[Medium] Patch mysql for CVE-2025-0838 and updated patch for CVE-2024-2410 (#15874)

Author: v-aaditya

SPECS/mysql/CVE-2024-2410.patch

@@ -4,18 +4,20 @@ Date: Fri, 13 Oct 2023 15:20:54 -0700
 Subject: [PATCH] Internal change
 
 PiperOrigin-RevId: 573332237
+
+Upstream Patch Reference: https://github.com/protocolbuffers/protobuf/commit/b955165ebdcc5a8ba9c267230d6305f4e3d9c118.patch
 ---
  .../protobuf/io/test_zero_copy_stream.h       | 22 ++++++++++++-------
- src/google/protobuf/json/BUILD.bazel          |  1 +
- src/google/protobuf/json/internal/parser.cc   |  2 +-
- src/google/protobuf/json/json_test.cc         | 20 +++++++++++++++++
+ .../src/google/protobuf/json/BUILD.bazel      |  1 +
+ .../google/protobuf/json/internal/parser.cc   |  2 +-
+ .../src/google/protobuf/json/json_test.cc     | 20 +++++++++++++++++
  4 files changed, 36 insertions(+), 9 deletions(-)
 
-diff --git a/src/google/protobuf/io/test_zero_copy_stream.h b/src/google/protobuf/io/test_zero_copy_stream.h
-index 4c5a06db400e..1a56d7038c96 100644
+diff --git a/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h b/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h
+index db2c87ad..06fb8d84 100644
 --- a/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h
 +++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h
-@@ -9,12 +9,12 @@
+@@ -32,12 +32,12 @@
  #define GOOGLE_PROTOBUF_IO_TEST_ZERO_COPY_STREAM_H__
 
  #include <deque>
@@ -29,7 +31,7 @@ index 4c5a06db400e..1a56d7038c96 100644
  #include "google/protobuf/io/zero_copy_stream.h"
 
  // Must be included last.
-@@ -37,18 +37,22 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+@@ -60,18 +60,22 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
    TestZeroCopyInputStream(const TestZeroCopyInputStream& other)
        : ZeroCopyInputStream(),
          buffers_(other.buffers_),
@@ -55,7 +57,7 @@ index 4c5a06db400e..1a56d7038c96 100644
      buffers_.pop_front();
      *data = last_returned_buffer_->data();
      *size = static_cast<int>(last_returned_buffer_->size());
-@@ -58,19 +62,19 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+@@ -81,19 +85,19 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
 
    void BackUp(int count) override {
      ABSL_CHECK_GE(count, 0) << "count must not be negative";
@@ -78,7 +80,7 @@ index 4c5a06db400e..1a56d7038c96 100644
      while (true) {
        if (count == 0) return true;
        if (buffers_.empty()) return false;
-@@ -96,7 +100,9 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+@@ -119,7 +123,9 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
    // move them to `last_returned_buffer_`. It makes it simpler to keep track of
    // the state of the object. The extra cost is not relevant for testing.
    std::deque<std::string> buffers_;
@@ -89,8 +91,8 @@ index 4c5a06db400e..1a56d7038c96 100644
    int64_t byte_count_ = 0;
  };
 
-diff --git a/src/google/protobuf/json/BUILD.bazel b/src/google/protobuf/json/BUILD.bazel
-index dece74e4d0f0..6ec8184e0e09 100644
+diff --git a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel
+index d6019f93..22c8802a 100644
 --- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel
 +++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel
 @@ -41,6 +41,7 @@ cc_test(
@@ -101,11 +103,11 @@ index dece74e4d0f0..6ec8184e0e09 100644
          "//src/google/protobuf/util:json_format_cc_proto",
          "//src/google/protobuf/util:json_format_proto3_cc_proto",
          "//src/google/protobuf/util:type_resolver_util",
-diff --git a/src/google/protobuf/json/internal/parser.cc b/src/google/protobuf/json/internal/parser.cc
-index 17e8fcc07c42..fbf492afa715 100644
+diff --git a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc
+index af12372d..3cffba52 100644
 --- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc
 +++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc
-@@ -1273,7 +1273,7 @@ absl::Status ParseMessage(JsonLexer& lex, const Desc<Traits>& desc,
+@@ -1296,7 +1296,7 @@ absl::Status ParseMessage(JsonLexer& lex, const Desc<Traits>& desc,
            }
          }
 
