Sun Jan 20 18:22:10 2019 UTC ()
mysql57-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/


(maya)
diff -r1.18 -r1.19 pkgsrc/databases/mysql57-client/Makefile
diff -r1.26 -r1.27 pkgsrc/databases/mysql57-client/distinfo
diff -r1.1 -r1.2 pkgsrc/databases/mysql57-client/patches/patch-CMakeLists.txt
diff -r0 -r1.1 pkgsrc/databases/mysql57-client/patches/patch-cmake_build__configurations_mysql__release.cmake
diff -r0 -r1.1 pkgsrc/databases/mysql57-client/patches/patch-sql_sys__vars.cc
cvs diff -r1.18 -r1.19 pkgsrc/databases/mysql57-client/Makefile (expand / switch to unified diff)

--- pkgsrc/databases/mysql57-client/Makefile 2018/12/13 19:51:45 1.18
+++ pkgsrc/databases/mysql57-client/Makefile 2019/01/20 18:22:10 1.19
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.18 2018/12/13 19:51:45 adam Exp $ 1# $NetBSD: Makefile,v 1.19 2019/01/20 18:22:10 maya Exp $
2 2
3PKGNAME= ${DISTNAME:S/-/-client-/} 3PKGNAME= ${DISTNAME:S/-/-client-/}
4PKGREVISION= 1 4PKGREVISION= 2
5COMMENT= MySQL 5, a free SQL database (client) 5COMMENT= MySQL 5, a free SQL database (client)
6 6
7CONFLICTS= mysql3-client-[0-9]* 7CONFLICTS= mysql3-client-[0-9]*
8 8
9.include "Makefile.common" 9.include "Makefile.common"
10 10
11CMAKE_ARGS+= -DWITHOUT_SERVER=ON 11CMAKE_ARGS+= -DWITHOUT_SERVER=ON
12UNWRAP_FILES+= scripts/mysql_config 12UNWRAP_FILES+= scripts/mysql_config
13INFO_FILES= yes 13INFO_FILES= yes
14INSTALL_DIRS+= client include libmysql man scripts testclients 14INSTALL_DIRS+= client include libmysql man scripts testclients
15 15
16.include "../../mk/bsd.pkg.mk" 16.include "../../mk/bsd.pkg.mk"
cvs diff -r1.26 -r1.27 pkgsrc/databases/mysql57-client/distinfo (expand / switch to unified diff)

