[AUTO-CHERRYPICK] Switched mysql to use AZL's version of protobuf to fix CVE-2024-2410. - branch 3.0-dev (#10893)

CBL-Mariner-Bot · PawelWMS · web-flow · commit bc236a19f259 · 2024-10-30T18:20:33.000-04:00
Co-authored-by: Pawel Winogrodzki &lt;pawelwi@microsoft.com&gt;
diff --git a/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch b/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch
@@ -0,0 +1,52 @@
+From 540814076995de6bcb119a68fa4cce9e7214b3c0 Mon Sep 17 00:00:00 2001
+From: Pawel Winogrodzki <pawelwi@microsoft.com>
+Date: Tue, 29 Oct 2024 15:37:51 -0700
+Subject: [PATCH] Remove ciphers unsupported by AZL.
+
+---
+ .../src/harness/tests/test_tls_server_context.cc  | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/router/src/harness/tests/test_tls_server_context.cc b/router/src/harness/tests/test_tls_server_context.cc
+index 57859357..e7edb4fa 100644
+--- a/router/src/harness/tests/test_tls_server_context.cc
++++ b/router/src/harness/tests/test_tls_server_context.cc
+@@ -93,7 +93,6 @@ static const std::string acceptable_ciphers_test_data[] = {
+     // TLSv1.3
+     {"TLS_AES_128_GCM_SHA256"},
+     {"TLS_AES_256_GCM_SHA384"},
+-    {"TLS_CHACHA20_POLY1305_SHA256"},
+ #if 0  // embedded
+     {"TLS_AES_128_CCM_SHA256"},
+ #endif
+@@ -102,11 +101,6 @@ static const std::string acceptable_ciphers_test_data[] = {
+     {"ECDHE-RSA-AES256-GCM-SHA384"},
+     {"DHE-RSA-AES128-GCM-SHA256"},
+     {"DHE-RSA-AES256-GCM-SHA384"},
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
+-    {"ECDHE-ECDSA-CHACHA20-POLY1305"},
+-    {"ECDHE-RSA-CHACHA20-POLY1305"},
+-    {"DHE-RSA-CHACHA20-POLY1305"},
+-#endif
+ #if 0  // embedded
+     {"ECDHE-ECDSA-AES256-CCM"},
+     {"ECDHE-ECDSA-AES128-CCM"},
+@@ -336,7 +330,14 @@ static const std::string unacceptable_ciphers_test_data[] = {
+     {"ECDH-ECDSA-DES-CBC3-SHA"},
+     {"ECDHE-RSA-DES-CBC3-SHA"},
+     {"ECDHE-ECDSA-DES-CBC3-SHA"},
+-    {"DES-CBC3-SHA"},
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
++    {"TLS_CHACHA20_POLY1305_SHA256"},
++#endif
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
++    {"ECDHE-ECDSA-CHACHA20-POLY1305"},
++    {"ECDHE-RSA-CHACHA20-POLY1305"},
++    {"DHE-RSA-CHACHA20-POLY1305"},
++#endif
+ };
+ 
+ INSTANTIATE_TEST_SUITE_P(CiphersUnacceptableParam, CiphersUnacceptable,
+-- 
+2.34.1
+
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
@@ -1,19 +1,29 @@
+%define majmin %(echo %{version} | cut -d. -f1-2)
+
 Summary:        MySQL.
 Name:           mysql
 Version:        8.0.40
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Databases
 URL:            https://www.mysql.com
-Source0:        https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
+Source0:        https://dev.mysql.com/get/Downloads/MySQL-%{majmin}/%{name}-boost-%{version}.tar.gz
 Patch0:         CVE-2012-5627.nopatch
+# AZL's OpenSSL builds with the "no-chacha" option making all ChaCha
+# ciphers unavailable.
+Patch1:         fix-tests-for-unsupported-chacha-ciphers.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
+BuildRequires:  protobuf-devel
 BuildRequires:  rpcsvc-proto-devel
 BuildRequires:  zlib-devel
+%if 0%{?with_check}
+BuildRequires:  shadow-utils
+BuildRequires:  sudo
+%endif
 
 %description
 MySQL is a free, widely used SQL engine. It can be used as a fast database as well as a rock-solid DBMS using a modular engine architecture.
@@ -28,10 +38,15 @@ Development headers for developing applications linking to maridb
 %prep
 %autosetup -p1
 
+# Remove unused, bundled version of protobuf.
+# We're building with the '-DWITH_PROTOBUF=system' option.
+rm -r extra/protobuf
+
 %build
 cmake . \
       -DCMAKE_INSTALL_PREFIX=%{_prefix}   \
       -DWITH_BOOST=boost/boost_1_77_0 \
+      -DWITH_PROTOBUF=system \
       -DINSTALL_MANDIR=share/man \
       -DINSTALL_DOCDIR=share/doc \
       -DINSTALL_DOCREADMEDIR=share/doc \
@@ -48,7 +63,13 @@ make %{?_smp_mflags}
 make DESTDIR=%{buildroot} install
 
 %check
-make test
+# Tests expect to be run as a non-root user.
+groupadd test
+useradd test -g test -m
+chown -R test:test .
+
+# In case of failure, print the test log.
+sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; }
 
 %files
 %defattr(-,root,root)
@@ -58,7 +79,6 @@ make test
 %{_libdir}/*.so.*
 %{_libdir}/mysqlrouter/*.so*
 %{_libdir}/mysqlrouter/private/*.so*
-%{_libdir}/private/*.so*
 %{_bindir}/*
 %{_mandir}/man1/*
 %{_mandir}/man8/*
@@ -83,6 +103,9 @@ make test
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Mon Oct 28 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.0.40-2
+- Switch to ALZ version of protobuf instead of using the bundled one.
+
 * Fri Oct 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 8.0.40-1
 - Auto-upgrade to 8.0.40 - Fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
   CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
