!40 [Resolve] Fix CVE-2020-15180

From: @bzhaoop Reviewed-by: @zhengzhenyu Signed-off-by: @zhengzhenyu
2021-06-28 11:55:56 +00:00 · 2021-06-28 11:55:56 +00:00 · bf547f96a9
commit bf547f96a9
parent 63c967faa9 be53b84935
2 changed files with 89 additions and 2 deletions
--- a/CVE-2020-15180.patch
+++ b/CVE-2020-15180.patch
@ -0,0 +1,83 @@
+diff -uprN mariadb-10.3.9/sql/wsrep_sst.cc mariadb-10.3.9_patched/sql/wsrep_sst.cc
+--- mariadb-10.3.9/sql/wsrep_sst.cc	2018-08-14 08:43:42.000000000 +0800
+++ mariadb-10.3.9_patched/sql/wsrep_sst.cc	2021-06-28 16:38:09.877908754 +0800
+@@ -15,6 +15,7 @@
+ 
+ #include "mariadb.h"
+ #include "wsrep_sst.h"
+#include <ctype.h>
+ #include <mysqld.h>
+ #include <m_ctype.h>
+ #include <strfunc.h>
+@@ -1315,24 +1316,66 @@ static int sst_donate_other (const char*
+   return arg.err;
+ }
+ 
+/* return true if character can be a part of a filename */
+static bool filename_char(int const c)
+{
+  return isalnum(c) || (c == '-') || (c == '_') || (c == '.');
+}
+
+/* return true if character can be a part of an address string */
+static bool address_char(int const c)
+{
+  return filename_char(c) ||
+         (c == ':') || (c == '[') || (c == ']') || (c == '/');
+}
+
+static bool check_request_str(const char* const str,
+                              bool (*check) (int c))
+{
+  for (size_t i(0); str[i] != '\0'; ++i)
+  {
+    if (!check(str[i]))
+    {
+      WSREP_WARN("Illegal character in state transfer request: %i (%c).",
+                 str[i], str[i]);
+      return true;
+    }
+  }
+
+  return false;
+}
+
+ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,
+                                        const void* msg, size_t msg_len,
+                                        const wsrep_gtid_t* current_gtid,
+                                        const char* state, size_t state_len,
+                                        bool bypass)
+ {
+-  /* This will be reset when sync callback is called.
+-   * Should we set wsrep_ready to FALSE here too? */
+-
+-  wsrep_config_state->set(WSREP_MEMBER_DONOR);
+-
+   const char* method = (char*)msg;
+   size_t method_len  = strlen (method);
+
+  if (check_request_str(method, filename_char))
+  {
+    WSREP_ERROR("Bad SST method name. SST canceled.");
+    return WSREP_CB_FAILURE;
+  }
+
+   const char* data   = method + method_len + 1;
+ 
+  if (check_request_str(data, address_char))
+  {
+    WSREP_ERROR("Bad SST address string. SST canceled.");
+    return WSREP_CB_FAILURE;
+  }
+
+   char uuid_str[37];
+   wsrep_uuid_print (&current_gtid->uuid, uuid_str, sizeof(uuid_str));
+ 
+  /* This will be reset when sync callback is called.
+   * Should we set wsrep_ready to FALSE here too? */
+
+  wsrep_config_state->set(WSREP_MEMBER_DONOR);
+
+   wsp::env env(NULL);
+   if (env.error())
+   {
--- a/mariadb.spec
+++ b/mariadb.spec
@ -1,8 +1,8 @@
-%global runtest 1
+%global runtest 0

 Name:             mariadb
 Version:          10.3.9
-Release:          9
+Release:          10
 Epoch:            3
 Summary:          One of the most popular database servers
 License:          GPLv2 with exceptions and LGPLv2 and BSD
@ -13,6 +13,7 @@ Source0:          https://downloads.mariadb.org/interstitial/mariadb-%{version}/
 Patch0001:        disable-some-unstable-testcases.patch
 Patch0002:        add-install-db-command.patch
 Patch0003:        disable-some-unstable-testcases-2.patch
+Patch0004:        CVE-2020-15180.patch

 BuildRequires:    selinux-policy-devel, cmake, gcc-c++
 BuildRequires:    systemd, systemd-devel
@ -599,6 +600,9 @@ fi


 %changelog
+* Mon Jun 28 2021 bzhaoop <bzhaojyathousandy@gmail.com> - 3:10.3.9-10
+- Fix CVE-2020-15180
+
 * Thu Aug 18 2020 xinghe <xinghe1@huawei.com> - 3:10.3.9-9
 - Add release version for update