--- pkgsrc/databases/mysql57-client/distinfo 2018/12/13 19:51:45 1.26
+++ pkgsrc/databases/mysql57-client/distinfo 2019/01/20 18:22:10 1.27
@@ -1,24 +1,25 @@ @@ -1,24 +1,25 @@
1$NetBSD: distinfo,v 1.26 2018/12/13 19:51:45 adam Exp $ 1$NetBSD: distinfo,v 1.27 2019/01/20 18:22:10 maya Exp $
2 2
3SHA1 (mysql-5.7.24.tar.gz) = e2f73a243659075d0100a71b8338c752c0c65de8 3SHA1 (mysql-5.7.24.tar.gz) = e2f73a243659075d0100a71b8338c752c0c65de8
4RMD160 (mysql-5.7.24.tar.gz) = 67fc0207cb6fae76af0b6e18bb1f6e14d190ac4c 4RMD160 (mysql-5.7.24.tar.gz) = 67fc0207cb6fae76af0b6e18bb1f6e14d190ac4c
5SHA512 (mysql-5.7.24.tar.gz) = c3a00788b91c243696cf140d2e3a374c3154ace97413ba09bc85c2d4325ec7bf476cd7eb5bff5c33e0407fc345f12b73d4cce19894c0f8ab9e1853f6a6cfa351 5SHA512 (mysql-5.7.24.tar.gz) = c3a00788b91c243696cf140d2e3a374c3154ace97413ba09bc85c2d4325ec7bf476cd7eb5bff5c33e0407fc345f12b73d4cce19894c0f8ab9e1853f6a6cfa351
6Size (mysql-5.7.24.tar.gz) = 52052796 bytes 6Size (mysql-5.7.24.tar.gz) = 52052796 bytes
7SHA1 (patch-CMakeLists.txt) = b47592cf8801538375da3df2990fde4d292fc365 7SHA1 (patch-CMakeLists.txt) = 1409a98380c999c6973fa3106dc35684b7c3b3cc
8SHA1 (patch-client_CMakeLists.txt) = 990d6df52380981f11a4ac5aafe48f34a3b2097f 8SHA1 (patch-client_CMakeLists.txt) = 990d6df52380981f11a4ac5aafe48f34a3b2097f
9SHA1 (patch-client_completion_hash.cc) = b86ec80beac624b2aa21c7587e351ff126400ecb 9SHA1 (patch-client_completion_hash.cc) = b86ec80beac624b2aa21c7587e351ff126400ecb
10SHA1 (patch-client_mysqladmin.cc) = e1650ef3695675bcc01375bacdebcb7318218b93 10SHA1 (patch-client_mysqladmin.cc) = e1650ef3695675bcc01375bacdebcb7318218b93
11SHA1 (patch-cmake_boost.cmake) = cab30ebdff1e773d6970f541f96fce8ed51257f8 11SHA1 (patch-cmake_boost.cmake) = cab30ebdff1e773d6970f541f96fce8ed51257f8
 12SHA1 (patch-cmake_build__configurations_mysql__release.cmake) = 7a1fb8c686f187db8fd9d8ad203c1f764d6e55a6
12SHA1 (patch-cmake_os_SunOS.cmake) = 06e290820a75d68931fce6dfd70a0b5edd548320 13SHA1 (patch-cmake_os_SunOS.cmake) = 06e290820a75d68931fce6dfd70a0b5edd548320
13SHA1 (patch-cmake_plugin.cmake) = 92267182d4ec559a312a5a38826b9047c99b122f 14SHA1 (patch-cmake_plugin.cmake) = 92267182d4ec559a312a5a38826b9047c99b122f
14SHA1 (patch-cmake_readline.cmake) = fb79ed969240ae2984098f72c2d3fb501154902c 15SHA1 (patch-cmake_readline.cmake) = fb79ed969240ae2984098f72c2d3fb501154902c
15SHA1 (patch-cmd-line-utils_libedit_chartype.h) = 6b1453df648001ed1fc81190106e15872a69a04c 16SHA1 (patch-cmd-line-utils_libedit_chartype.h) = 6b1453df648001ed1fc81190106e15872a69a04c
16SHA1 (patch-cmd-line-utils_libedit_vi.c) = 7c5ce1d07f650815d028e435a59e5d078ec74c2f 17SHA1 (patch-cmd-line-utils_libedit_vi.c) = 7c5ce1d07f650815d028e435a59e5d078ec74c2f
17SHA1 (patch-include_CMakeLists.txt) = 944991702f046ea7a5e2b6ea4dc390f17426e55a 18SHA1 (patch-include_CMakeLists.txt) = 944991702f046ea7a5e2b6ea4dc390f17426e55a
18SHA1 (patch-include_my__compare.h) = f45bac4b488332a668b0005751856279b67401f5 19SHA1 (patch-include_my__compare.h) = f45bac4b488332a668b0005751856279b67401f5
19SHA1 (patch-include_my__global.h) = 3870266cb1dd2cd0d58417dfe21bab19b62100e2 20SHA1 (patch-include_my__global.h) = 3870266cb1dd2cd0d58417dfe21bab19b62100e2
20SHA1 (patch-include_my__thread.h) = 0f095acf94f8d130516dc4d858de1c64dd2bc127 21SHA1 (patch-include_my__thread.h) = 0f095acf94f8d130516dc4d858de1c64dd2bc127
21SHA1 (patch-include_my__thread__os__id.h) = a51861b791086a0eeb9cb4d64892c5033da8c8eb 22SHA1 (patch-include_my__thread__os__id.h) = a51861b791086a0eeb9cb4d64892c5033da8c8eb
22SHA1 (patch-libmysql_CMakeLists.txt) = 306c73384226e07bf2a45af5d92b6f05d6044cbe 23SHA1 (patch-libmysql_CMakeLists.txt) = 306c73384226e07bf2a45af5d92b6f05d6044cbe
23SHA1 (patch-mysql-test_CMakeLists.txt) = 8a8e846792077101a01731c4577c37161f70264d 24SHA1 (patch-mysql-test_CMakeLists.txt) = 8a8e846792077101a01731c4577c37161f70264d
24SHA1 (patch-mysys__ssl_CMakeLists.txt) = 4750125b2e98d11c9efb653beda2d4d5166adc02 25SHA1 (patch-mysys__ssl_CMakeLists.txt) = 4750125b2e98d11c9efb653beda2d4d5166adc02
@@ -28,23 +29,24 @@ SHA1 (patch-mysys_my__symlink.c) = 23b57 @@ -28,23 +29,24 @@ SHA1 (patch-mysys_my__symlink.c) = 23b57
28SHA1 (patch-mysys_stacktrace.c) = 3e0794f544f0e35f44a694330885478247657842 29SHA1 (patch-mysys_stacktrace.c) = 3e0794f544f0e35f44a694330885478247657842
29SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_sock__probe__ix.c) = 1a389fca13ada1be74d96276e11baee16bbc2363 30SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_sock__probe__ix.c) = 1a389fca13ada1be74d96276e11baee16bbc2363
30SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_xcom__memory.c) = 7077900830f904c74c79439b856d9d176fc27f15 31SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_xcom__memory.c) = 7077900830f904c74c79439b856d9d176fc27f15
31SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_xcom__transport.c) = d7f87bff5a41ff6a130fcf74dc520b38cedf5924 32SHA1 (patch-rapid_plugin_group__replication_libmysqlgcs_src_bindings_xcom_xcom_xcom__transport.c) = d7f87bff5a41ff6a130fcf74dc520b38cedf5924
32SHA1 (patch-rapid_plugin_group__replication_rpcgen.cmake) = ff0679ed644d79abe52b208f6b60b5a4e480ed3f 33SHA1 (patch-rapid_plugin_group__replication_rpcgen.cmake) = ff0679ed644d79abe52b208f6b60b5a4e480ed3f
33SHA1 (patch-rapid_plugin_x_CMakeLists.txt) = 4f548abab6917c2bedd970abdffe4e87c460667e 34SHA1 (patch-rapid_plugin_x_CMakeLists.txt) = 4f548abab6917c2bedd970abdffe4e87c460667e
34SHA1 (patch-rapid_unittest_gunit_xplugin_CMakeLists.txt) = c0ae4570e138869a3203f7d4704a0b6b5c19e517 35SHA1 (patch-rapid_unittest_gunit_xplugin_CMakeLists.txt) = c0ae4570e138869a3203f7d4704a0b6b5c19e517
35SHA1 (patch-scripts_CMakeLists.txt) = b149f40f65c4ce8f6f4a7adf75f5ec4be44319f1 36SHA1 (patch-scripts_CMakeLists.txt) = b149f40f65c4ce8f6f4a7adf75f5ec4be44319f1
36SHA1 (patch-scripts_mysqld_safe.sh) = 0784314227657aa0bc3f4a0b4e21c173a86fa94b 37SHA1 (patch-scripts_mysqld_safe.sh) = 0784314227657aa0bc3f4a0b4e21c173a86fa94b
37SHA1 (patch-sql_CMakeLists.txt) = 697add15adb66bf55cf561a6e43e0bf514d1e068 38SHA1 (patch-sql_CMakeLists.txt) = 697add15adb66bf55cf561a6e43e0bf514d1e068
38SHA1 (patch-sql_conn__handler_socket__connection.cc) = 12cf83e061edbe59eb073037b1036903b7ba4b00 39SHA1 (patch-sql_conn__handler_socket__connection.cc) = 12cf83e061edbe59eb073037b1036903b7ba4b00
39SHA1 (patch-sql_item__geofunc__internal.cc) = 752862c3a30231e694e508ced1a215a610649fc6 40SHA1 (patch-sql_item__geofunc__internal.cc) = 752862c3a30231e694e508ced1a215a610649fc6
40SHA1 (patch-sql_log_event.h) = 311dc7fb04ea832df229dc2a28bcfbf263670ebf 41SHA1 (patch-sql_log_event.h) = 311dc7fb04ea832df229dc2a28bcfbf263670ebf
 42SHA1 (patch-sql_sys__vars.cc) = 202b8756c20549393d0e2a14952e1f060037b88a
41SHA1 (patch-storage_archive_CMakeLists.txt) = 4cf5ed97a226a3844e184c46958b5202eefb9dd5 43SHA1 (patch-storage_archive_CMakeLists.txt) = 4cf5ed97a226a3844e184c46958b5202eefb9dd5
42SHA1 (patch-storage_blackhole_CMakeLists.txt) = 1d066d686172657ce9f812a505c7323a76111a63 44SHA1 (patch-storage_blackhole_CMakeLists.txt) = 1d066d686172657ce9f812a505c7323a76111a63
43SHA1 (patch-storage_csv_CMakeLists.txt) = 6208989a32805f8b107cd9de96e3ff0490ec9000 45SHA1 (patch-storage_csv_CMakeLists.txt) = 6208989a32805f8b107cd9de96e3ff0490ec9000
44SHA1 (patch-storage_example_CMakeLists.txt) = 206fbd4dc9efaaf209ee20cd56bf5556cc1c402c 46SHA1 (patch-storage_example_CMakeLists.txt) = 206fbd4dc9efaaf209ee20cd56bf5556cc1c402c
45SHA1 (patch-storage_federated_CMakeLists.txt) = ef0eb2797c5ff0c7da9e234e013230b262761868 47SHA1 (patch-storage_federated_CMakeLists.txt) = ef0eb2797c5ff0c7da9e234e013230b262761868
46SHA1 (patch-storage_heap_CMakeLists.txt) = 038be371238eab52708a1eba164541fea7b4b848 48SHA1 (patch-storage_heap_CMakeLists.txt) = 038be371238eab52708a1eba164541fea7b4b848
47SHA1 (patch-storage_myisam_CMakeLists.txt) = debeb74ec2d4a7d2e8a1166595a1deb384b03a7a 49SHA1 (patch-storage_myisam_CMakeLists.txt) = debeb74ec2d4a7d2e8a1166595a1deb384b03a7a
48SHA1 (patch-storage_myisammrg_CMakeLists.txt) = e4755536adfb6e837f997061690244da9aa7a6d3 50SHA1 (patch-storage_myisammrg_CMakeLists.txt) = e4755536adfb6e837f997061690244da9aa7a6d3
49SHA1 (patch-storage_ndb_mcc_frontend_dojo_dojox_mobile_build_build.sh) = e6939ef781054b4bff006038905e28f7c5cd8d7e 51SHA1 (patch-storage_ndb_mcc_frontend_dojo_dojox_mobile_build_build.sh) = e6939ef781054b4bff006038905e28f7c5cd8d7e
50SHA1 (patch-strings_decimal.c) = 069c9d930c735f74510702baa9bef38aec425903 52SHA1 (patch-strings_decimal.c) = 069c9d930c735f74510702baa9bef38aec425903
cvs diff -r1.1 -r1.2 pkgsrc/databases/mysql57-client/patches/patch-CMakeLists.txt (expand / switch to unified diff)

