Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: mydum...@packages.debian.org, deb...@rocketjump.eu
Control: affects -1 + src:mydumper
User: release.debian....@packages.debian.org
Usertags: pu

This is a targeted fix for CVE-2025-30224. I have not been able to reproduce the
issue with the provided PoC against mysql-server 10 from unstable, which is the
only version that ships the rewriter plugin that's needed. Presumably a specific
mysql server version is needed to reproduce the issue.

It does not, however, break anything, as verified by the autopkgtests I added to the package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru mydumper-0.10.1/debian/changelog mydumper-0.10.1/debian/changelog
--- mydumper-0.10.1/debian/changelog    2021-02-09 21:49:25.000000000 +0100
+++ mydumper-0.10.1/debian/changelog    2025-05-29 22:11:53.000000000 +0200
@@ -1,3 +1,20 @@
+mydumper (0.10.1-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2025-30224:
+    - The MySQL C client library (libmysqlclient) allows authenticated remote
+      actors to read arbitrary files from client systems via a crafted server
+      response to LOAD LOCAL INFILE query, leading to sensitive information
+      disclosure when clients connect to untrusted MySQL servers without
+      explicitly disabling the local infile capability. Mydumper had the local
+      infile option enabled by default and does not have an option to disable
+      it. This can lead to an unexpected arbitrary file read if the Mydumper
+      tool connects to an untrusted server.
+  * Add autopkgtest integration tests
+  * Add debian/gbp.conf
+
+ -- Lee Garrett <deb...@rocketjump.eu>  Thu, 29 May 2025 22:11:53 +0200
+
 mydumper (0.10.1-1) unstable; urgency=medium
 
   * New upstream version 0.10.1
diff -Nru mydumper-0.10.1/debian/gbp.conf mydumper-0.10.1/debian/gbp.conf
--- mydumper-0.10.1/debian/gbp.conf     1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/gbp.conf     2025-05-29 22:09:54.000000000 +0200
@@ -0,0 +1,10 @@
+# Configuration for git-buildpackage and affiliated tools
+
+[DEFAULT]
+debian-branch = debian/bookworm
+pristine-tar = True
+sign-tags = True
+upstream-branch = upstream/bookworm
+
+[import-orig]
+merge-mode = replace
diff -Nru mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch 
mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch
--- mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch    1970-01-01 
01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch    2025-05-29 
22:02:21.000000000 +0200
@@ -0,0 +1,9 @@
+--- a/connection.c
++++ b/connection.c
+@@ -52,4 +52,6 @@
+   mysql_ssl_set(conn, key, cert, ca, capath, cipher);
+   mysql_options(conn, MYSQL_OPT_SSL_ENFORCE, &i);
+ #endif
++  /* unconditionally disable infile to fix CVE-2025-30224 */
++  mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);
+ }
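Review bot: The added `mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);` on the last two lines of the inner hunk enables LOCAL INFILE instead of disabling it: for this option the client library (both libmysqlclient and MariaDB Connector/C, which 0003-ssl-mariadb-connector.patch suggests this build uses) treats a NULL argument the same as a pointer to a nonzero value, and only a pointer to an unsigned int holding 0 clears the capability. As written the comment and the changelog claim CVE-2025-30224 is fixed while the client still advertises CLIENT_LOCAL_FILES, and the autopkgtest added in this upload cannot catch that because it never exercises a LOAD DATA LOCAL response. Pass a pointer to zero instead: `unsigned int local_infile = 0;` and `mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, &local_infile);`, keeping the existing comment. The enclosing function in connection.c starts above the inner hunk, so the declaration belongs next to the existing `i` used for MYSQL_OPT_SSL_ENFORCE.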
diff -Nru mydumper-0.10.1/debian/patches/series 
mydumper-0.10.1/debian/patches/series
--- mydumper-0.10.1/debian/patches/series       2021-02-09 21:46:48.000000000 
+0100
+++ mydumper-0.10.1/debian/patches/series       2025-05-29 21:23:34.000000000 
+0200
@@ -2,3 +2,4 @@
 0002-dont-install-documentation-source.patch
 0001-Link-mydumper-against-libm.patch
 0003-ssl-mariadb-connector.patch
+0005-CVE-2025-30224.patch
diff -Nru mydumper-0.10.1/debian/tests/control 
mydumper-0.10.1/debian/tests/control
--- mydumper-0.10.1/debian/tests/control        1970-01-01 01:00:00.000000000 
+0100
+++ mydumper-0.10.1/debian/tests/control        2025-05-29 21:23:17.000000000 
+0200
@@ -0,0 +1,6 @@
+Tests: integration-test.sh
+Depends: @,
+         default-mysql-server
+Restrictions:
+  isolation-machine,
+  needs-root,
diff -Nru mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql 
mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
--- mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql        
1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql        
2025-05-29 21:23:17.000000000 +0200
@@ -0,0 +1,7 @@
+/*!40101 SET NAMES binary*/;
+/*!40014 SET FOREIGN_KEY_CHECKS=0*/;
+/*!40103 SET TIME_ZONE='+00:00' */;
+INSERT INTO `itd` VALUES
+(1,"foo"),
+(2,"bar"),
+(3,"baz");
diff -Nru mydumper-0.10.1/debian/tests/integration-test.sh 
mydumper-0.10.1/debian/tests/integration-test.sh
--- mydumper-0.10.1/debian/tests/integration-test.sh    1970-01-01 
01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration-test.sh    2025-05-29 
21:23:17.000000000 +0200
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# This script will
+# - create a database
+# - dump this database with mydumper and compare it with the reference
+# - restore the dump to another database
+# - dump that other database with mydumper and compare it with the reference
+# - delete the database that were created.
+
+set -eu
+
+echo "pwd is $(pwd)"
+
+# check that it outputs something sensible and doesn't error out
+echo "### minimal functionality check of mydumper binary ###"
+mydumper -V | grep mydumper
+
+echo "### create a mariadb database, tables, and adding some values ###"
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian;'
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian2;'
+mysql -e 'CREATE TABLE itd (id INT AUTO_INCREMENT, words VARCHAR(50), PRIMARY 
KEY (id));' integration_test_debian
+mysql -e 'INSERT INTO itd (words) VALUES ("foo"), ("bar"), ("baz");' 
integration_test_debian
+
+echo "\n\n### Dump the database we just created ###"
+mydumper --database integration_test_debian -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+myloader --database integration_test_debian2 --directory $(ls -1td ./export-* 
| head -n 1)
+
+echo '\n\n### sleep for 2 seconds to make sure the export dir increments ###'
+sleep 2
+
+echo "\n\n### Dump the new database we just restored ###"
+mydumper --database integration_test_debian2 -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian2.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+echo "\n\n### Cleaning up databases ###"
+mysql -e 'drop database integration_test_debian;'
+mysql -e 'drop database integration_test_debian2;'
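Review bot: The `myloader --directory $(ls -1td ./export-* | head -n 1)` call in the middle of the script leaves the command substitution unquoted, so a directory name containing whitespace or glob characters would be split into several arguments and `myloader` would be pointed at the wrong path; the two `DUMPFILE=$(ls -1t …)` lookups have the same reliance on parsing `ls` output but at least quote the result. Capture the directory first and quote it: `EXPORTDIR=$(ls -1td ./export-* | head -n 1)` followed by `myloader --database integration_test_debian2 --directory "${EXPORTDIR}"`. The `echo "\n\n### … ###"` banners only produce blank lines because dash's echo interprets backslash escapes; under `#!/bin/sh` that is not portable, and `printf '\n\n### %s ###\n' '…'` behaves the same everywhere. Note also that with `set -eu` and no `trap`, any failing step skips the final `drop database` lines and leaves both test databases behind, which is tolerable under isolation-machine but worth a comment.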