@@ -114,27 +116,27 @@ index 17e8fcc07c42..fbf492afa715 100644
        });
  }
  }  // namespace
-diff --git a/src/google/protobuf/json/json_test.cc b/src/google/protobuf/json/json_test.cc
-index 48379ceeb5f9..2ff1e87a90fe 100644
+diff --git a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc
+index 88f7e6d5..c2ba0b8e 100644
 --- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc
 +++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc
-@@ -26,6 +26,7 @@
+@@ -49,6 +49,7 @@
  #include "absl/strings/string_view.h"
  #include "google/protobuf/descriptor_database.h"
  #include "google/protobuf/dynamic_message.h"
 +#include "google/protobuf/io/test_zero_copy_stream.h"
  #include "google/protobuf/io/zero_copy_stream.h"
  #include "google/protobuf/io/zero_copy_stream_impl_lite.h"
  #include "google/protobuf/util/json_format.pb.h"
-@@ -50,6 +51,7 @@ using ::proto3::TestMap;
+@@ -73,6 +74,7 @@ using ::proto3::TestMap;
  using ::proto3::TestMessage;
  using ::proto3::TestOneof;
  using ::proto3::TestWrapper;
 +using ::testing::ContainsRegex;
  using ::testing::ElementsAre;
  using ::testing::IsEmpty;
  using ::testing::Not;
-@@ -1331,6 +1333,24 @@ TEST_P(JsonTest, ClearPreExistingRepeatedInJsonValues) {
+@@ -1354,6 +1356,24 @@ TEST_P(JsonTest, ClearPreExistingRepeatedInJsonValues) {
    EXPECT_THAT(s.fields(), IsEmpty());
  }
 
@@ -159,4 +161,6 @@ index 48379ceeb5f9..2ff1e87a90fe 100644
  }  // namespace
  }  // namespace json
  }  // namespace protobuf
- 
+-- 
+2.45.4
+

