Patch mariadb for CVE-2023-52971[Medium] and Bug 51837515: Fix mariadb package installation broken and import spec from Fedora (#13271)

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>

Author: mayankfz

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -887,6 +887,7 @@
                 "man-pages-ru",
                 "man-pages-zh-CN",
                 "mandoc",
+                "mariadb",
                 "mariadb-connector-c",
                 "mariadb-connector-odbc",
                 "marisa",
@@ -2900,7 +2901,6 @@
                 "make",
                 "man-db",
                 "man-pages",
-                "mariadb",
                 "maven",
                 "mc",
                 "mercurial",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -0,0 +1,157 @@
+From a9b6bf9fa83604ac13e921c150a2806a64d23f92 Mon Sep 17 00:00:00 2001
+From: Mayank Singh <mayansingh@microsoft.com>
+Date: Mon, 5 May 2025 09:20:46 +0000
+Subject: [PATCH] Address CVE-2023-52971
+Upstream Reference Link: https://github.com/MariaDB/server/commit/3b4de4c281cb3e33e6d3ee9537e542bf0a84b83e
+
+---
+ mysql-test/main/join_nested.result      | 12 +++++
+ mysql-test/main/join_nested.test        | 13 ++++++
+ mysql-test/main/join_nested_jcl6.result | 12 +++++
+ sql/sql_select.cc                       | 58 +++++++++++++++++++++++--
+ 4 files changed, 91 insertions(+), 4 deletions(-)
+
+diff --git a/mysql-test/main/join_nested.result b/mysql-test/main/join_nested.result
+index cb9dffc8..56468518 100644
+--- a/mysql-test/main/join_nested.result
++++ b/mysql-test/main/join_nested.result
+@@ -2051,3 +2051,15 @@ a	b	c	a	a	b
+ DROP TABLE t1, t2, t3;
+ set join_cache_level= @save_join_cache_level;
+ # end of 10.3 tests
++#
++# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release
++#
++CREATE TABLE t1 (i int);
++INSERT INTO t1 values (1),(2);
++SELECT 1 FROM  t1 WHERE i IN
++(SELECT 1 FROM t1 c
++LEFT JOIN  (t1 a LEFT JOIN t1 b ON t1.i = b.i)  ON c.i = t1.i);
++1
++1
++DROP TABLE t1;
++# end of 10.11 tests
+diff --git a/mysql-test/main/join_nested.test b/mysql-test/main/join_nested.test
+index ed1fe4c9..62370b95 100644
+--- a/mysql-test/main/join_nested.test
++++ b/mysql-test/main/join_nested.test
+@@ -1458,3 +1458,16 @@ DROP TABLE t1, t2, t3;
+ set join_cache_level= @save_join_cache_level;
+ 
+ --echo # end of 10.3 tests
++
++--echo #
++--echo # MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release
++--echo #
++CREATE TABLE t1 (i int);
++INSERT INTO t1 values (1),(2);
++
++SELECT 1 FROM  t1 WHERE i IN
++  (SELECT 1 FROM t1 c
++    LEFT JOIN  (t1 a LEFT JOIN t1 b ON t1.i = b.i)  ON c.i = t1.i);
++
++DROP TABLE t1;
++--echo # end of 10.11 tests
+diff --git a/mysql-test/main/join_nested_jcl6.result b/mysql-test/main/join_nested_jcl6.result
+index 0bda8d43..50a1e83a 100644
+--- a/mysql-test/main/join_nested_jcl6.result
++++ b/mysql-test/main/join_nested_jcl6.result
+@@ -2060,6 +2060,18 @@ a	b	c	a	a	b
+ DROP TABLE t1, t2, t3;
+ set join_cache_level= @save_join_cache_level;
+ # end of 10.3 tests
++#
++# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release
++#
++CREATE TABLE t1 (i int);
++INSERT INTO t1 values (1),(2);
++SELECT 1 FROM  t1 WHERE i IN
++(SELECT 1 FROM t1 c
++LEFT JOIN  (t1 a LEFT JOIN t1 b ON t1.i = b.i)  ON c.i = t1.i);
++1
++1
++DROP TABLE t1;
++# end of 10.11 tests
+ CREATE TABLE t5 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b));
+ CREATE TABLE t6 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b));
