mariadb: fix CVE-2023-52968

MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6
before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before
11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under
mysql_derived_prepare when derived is not yet prepared, leading
to a find_field_in_table crash.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-52968

Upstream patch:
https://github.com/MariaDB/server/commit/74883f5e2f4c0e09f4f4e9e272a8e5bfd91a9489

Fix indent issue in mariadb.inc file.

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 108 insertions, 1 deletions

diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 7c4b0a467f..6a8ff05039 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -22,7 +22,8 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
            file://cross-compiling.patch \
            file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
            file://0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch \
-           file://CVE-2023-22084.patch \
+           file://CVE-2023-22084.patch \
+           file://CVE-2023-52968.patch \
           "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-52968.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-52968.patch
new file mode 100644
index 0000000000..bea473e4a3
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-52968.patch
@@ -0,0 +1,106 @@
+From 74883f5e2f4c0e09f4f4e9e272a8e5bfd91a9489 Mon Sep 17 00:00:00 2001
+From: Aleksey Midenkov <midenok@gmail.com>
+Date: Thu, 9 Nov 2023 16:26:11 +0300
+Subject: [PATCH] MDEV-32082 Server crash in find_field_in_table
+
+Attempt to resolve FOR SYSTEM_TIME expression as field for derived
+table is done before derived table is fully prepared, so we fail on
+assertion that table_list->table is missing.
+
+Actually Vers_history_point::resolve_unit() is done under the call of
+mysql_derived_prepare() itself (sql_derived.cc:824) and the table is
+assigned later at 867.
+
+The fix disables unit resolution for field type in FOR SYSTEM_TIME
+expression as it does a little sense in any case: making historical
+queries based on variable field values produces the result of multiple
+time points.
+
+fix_fields_if_needed() in resolve_units() was introduced by 46be31982a4
+
+CVE: CVE-2023-52968
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/74883f5e2f4c0e09f4f4e9e272a8e5bfd91a9489]
+
+Changes:
+-Use old my_error API instead of new bad_expression_data_type_error API.
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ mysql-test/suite/versioning/r/select.result | 11 ++++++++++-
+ mysql-test/suite/versioning/t/select.test   | 12 +++++++++++-
+ sql/table.cc                                |  6 ++++++
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/mysql-test/suite/versioning/r/select.result b/mysql-test/suite/versioning/r/select.result
+index 90c99d1b..714455b6 100644
+--- a/mysql-test/suite/versioning/r/select.result
++++ b/mysql-test/suite/versioning/r/select.result
+@@ -443,7 +443,7 @@ create or replace table t1 (x int) with system versioning;
+ select * from t1 for system_time as of current_timestamp;
+ x
+ select * from t1 for system_time as of now;
+-ERROR 42S22: Unknown column 'now' in 'FOR SYSTEM_TIME'
++ERROR HY000: Illegal parameter data type now for operation 'FOR SYSTEM_TIME'
+ ### Issue #405, NATURAL JOIN failure
+ create or replace table t1 (a int) with system versioning;
+ create or replace table t2 (b int);
+@@ -708,3 +708,12 @@ No A       B       C       D
+ 33     1       1       1       1
+ 34     1       1       1       1
+ SET GLOBAL innodb_stats_persistent = @saved_stats_persistent;
++#
++# MDEV-32082 Server crash in find_field_in_table
++#
++create table t0 (c0 int) with system versioning;
++select x0 from (
++select c0 x0 from t0
++) for system_time as of nowasdf deriv;
++ERROR HY000: Illegal parameter data type nowasdf for operation 'FOR SYSTEM_TIME'
++drop table t0;
+diff --git a/mysql-test/suite/versioning/t/select.test b/mysql-test/suite/versioning/t/select.test
+index 9142a8fa..5603d1a3 100644
+--- a/mysql-test/suite/versioning/t/select.test
++++ b/mysql-test/suite/versioning/t/select.test
+@@ -314,7 +314,7 @@ select * from t1 where (a, 2) in ((1, 1), (2, 2)) and b = 1;
+ --echo ### Issue #398, NOW is now non-magic
+ create or replace table t1 (x int) with system versioning;
+ select * from t1 for system_time as of current_timestamp;
+---error ER_BAD_FIELD_ERROR
++--error ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION
+ select * from t1 for system_time as of now;
+
+ --echo ### Issue #405, NATURAL JOIN failure
+@@ -487,4 +487,14 @@ call verify_trt_dummy(34);
+
+ SET GLOBAL innodb_stats_persistent = @saved_stats_persistent;
+
++--echo #
++--echo # MDEV-32082 Server crash in find_field_in_table
++--echo #
++create table t0 (c0 int) with system versioning;
++--error ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION
++select x0 from (
++  select c0 x0 from t0
++) for system_time as of nowasdf deriv;
++drop table t0;
++
+ -- source suite/versioning/common_finish.inc
+diff --git a/sql/table.cc b/sql/table.cc
+index e0e06702..81a5674a 100644
+--- a/sql/table.cc
++++ b/sql/table.cc
+@@ -10326,6 +10326,12 @@ bool Vers_history_point::check_unit(THD *thd)
+ {
+   if (!item)
+     return false;
++  if (item->real_type() == Item::FIELD_ITEM)
++  {
++    my_error(ER_ILLEGAL_PARAMETER_DATA_TYPE_FOR_OPERATION, MYF(0),
++             item->full_name(), "FOR SYSTEM_TIME");
++    return true;
++  }
+   if (item->fix_fields_if_needed(thd, &item))
+     return true;
+   const Type_handler *t= item->this_item()->real_type_handler();
+--
+2.40.0