Patched CVE-2024-2410 in mysql. (#10876)

PawelWMS · jslobodzian · web-flow · commit 8ed9a402e239 · 2024-11-05T14:55:42.000-05:00
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/mysql/CVE-2024-2410.patch b/SPECS/mysql/CVE-2024-2410.patch
@@ -0,0 +1,162 @@
+From b955165ebdcc5a8ba9c267230d6305f4e3d9c118 Mon Sep 17 00:00:00 2001
+From: Adam Cozzette <acozzette@google.com>
+Date: Fri, 13 Oct 2023 15:20:54 -0700
+Subject: [PATCH] Internal change
+
+PiperOrigin-RevId: 573332237
+---
+ .../protobuf/io/test_zero_copy_stream.h       | 22 ++++++++++++-------
+ src/google/protobuf/json/BUILD.bazel          |  1 +
+ src/google/protobuf/json/internal/parser.cc   |  2 +-
+ src/google/protobuf/json/json_test.cc         | 20 +++++++++++++++++
+ 4 files changed, 36 insertions(+), 9 deletions(-)
+
+diff --git a/src/google/protobuf/io/test_zero_copy_stream.h b/src/google/protobuf/io/test_zero_copy_stream.h
+index 4c5a06db400e..1a56d7038c96 100644
+--- a/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h
++++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/io/test_zero_copy_stream.h
+@@ -9,12 +9,12 @@
+ #define GOOGLE_PROTOBUF_IO_TEST_ZERO_COPY_STREAM_H__
+ 
+ #include <deque>
++#include <memory>
+ #include <string>
+ #include <utility>
+ #include <vector>
+ 
+ #include "absl/log/absl_check.h"
+-#include "absl/types/optional.h"
+ #include "google/protobuf/io/zero_copy_stream.h"
+ 
+ // Must be included last.
+@@ -37,18 +37,22 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+   TestZeroCopyInputStream(const TestZeroCopyInputStream& other)
+       : ZeroCopyInputStream(),
+         buffers_(other.buffers_),
+-        last_returned_buffer_(other.last_returned_buffer_),
++        last_returned_buffer_(
++            other.last_returned_buffer_
++                ? std::make_unique<std::string>(*other.last_returned_buffer_)
++                : nullptr),
+         byte_count_(other.byte_count_) {}
+ 
+   bool Next(const void** data, int* size) override {
+     ABSL_CHECK(data) << "data must not be null";
+     ABSL_CHECK(size) << "size must not be null";
+-    last_returned_buffer_ = absl::nullopt;
++    last_returned_buffer_ = nullptr;
+ 
+     // We are done
+     if (buffers_.empty()) return false;
+ 
+-    last_returned_buffer_ = std::move(buffers_.front());
++    last_returned_buffer_ =
++        std::make_unique<std::string>(std::move(buffers_.front()));
+     buffers_.pop_front();
+     *data = last_returned_buffer_->data();
+     *size = static_cast<int>(last_returned_buffer_->size());
+@@ -58,19 +62,19 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+ 
+   void BackUp(int count) override {
+     ABSL_CHECK_GE(count, 0) << "count must not be negative";
+-    ABSL_CHECK(last_returned_buffer_.has_value())
++    ABSL_CHECK(last_returned_buffer_ != nullptr)
+         << "The last call was not a successful Next()";
+     ABSL_CHECK_LE(count, last_returned_buffer_->size())
+         << "count must be within bounds of last buffer";
+     buffers_.push_front(
+         last_returned_buffer_->substr(last_returned_buffer_->size() - count));
+-    last_returned_buffer_ = absl::nullopt;
++    last_returned_buffer_ = nullptr;
+     byte_count_ -= count;
+   }
+ 
+   bool Skip(int count) override {
+     ABSL_CHECK_GE(count, 0) << "count must not be negative";
+-    last_returned_buffer_ = absl::nullopt;
++    last_returned_buffer_ = nullptr;
+     while (true) {
+       if (count == 0) return true;
+       if (buffers_.empty()) return false;
+@@ -96,7 +100,9 @@ class TestZeroCopyInputStream final : public ZeroCopyInputStream {
+   // move them to `last_returned_buffer_`. It makes it simpler to keep track of
+   // the state of the object. The extra cost is not relevant for testing.