--- pkgsrc/databases/mysql57-client/patches/patch-CMakeLists.txt 2016/09/16 06:49:11 1.1
+++ pkgsrc/databases/mysql57-client/patches/patch-CMakeLists.txt 2019/01/20 18:22:10 1.2
@@ -1,28 +1,41 @@ @@ -1,28 +1,41 @@
1$NetBSD: patch-CMakeLists.txt,v 1.1 2016/09/16 06:49:11 adam Exp $ 1$NetBSD: patch-CMakeLists.txt,v 1.2 2019/01/20 18:22:10 maya Exp $
2 2
3Split configuration between mysql-client and mysql-server. 3Split configuration between mysql-client and mysql-server.
4 4
5--- CMakeLists.txt.orig 2016-06-30 06:22:11.000000000 +0000 5Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
 6Avoid disclosure of files from a client to a malicious server, described here:
 7https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
 8
 9--- CMakeLists.txt.orig 2018-10-04 05:48:22.000000000 +0000
6+++ CMakeLists.txt 10+++ CMakeLists.txt
7@@ -584,7 +584,6 @@ ADD_SUBDIRECTORY(vio) 11@@ -408,7 +408,7 @@ IF(REPRODUCIBLE_BUILD)
 12 ENDIF()
 13
 14 OPTION(ENABLED_LOCAL_INFILE
 15- "If we should enable LOAD DATA LOCAL by default" ${IF_WIN})
 16+ "If we should enable LOAD DATA LOCAL by default" OFF)
 17 MARK_AS_ADVANCED(ENABLED_LOCAL_INFILE)
 18
 19 OPTION(OPTIMIZER_TRACE "Support tracing of Optimizer" ON)
 20@@ -636,7 +636,6 @@ ADD_SUBDIRECTORY(vio)
8 ADD_SUBDIRECTORY(regex) 21 ADD_SUBDIRECTORY(regex)
9 ADD_SUBDIRECTORY(mysys) 22 ADD_SUBDIRECTORY(mysys)
10 ADD_SUBDIRECTORY(mysys_ssl) 23 ADD_SUBDIRECTORY(mysys_ssl)
11-ADD_SUBDIRECTORY(libmysql) 24-ADD_SUBDIRECTORY(libmysql)
12 ADD_SUBDIRECTORY(libbinlogevents) 25 ADD_SUBDIRECTORY(libbinlogevents)
13 ADD_SUBDIRECTORY(libbinlogstandalone) 26 ADD_SUBDIRECTORY(libbinlogstandalone)
14  27
15@@ -613,12 +612,12 @@ ADD_SUBDIRECTORY(client) 28@@ -674,12 +673,12 @@ ADD_SUBDIRECTORY(client)
16 ADD_SUBDIRECTORY(sql/share) 29 ADD_SUBDIRECTORY(sql/share)
17 ADD_SUBDIRECTORY(libservices) 30 ADD_SUBDIRECTORY(libservices)
18  31
19-IF(UNIX) 32-IF(UNIX)
20+IF(WITHOUT_SERVER) 33+IF(WITHOUT_SERVER)
21+ ADD_SUBDIRECTORY(libmysql) 34+ ADD_SUBDIRECTORY(libmysql)
22 ADD_SUBDIRECTORY(man) 35 ADD_SUBDIRECTORY(man)
23-ENDIF() 36-ENDIF()
24- 37-
25-IF(NOT WITHOUT_SERVER) 38-IF(NOT WITHOUT_SERVER)
26 ADD_SUBDIRECTORY(testclients) 39 ADD_SUBDIRECTORY(testclients)
27+ELSE() 40+ELSE()
28+ ADD_SUBDIRECTORY(libmysql) 41+ ADD_SUBDIRECTORY(libmysql)
File Added: pkgsrc/databases/mysql57-client/patches/patch-cmake_build__configurations_mysql__release.cmake
$NetBSD: patch-cmake_build__configurations_mysql__release.cmake,v 1.1 2019/01/20 18:22:10 maya Exp $

Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
Avoid disclosure of files from a client to a malicious server, described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/

--- cmake/build_configurations/mysql_release.cmake.orig	2018-10-04 05:48:22.000000000 +0000
+++ cmake/build_configurations/mysql_release.cmake
@@ -19,7 +19,7 @@ INCLUDE(CheckIncludeFiles)
 INCLUDE(CheckLibraryExists)
 
 OPTION(DEBUG_EXTNAME "" ON)
-OPTION(ENABLED_LOCAL_INFILE "" ON)
+OPTION(ENABLED_LOCAL_INFILE "" OFF)
 
 IF(NOT COMPILATION_COMMENT)
   SET(COMPILATION_COMMENT "MySQL Community Server (GPL)")
File Added: pkgsrc/databases/mysql57-client/patches/patch-sql_sys__vars.cc
$NetBSD: patch-sql_sys__vars.cc,v 1.1 2019/01/20 18:22:10 maya Exp $

Backport of https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
Avoid disclosure of files from a client to a malicious server, described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/

--- sql/sys_vars.cc.orig	2018-10-04 05:48:22.000000000 +0000
+++ sql/sys_vars.cc
@@ -1809,7 +1809,7 @@ static Sys_var_charptr Sys_language(
 
 static Sys_var_mybool Sys_local_infile(
        "local_infile", "Enable LOAD DATA LOCAL INFILE",
-       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(TRUE));
+       GLOBAL_VAR(opt_local_infile), CMD_LINE(OPT_ARG), DEFAULT(FALSE));
 
 static Sys_var_ulong Sys_lock_wait_timeout(
        "lock_wait_timeout",