gnu: perl-dbd-mysql: Update to 4.046.

* gnu/packages/databases.scm (perl-dbd-mysql): Update to 4.046.
[source]: Update URL. Remove 'perl-dbd-mysql-CVE-2017-10788.patch'.
* gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
This commit is contained in:
Leo Famulari 2018-08-22 15:39:14 -04:00
parent 414f620fbb
commit 58927996d9
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 3 additions and 67 deletions

View file

@ -1018,7 +1018,6 @@ dist_patch_DATA = \
%D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \ %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \ %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
%D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \ %D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \

View file

@ -1472,16 +1472,15 @@ (define-public perl-dbd-pg
(define-public perl-dbd-mysql (define-public perl-dbd-mysql
(package (package
(name "perl-dbd-mysql") (name "perl-dbd-mysql")
(version "4.043") (version "4.046")
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
(uri (string-append "mirror://cpan/authors/id/M/MI/MICHIELB/" (uri (string-append "mirror://cpan/authors/id/C/CA/CAPTTOFU/"
"DBD-mysql-" version ".tar.gz")) "DBD-mysql-" version ".tar.gz"))
(sha256 (sha256
(base32 (base32
"16bg7l28n65ngi1abjxvwk906a80i2vd5vzjn812dx8phdg8d7v2")) "1xziv9w87cl3fbl1mqkdrx28mdqly3gs6gs1ynbmpl2rr4p6arb1"))))
(patches (search-patches "perl-dbd-mysql-CVE-2017-10788.patch"))))
(build-system perl-build-system) (build-system perl-build-system)
;; Tests require running MySQL server ;; Tests require running MySQL server
(arguments `(#:tests? #f)) (arguments `(#:tests? #f))

View file

@ -1,62 +0,0 @@
Fix CVE-2017-10788:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
Patch written to match corrected documentation specifications:
Old: http://web.archive.org/web/20161220021610/https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html
New: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html
The patch itself is from https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-312420660.
From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
From: Pali <pali@cpan.org>
Date: Sun, 25 Jun 2017 10:07:39 +0200
Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
Ignore return value from mysql_stmt_close() and also its error message
because it points to freed memory after mysql_stmt_close() was called.
---
dbdimp.c | 8 ++------
mysql.xs | 7 ++-----
2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/dbdimp.c b/dbdimp.c
index c60a5f6..a6410e5 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) {
if (imp_sth->stmt)
{
- if (mysql_stmt_close(imp_sth->stmt))
- {
- do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt),
- mysql_stmt_error(imp_sth->stmt),
- mysql_stmt_sqlstate(imp_sth->stmt));
- }
+ mysql_stmt_close(imp_sth->stmt);
+ imp_sth->stmt= NULL;
}
#endif
diff --git a/mysql.xs b/mysql.xs
index 55376e1..affde59 100644
--- a/mysql.xs
+++ b/mysql.xs
@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...)
if (bind)
Safefree(bind);
- if(mysql_stmt_close(stmt))
- {
- fprintf(stderr, "\n failed while closing the statement");
- fprintf(stderr, "\n %s", mysql_stmt_error(stmt));
- }
+ mysql_stmt_close(stmt);
+ stmt= NULL;
if (retval == -2) /* -2 means error */
{
--
1.7.9.5