
  branches/2018Q2/databases/mysql57-client/Makefile
  branches/2018Q2/databases/mysql57-client/files/patch-libmysql_authentication__ldap_CMakeLists.txt
  branches/2018Q2/databases/mysql57-server/Makefile
  branches/2018Q2/databases/mysql57-server/distinfo
  branches/2018Q2/databases/mysql57-server/pkg-plist