+ CREATE TABLE t7 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b));
+diff --git a/sql/sql_select.cc b/sql/sql_select.cc
+index b88e8b4c..b8e15264 100644
+--- a/sql/sql_select.cc
++++ b/sql/sql_select.cc
+@@ -18544,6 +18544,8 @@ simplify_joins(JOIN *join, List<TABLE_LIST> *join_list, COND *conds, bool top,
+         prev_table->dep_tables|= used_tables;
+       if (prev_table->on_expr)
+       {
++        /* If the ON expression is still there, it's an outer join */
++        DBUG_ASSERT(prev_table->outer_join);
+         prev_table->dep_tables|= table->on_expr_dep_tables;
+         table_map prev_used_tables= prev_table->nested_join ?
+ 	                            prev_table->nested_join->used_tables :
+@@ -18558,11 +18560,59 @@ simplify_joins(JOIN *join, List<TABLE_LIST> *join_list, COND *conds, bool top,
+           prevents update of inner table dependences.
+           For example it might happen if RAND() function
+           is used in JOIN ON clause.
+-	*/  
+-        if (!((prev_table->on_expr->used_tables() &
+-               ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT)) &
+-              ~prev_used_tables))
++	*/
++        table_map prev_on_expr_deps= prev_table->on_expr->used_tables() &
++                                     ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT);
++        prev_on_expr_deps&= ~prev_used_tables;
++
++        if (!prev_on_expr_deps)
+           prev_table->dep_tables|= used_tables;
++        else
++        {
++          /*
++            Another possible case is when prev_on_expr_deps!=0 but it depends
++            on a table outside this join nest. SQL name resolution don't allow
++            this but it is possible when LEFT JOIN is inside a subquery which
++            is converted into a semi-join nest, Example:
++
++              t1 SEMI JOIN (
++                t2
++                LEFT JOIN (t3 LEFT JOIN t4 ON t4.col=t1.col) ON expr
++              ) ON ...
++
++            here, we would have prev_table=t4, table=t3.  The condition
++            "ON t4.col=t1.col" depends on tables {t1, t4}. To make sure the
++            optimizer puts t3 before t4 we need to make sure t4.dep_tables
++            includes t3.
++          */
++
++          DBUG_ASSERT(table->embedding == prev_table->embedding);
++          if (table->embedding)
++          {
++            /*
++              Find what are the "peers" of "table" in the join nest. Normally,
++              it is table->embedding->nested_join->used_tables, but here we are
++              in the process of recomputing that value.
++              So, we walk the join list and collect the bitmap of peers:
++            */
++            table_map peers= 0;
++            List_iterator_fast<TABLE_LIST> li(*join_list);
++            TABLE_LIST *peer;
++            while ((peer= li++))
++            {
++              table_map curmap= peer->nested_join
++                                    ? peer->nested_join->used_tables
++                                    : peer->get_map();
++              peers|= curmap;
++            }
++            /*
++              If prev_table doesn't depend on any of its peers, add a
++              dependency on nearest peer, that is, on 'table'.
++            */
++            if (!(prev_on_expr_deps & peers))
++              prev_table->dep_tables|= used_tables;
++          }
++        }
+       }
+     }
+     prev_table= table;
+-- 
+2.45.3
+

