Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1548007489271080"
MIME-Version: 1.0
Date: Sun, 20 Jan 2019 18:04:49 +0000
From: "Maya Rashish" <maya@netbsd.org>
Subject: CVS commit: pkgsrc/databases/mysql56-client
To: pkgsrc-changes@NetBSD.org
Reply-To: maya@netbsd.org
Message-Id: <20190120180449.E654CFB16@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1548007489271080
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	maya
Date:		Sun Jan 20 18:04:49 UTC 2019

Modified Files:
	pkgsrc/databases/mysql56-client: Makefile distinfo
	pkgsrc/databases/mysql56-client/patches: patch-CMakeLists.txt
Added Files:
	pkgsrc/databases/mysql56-client/patches:
	    patch-cmake_build__configurations_mysql__release.cmake
	    patch-sql_sys__vars.cc

Log Message:
mysql56-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/databases/mysql56-client/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/databases/mysql56-client/distinfo
cvs rdiff -u -r1.5 -r1.6 \
    pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake
cvs rdiff -u -r0 -r1.3 \
    pkgsrc/databases/mysql56-client/patches/patch-sql_sys__vars.cc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1548007489271080
Content-Disposition: inline
Content-Length: 7462
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/databases/mysql56-client/Makefile
diff -u pkgsrc/databases/mysql56-client/Makefile:1.27 pkgsrc/databases/mysql56-client/Makefile:1.28
--- pkgsrc/databases/mysql56-client/Makefile:1.27	Thu Nov 22 11:53:33 2018
+++ pkgsrc/databases/mysql56-client/Makefile	Sun Jan 20 18:04:49 2019
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.27 2018/11/22 11:53:33 adam Exp $
+# $NetBSD: Makefile,v 1.28 2019/01/20 18:04:49 maya Exp $
 
 PKGNAME=	${DISTNAME:S/-/-client-/}
+PKGREVISION=	1
 COMMENT=	MySQL 5, a free SQL database (client)
 
 CONFLICTS=	mysql3-client-[0-9]*

Index: pkgsrc/databases/mysql56-client/distinfo
diff -u pkgsrc/databases/mysql56-client/distinfo:1.48 pkgsrc/databases/mysql56-client/distinfo:1.49
--- pkgsrc/databases/mysql56-client/distinfo:1.48	Thu Nov 22 11:53:33 2018
+++ pkgsrc/databases/mysql56-client/distinfo	Sun Jan 20 18:04:49 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2018/11/22 11:53:33 adam Exp $
+$NetBSD: distinfo,v 1.49 2019/01/20 18:04:49 maya Exp $
 
 SHA1 (mysql-5.6.42.tar.gz) = 536ca4899d49222d2c105e827f3a366a57a55b0e
 RMD160 (mysql-5.6.42.tar.gz) = ffbe4ceed2e751999077d089819ceb6a27dbeaaa
@@ -8,10 +8,11 @@ SHA1 (sphinx-2.2.11-release.tar.gz) = 34
 RMD160 (sphinx-2.2.11-release.tar.gz) = 5804b4cce64bc03fa20bac26c7391cd661cecc77
 SHA512 (sphinx-2.2.11-release.tar.gz) = cf1a262a5b0fbf0bd2827ec6ec629edeaf709ce855a6e7b509b65342baaeb26c02717ca63f1578d32c83d21e2fd6d1e92dceb34660e6351b93cd96fd4e623689
 Size (sphinx-2.2.11-release.tar.gz) = 3061998 bytes
-SHA1 (patch-CMakeLists.txt) = cc14caabcb6ca55eba33595f98ad4b3db14504da
+SHA1 (patch-CMakeLists.txt) = f3dc26d34730533c26f4496311767d774a72c5c4
 SHA1 (patch-client_completion_hash.cc) = b86ec80beac624b2aa21c7587e351ff126400ecb
 SHA1 (patch-client_mysqladmin.cc) = e1650ef3695675bcc01375bacdebcb7318218b93
 SHA1 (patch-client_sql_string.h) = f26aff4ce4cf6dfef44c85ef95120331ca8fef52
+SHA1 (patch-cmake_build__configurations_mysql__release.cmake) = f6ddee05e028df9d4fdb4228a7e687b825fea1b3
 SHA1 (patch-cmake_dtrace.cmake) = d953fdf976f3a7e7f0c2c16a9a2d2615f2777396
 SHA1 (patch-cmake_libutils.cmake) = c3e5ab66d2bef43dc2308369e27550553e0f5356
 SHA1 (patch-cmake_os_SunOS.cmake) = 60ba9f81c28bbb78295b8a12fe6cd3b176c03f91
@@ -36,6 +37,7 @@ SHA1 (patch-sql-common_client__authentic
 SHA1 (patch-sql_CMakeLists.txt) = 83c1e50de6b53a0af5ff010f248dd595745b3eb5
 SHA1 (patch-sql_log_event.h) = a413038ffa29103c75e1d243864615ccb3d9621e
 SHA1 (patch-sql_sql_string.h) = 1ce4d4db59310ea45e384f34e33c0d61935059bf
+SHA1 (patch-sql_sys__vars.cc) = 355b17dac8da6f94c9996ae406df304113a1f8f5
 SHA1 (patch-storage_archive_CMakeLists.txt) = e739ef4884a154d7e33e8aae24234fd6855119b7
 SHA1 (patch-storage_blackhole_CMakeLists.txt) = b9c526783cabd04ea7859d62cb1930ff35f905f8
 SHA1 (patch-storage_csv_CMakeLists.txt) = 739accd1fb85b051e28f5c3f16a6c3c0f77d6dae

Index: pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt
diff -u pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt:1.5 pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt:1.6
--- pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt:1.5	Thu Aug  4 10:09:08 2016
+++ pkgsrc/databases/mysql56-client/patches/patch-CMakeLists.txt	Sun Jan 20 18:04:49 2019
@@ -1,8 +1,12 @@
-$NetBSD: patch-CMakeLists.txt,v 1.5 2016/08/04 10:09:08 adam Exp $
+$NetBSD: patch-CMakeLists.txt,v 1.6 2019/01/20 18:04:49 maya Exp $
 
 Split configuration between mysql-client and mysql-server.
 Build with newer DTrace.
 