+   std::deque<std::string> buffers_;
+-  absl::optional<std::string> last_returned_buffer_;
++  // absl::optional could work here, but std::unique_ptr makes it more likely
++  // for sanitizers to detect if the string is used after it is destroyed.
++  std::unique_ptr<std::string> last_returned_buffer_;
+   int64_t byte_count_ = 0;
+ };
+ 
+diff --git a/src/google/protobuf/json/BUILD.bazel b/src/google/protobuf/json/BUILD.bazel
+index dece74e4d0f0..6ec8184e0e09 100644
+--- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel
++++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/BUILD.bazel
+@@ -41,6 +41,7 @@ cc_test(
+         "//src/google/protobuf:cc_test_protos",
+         "//src/google/protobuf:port_def",
+         "//src/google/protobuf/io",
++        "//src/google/protobuf/io:test_zero_copy_stream",
+         "//src/google/protobuf/util:json_format_cc_proto",
+         "//src/google/protobuf/util:json_format_proto3_cc_proto",
+         "//src/google/protobuf/util:type_resolver_util",
+diff --git a/src/google/protobuf/json/internal/parser.cc b/src/google/protobuf/json/internal/parser.cc
+index 17e8fcc07c42..fbf492afa715 100644
+--- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc
++++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/internal/parser.cc
+@@ -1273,7 +1273,7 @@ absl::Status ParseMessage(JsonLexer& lex, const Desc<Traits>& desc,
+           }
+         }
+ 
+-        return ParseField<Traits>(lex, desc, name.value.AsView(), msg);
++        return ParseField<Traits>(lex, desc, name.value.ToString(), msg);
+       });
+ }
+ }  // namespace
+diff --git a/src/google/protobuf/json/json_test.cc b/src/google/protobuf/json/json_test.cc
+index 48379ceeb5f9..2ff1e87a90fe 100644
+--- a/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc
++++ b/extra/protobuf/protobuf-24.4/src/google/protobuf/json/json_test.cc
+@@ -26,6 +26,7 @@
+ #include "absl/strings/string_view.h"
+ #include "google/protobuf/descriptor_database.h"
+ #include "google/protobuf/dynamic_message.h"
++#include "google/protobuf/io/test_zero_copy_stream.h"
+ #include "google/protobuf/io/zero_copy_stream.h"
+ #include "google/protobuf/io/zero_copy_stream_impl_lite.h"
+ #include "google/protobuf/util/json_format.pb.h"
+@@ -50,6 +51,7 @@ using ::proto3::TestMap;
+ using ::proto3::TestMessage;
+ using ::proto3::TestOneof;
+ using ::proto3::TestWrapper;
++using ::testing::ContainsRegex;
+ using ::testing::ElementsAre;
+ using ::testing::IsEmpty;
+ using ::testing::Not;
+@@ -1331,6 +1333,24 @@ TEST_P(JsonTest, ClearPreExistingRepeatedInJsonValues) {
+   EXPECT_THAT(s.fields(), IsEmpty());
+ }
+ 
++TEST(JsonErrorTest, FieldNameAndSyntaxErrorInSeparateChunks) {
++  std::unique_ptr<TypeResolver> resolver{
++      google::protobuf::util::NewTypeResolverForDescriptorPool(
++          "type.googleapis.com", DescriptorPool::generated_pool())};
++  io::internal::TestZeroCopyInputStream input_stream(
++      {"{\"bool_value\":", "5}"});
++  std::string result;
++  io::StringOutputStream output_stream(&result);
++  absl::Status s = JsonToBinaryStream(
++      resolver.get(), "type.googleapis.com/proto3.TestMessage", &input_stream,
++      &output_stream, ParseOptions{});
++  ASSERT_FALSE(s.ok());
++  EXPECT_THAT(
++      s.message(),
++      ContainsRegex("invalid *JSON *in *type.googleapis.com/proto3.TestMessage "
++                    "*@ *bool_value"));
++}
++
+ }  // namespace
+ }  // namespace json
+ }  // namespace protobuf
+ 
diff --git a/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch b/SPECS/mysql/fix-tests-for-unsupported-chacha-ciphers.patch
@@ -0,0 +1,52 @@
+From 540814076995de6bcb119a68fa4cce9e7214b3c0 Mon Sep 17 00:00:00 2001
+From: Pawel Winogrodzki <pawelwi@microsoft.com>
+Date: Tue, 29 Oct 2024 15:37:51 -0700
+Subject: [PATCH] Remove ciphers unsupported by AZL.