SPECS/mariadb/CVE-2023-52971.patch

@@ -0,0 +1,27 @@
+Copyright (c) 2012-2014, Olaf van Zandwijk
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+   may be used to endorse or promote products derived from this software without
+   specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

SPECS/mariadb/LICENSE.clustercheck

@@ -0,0 +1,9 @@
+MariaDB haven't yet made a document package available for offline.
+
+You can create your own copy with the instructions here:
+
+https://mariadb.com/kb/en/meta/mirroring-the-mariadb-knowledge-base/
+
+You can find view the on-line documentation at:
+
+https://mariadb.com/kb/en/documentation/

SPECS/mariadb/README.mariadb-docs

@@ -0,0 +1,3 @@
+# mariadb10.11
+
+The mariadb10.11 package

SPECS/mariadb/README.md

@@ -0,0 +1,132 @@
+socat tunnel for encrypted rsync SST
+====================================
+
+`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
+implementation that ships with mariadb. Its purpose is to encrypt
+communication between the donor and the joiner during an SST.
+
+Encryption is implemented by means of a socat tunnel, using OPENSSL
+addresses. It can be configured via the regular openssl flags exposed
+by socat.
+
+
+## How to configure the script
+
+This SST script can configured by setting a few keys in your favorite
+mariadb option file in addition to the usual galera settings.
+
+    [mysqld]
+    ...
+    bind_address=<node-name>
+    wsrep_sst_method=rsync_tunnel
+    ...
+    
+    [sst]
+    tca=/path/to/your/ca-file.crt
+    tcert=/path/to/node/certificate.crt
+    tkey=/path/to/node/key.key
+    sockopt=<openssl-address-options-as-per-socat-manual>
+
+When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
+socat to listen to incoming SSL connections on port 4444 in lieu of
+the original rsync daemon. Received data will be forwarded to the
+rscynd daemon started locally to replicate the database.
+
+When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
+a series of rsync calls that target a locally started socat daemon.
+The daemon tunnels all rsync traffic into an encrypted SSL connection
+that targets the joiner's end of the socat tunnel.
+
+Encryption parameters are specified under the `[sst]` group in the
+mariadb option file, where `tkey` and `tcert` are respectively the key
+and the certificate that are used by both sides of the socat tunnel.
+Each node typically has a different key and cert. Both key and
+certificate can be combined into a single PEM file and referenced by
+`tcert`. Option `tca` holds a list of the trusted signing
+certificates.
+
+In case you need to tweak the creation of the SSL connection, you can
+pass valid socat options (as per socat manual) via the `sockopt` key.
+For debugging purpose, the exact socat command that is being executed
+shows up in the mariadb log file.
+
+Note that socat verifies that the certificate's commonName matches
+that of the host that is being targeted. The target name comes from
+the value configured in `bind_address`, so it's important that it
+matches the certificate's commonName. An IP address can be used for
+`bind_address`, but you may get into trouble in case different
+hostnames resolve to the same IP (e.g. multiple networks per host).
+
+
+## Examples of use
+
+Suppose you're running a 3-node galera cluster
+`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
+
+### Scenario: using self-signed certificates
+
+On each node, create a key and a certificate, and bundle them into a
+single PEM file. For instance on `node1.my.cluster`:
+
+    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
+    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
+    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
+
+Then, on each node, create a cafile that will contain all the certs to
+trust:
+
+    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
+       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
+    done
+
+Once you have those two files on each host, you can configure the SST
+appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+
+### Scenario: using self-signed certificates, without verification
+
+By default, when socat tries to establish a SSL connection to a peer,
+it also verifies that it can trust the peer's certificate. If for some
+reason you need to disable that feature, you can amend the previous
+configuration with a sockopt option:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+    sockopt="verify=0"
+
+The associated sockopt value is passed to socat when
+the donor or the joiner configures his part of the tunnel.
+
+Note: please do not do so in production, this is inherently insecure
+as you will not verify the identity of the peer you're connecting to!
+
+### Scenario: using certificates from a CA
+
+Suppose you have a FreeIPA service which generated a key file and a
+certificate file for the three galera nodes, respectively located at
+/tls/mysql.key and /tls/mysql.crt.
+
+Assuming that the certificate for the FreeIPA server is available at
+/etc/ipa/ca.crt, you can configure you galera servers as follows:
+
+    [sst]
+    tca=/etc/ipa/ca.crt
+    tcert=/tls/mysql.crt
+    tkey=/tls/mysql.key
+
+## License
+
+Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
+This work is derived from the original `wsrep_rsync_sst`, copyright
+© 2010-2014 [Codership Oy](https://github.com/codership).
+Released under the GNU GPLv2.