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
 --- CMakeLists.txt.orig	2016-07-11 09:19:51.000000000 +0000
 +++ CMakeLists.txt
 @@ -202,6 +202,7 @@ IF(DISABLE_SHARED)
@@ -13,7 +17,16 @@ Build with newer DTrace.
  OPTION(CYBOZU "" OFF)
  OPTION(BACKUP_TEST "" OFF)
  OPTION(WITHOUT_SERVER OFF)
-@@ -462,7 +463,6 @@ ADD_SUBDIRECTORY(vio)
+@@ -345,7 +346,7 @@ IF(REPRODUCIBLE_BUILD)
+ ENDIF()
+ 
+ OPTION(ENABLED_LOCAL_INFILE
+- "If we should should enable LOAD DATA LOCAL by default" ${IF_WIN})
++"If we should should enable LOAD DATA LOCAL by default" OFF)
+ MARK_AS_ADVANCED(ENABLED_LOCAL_INFILE)
+ 
+ OPTION(WITH_FAST_MUTEXES "Compile with fast mutexes" OFF)
+@@ -495,7 +496,6 @@ ADD_SUBDIRECTORY(vio)
  ADD_SUBDIRECTORY(regex)
  ADD_SUBDIRECTORY(mysys)
  ADD_SUBDIRECTORY(mysys_ssl)
@@ -21,7 +34,7 @@ Build with newer DTrace.
  
  IF(WITH_UNIT_TESTS)
    # Visual Studio 11 needs this extra flag in order to compile gmock.
-@@ -480,16 +480,16 @@ IF(WITH_UNIT_TESTS)
+@@ -513,16 +513,16 @@ IF(WITH_UNIT_TESTS)
  ENDIF()
  
  ADD_SUBDIRECTORY(extra)
@@ -43,7 +56,7 @@ Build with newer DTrace.
    ADD_SUBDIRECTORY(sql)
    OPTION (WITH_EMBEDDED_SERVER "Compile MySQL with embedded server" OFF)
    IF(WITH_EMBEDDED_SERVER) 
-@@ -500,7 +500,6 @@ ENDIF()
+@@ -533,7 +533,6 @@ ENDIF()
  
  # scripts/mysql_config depends on client and server targets loaded above.
  # It is referenced by some of the directories below, so we insert it here.

Added files:

Index: pkgsrc/databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake
diff -u /dev/null pkgsrc/databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake:1.1
--- /dev/null	Sun Jan 20 18:04:49 2019
+++ pkgsrc/databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake	Sun Jan 20 18:04:49 2019
@@ -0,0 +1,17 @@
+$NetBSD: patch-cmake_build__configurations_mysql__release.cmake,v 1.1 2019/01/20 18:04:49 maya Exp $
+
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
+--- cmake/build_configurations/mysql_release.cmake.orig	2018-09-10 10:17:55.000000000 +0000
++++ cmake/build_configurations/mysql_release.cmake
+@@ -19,7 +19,7 @@ INCLUDE(CheckIncludeFiles)
+ INCLUDE(CheckLibraryExists)
+ 
+ OPTION(DEBUG_EXTNAME "" ON)
+-OPTION(ENABLED_LOCAL_INFILE "" ON)
++OPTION(ENABLED_LOCAL_INFILE "" OFF)
+ 
+ IF(NOT COMPILATION_COMMENT)
+   SET(COMPILATION_COMMENT "MySQL Community Server (GPL)")

Index: pkgsrc/databases/mysql56-client/patches/patch-sql_sys__vars.cc
diff -u /dev/null pkgsrc/databases/mysql56-client/patches/patch-sql_sys__vars.cc:1.3
--- /dev/null	Sun Jan 20 18:04:49 2019
+++ pkgsrc/databases/mysql56-client/patches/patch-sql_sys__vars.cc	Sun Jan 20 18:04:49 2019
@@ -0,0 +1,17 @@
+$NetBSD: patch-sql_sys__vars.cc,v 1.3 2019/01/20 18:04:49 maya Exp $
+
+Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
+Avoid disclosure of files from a client to a malicious server, described here:
+https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
+
+--- sql/sys_vars.cc.orig	2018-09-10 10:17:55.000000000 +0000
++++ sql/sys_vars.cc
+@@ -1485,7 +1485,7 @@ static Sys_var_charptr Sys_language(
+ 
+ static Sys_var_mybool Sys_local_infile(
+        "local_infile", "Enable LOAD DATA LOCAL INFILE",
+-       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(TRUE));
++       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(FALSE));
+ 
+ static Sys_var_ulong Sys_lock_wait_timeout(
+        "lock_wait_timeout",


--_----------=_1548007489271080--