SPECS/mysql/CVE-2025-0838.patch

@@ -0,0 +1,178 @@
+From 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Thu, 23 Jan 2025 06:33:43 -0800
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize
+
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+
+The fix is in two parts:
+
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+
+PiperOrigin-RevId: 718841870
+Change-Id: Ic09dc9de140a35dbb45ab9d90f58383cf2de8286
+
+Upstream Patch Reference: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1.patch
+---
+ .../absl/container/internal/raw_hash_set.cc   |  5 +++
+ .../absl/container/internal/raw_hash_set.h    | 36 ++++++++++++++++++-
+ .../container/internal/raw_hash_set_test.cc   |  8 +++++
+ 3 files changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.cc b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.cc
+index 2ff95b61..58a516b6 100644
+--- a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.cc
++++ b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.cc
+@@ -23,6 +23,7 @@
+ #include "absl/base/config.h"
+ #include "absl/base/dynamic_annotations.h"
+ #include "absl/hash/hash.h"
++#include "absl/base/internal/raw_logging.h"
+ 
+ namespace absl {
+ ABSL_NAMESPACE_BEGIN
+@@ -258,6 +259,10 @@ void ClearBackingArray(CommonFields& c, const PolicyFunctions& policy,
+   }
+ }
+ 
++void HashTableSizeOverflow() {
++  ABSL_RAW_LOG(FATAL, "Hash table size overflow");
++}
++
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END
+ }  // namespace absl
+diff --git a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.h b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.h
+index 5f89d8ef..ba2d98d8 100644
+--- a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.h
++++ b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set.h
+@@ -236,6 +236,15 @@ namespace container_internal {
+ #define ABSL_SWISSTABLE_ENABLE_GENERATIONS
+ #endif
+ 
++#ifdef ABSL_SWISSTABLE_ASSERT
++#error ABSL_SWISSTABLE_ASSERT cannot be directly set
++#else
++// We use this macro for assertions that users may see when the table is in an
++// invalid state that sanitizers may help diagnose.
++#define ABSL_SWISSTABLE_ASSERT(CONDITION) \
++  assert((CONDITION) && "Try enabling sanitizers.")
++#endif
++
+ // We use uint8_t so we don't need to worry about padding.
+ using GenerationType = uint8_t;
+ 
+@@ -939,6 +948,9 @@ inline size_t SlotOffset(size_t capacity, size_t slot_align) {
+ // Given the capacity of a table, computes the total size of the backing
+ // array.
+ inline size_t AllocSize(size_t capacity, size_t slot_size, size_t slot_align) {
++  ABSL_SWISSTABLE_ASSERT(
++      slot_size <=
++      ((std::numeric_limits<size_t>::max)() - SlotOffset(capacity, slot_align)) / capacity);
+   return SlotOffset(capacity, slot_align) + capacity * slot_size;
+ }
+ 
+@@ -1076,6 +1088,15 @@ inline size_t NormalizeCapacity(size_t n) {
+   return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+ 
++template <size_t kSlotSize>
++size_t MaxValidCapacity() {
++  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
++                           kSlotSize);
++}
++
++// Use a non-inlined function to avoid code bloat.
++[[noreturn]] void HashTableSizeOverflow();
++
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ //   average of two empty slots per group.
+@@ -1717,6 +1738,10 @@ class raw_hash_set {
+       const allocator_type& alloc = allocator_type())
+       : settings_(CommonFields{}, hash, eq, alloc) {
+     if (bucket_count) {
++      if (ABSL_PREDICT_FALSE(bucket_count >
++                             MaxValidCapacity<sizeof(slot_type)>())) {
++        HashTableSizeOverflow();
++      }
+       common().set_capacity(NormalizeCapacity(bucket_count));
+       initialize_slots();
+     }
+@@ -1916,7 +1941,9 @@ class raw_hash_set {
+   bool empty() const { return !size(); }
+   size_t size() const { return common().size(); }
+   size_t capacity() const { return common().capacity(); }
+-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
++  size_t max_size() const {
++    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
++  }
+ 
+   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+     // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -2266,6 +2293,9 @@ class raw_hash_set {
+     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+     // n == 0 unconditionally rehashes as per the standard.
+     if (n == 0 || m > capacity()) {
++      if (ABSL_PREDICT_FALSE(m > MaxValidCapacity<sizeof(slot_type)>())) {
++        HashTableSizeOverflow();
++      }
+       resize(m);
+ 
+       // This is after resize, to ensure that we have completed the allocation
+@@ -2276,6 +2306,9 @@ class raw_hash_set {
+ 
+   void reserve(size_t n) {
+     if (n > size() + growth_left()) {
++      if (ABSL_PREDICT_FALSE(n > max_size())) {
++        HashTableSizeOverflow();
++      }
+       size_t m = GrowthToLowerboundCapacity(n);
+       resize(NormalizeCapacity(m));
+ 
+@@ -2882,5 +2915,6 @@ ABSL_NAMESPACE_END
+ }  // namespace absl
+ 
+ #undef ABSL_SWISSTABLE_ENABLE_GENERATIONS
++#undef ABSL_SWISSTABLE_ASSERT
+ 
+ #endif  // ABSL_CONTAINER_INTERNAL_RAW_HASH_SET_H_
+diff --git a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set_test.cc b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set_test.cc
+index 242a97cb..d5d5f393 100644
+--- a/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set_test.cc
++++ b/extra/abseil/abseil-cpp-20230802.1/absl/container/internal/raw_hash_set_test.cc
+@@ -2510,6 +2510,14 @@ TEST(Iterator, InvalidComparisonDifferentTables) {
+                             "Invalid iterator comparison.*non-end");
+ }
+ 
++TEST(Table, MaxSizeOverflow) {
++  size_t overflow = (std::numeric_limits<size_t>::max)();
++  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
++  IntTable t;
++  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
++  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
++}
++
+ }  // namespace
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END
+-- 
+2.45.4
+

SPECS/mysql/mysql.spec

@@ -1,7 +1,7 @@
 Summary:        MySQL.
 Name:           mysql
 Version:        8.0.45
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -16,6 +16,7 @@ Patch1:         CVE-2024-2410.patch
 Patch2:         fix-tests-for-unsupported-chacha-ciphers.patch
 Patch3:         CVE-2025-62813.patch
 Patch4:         CVE-2026-0994.patch
+Patch5:         CVE-2025-0838.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
@@ -116,6 +117,9 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Mon Feb 16 2026 Aditya Singh <v-aditysing@microsoft.com> - 8.0.45-3
+- Patch for CVE-2025-0838
+
 * Mon Feb 09 2026 Jyoti Kanase <v-jykanase@microsoft.com> - 8.0.45-2
 - Patch for CVE-2026-0994