+
+---
+ .../src/harness/tests/test_tls_server_context.cc  | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/router/src/harness/tests/test_tls_server_context.cc b/router/src/harness/tests/test_tls_server_context.cc
+index 57859357..e7edb4fa 100644
+--- a/router/src/harness/tests/test_tls_server_context.cc
++++ b/router/src/harness/tests/test_tls_server_context.cc
+@@ -93,7 +93,6 @@ static const std::string acceptable_ciphers_test_data[] = {
+     // TLSv1.3
+     {"TLS_AES_128_GCM_SHA256"},
+     {"TLS_AES_256_GCM_SHA384"},
+-    {"TLS_CHACHA20_POLY1305_SHA256"},
+ #if 0  // embedded
+     {"TLS_AES_128_CCM_SHA256"},
+ #endif
+@@ -102,11 +101,6 @@ static const std::string acceptable_ciphers_test_data[] = {
+     {"ECDHE-RSA-AES256-GCM-SHA384"},
+     {"DHE-RSA-AES128-GCM-SHA256"},
+     {"DHE-RSA-AES256-GCM-SHA384"},
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
+-    {"ECDHE-ECDSA-CHACHA20-POLY1305"},
+-    {"ECDHE-RSA-CHACHA20-POLY1305"},
+-    {"DHE-RSA-CHACHA20-POLY1305"},
+-#endif
+ #if 0  // embedded
+     {"ECDHE-ECDSA-AES256-CCM"},
+     {"ECDHE-ECDSA-AES128-CCM"},
+@@ -336,7 +330,14 @@ static const std::string unacceptable_ciphers_test_data[] = {
+     {"ECDH-ECDSA-DES-CBC3-SHA"},
+     {"ECDHE-RSA-DES-CBC3-SHA"},
+     {"ECDHE-ECDSA-DES-CBC3-SHA"},
+-    {"DES-CBC3-SHA"},
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
++    {"TLS_CHACHA20_POLY1305_SHA256"},
++#endif
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
++    {"ECDHE-ECDSA-CHACHA20-POLY1305"},
++    {"ECDHE-RSA-CHACHA20-POLY1305"},
++    {"DHE-RSA-CHACHA20-POLY1305"},
++#endif
+ };
+ 
+ INSTANTIATE_TEST_SUITE_P(CiphersUnacceptableParam, CiphersUnacceptable,
+-- 
+2.34.1
+
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
@@ -1,19 +1,30 @@
 Summary:        MySQL.
 Name:           mysql
 Version:        8.0.40
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/Databases
 URL:            https://www.mysql.com
 Source0:        https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
 Patch0:         CVE-2012-5627.nopatch
+# Patch can be removed after upgrading MySQL to 8.4+
+# or switching to system Protobuf 3.25+ with the 'WITH_PROTOBUF=system' option.
+Patch1:         CVE-2024-2410.patch
+# AZL's OpenSSL builds with the "no-chacha" option making all ChaCha
+# ciphers unavailable.
+Patch2:         fix-tests-for-unsupported-chacha-ciphers.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
 BuildRequires:  rpcsvc-proto-devel
 BuildRequires:  zlib-devel
+%if 0%{?with_check}
+BuildRequires:  shadow-utils
+BuildRequires:  sudo
+%endif
+
 Requires(postun): shadow-utils
 Requires(pre):  shadow-utils
 
@@ -50,7 +61,13 @@ make %{?_smp_mflags}
 make DESTDIR=%{buildroot} install
 
 %check
-make test
+# Tests expect to be run as a non-root user.
+groupadd test
+useradd test -g test -m
+chown -R test:test .
+
+# In case of failure, print the test log.
+sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; }
 
 %pre
 getent group  mysql  >/dev/null || groupadd -r mysql
@@ -97,6 +114,9 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Tue Oct 29 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.0.40-2
+- Patched CVE-2024-2410.
+
 * Fri Oct 18 2024 Sudipta Pandit <sudpandit@microsoft.com> - 8.0.40-1
 - Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
   CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
