MariaDB Server: MDEV-7414

Debian package installation of MariaDB server fails if a double quotation mark is used on the root password

    Details

      Description

      Package installation of MariaDB server using the Debian packages fails if a double quotation mark character (") is used in the root password, because the post-install script performs no input sanitization on it.

      As a result, the post-install script from the mariadb-server-. package tries to run a query such as:

      UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';

      which is invalid and makes the server return a syntax error such as:

      ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1

      The incriminated code is located on mariadb-server-10.0.postinst : https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
      The query is generated on line 43 using the password from $rootpw, taken at line 183 from debconf or the interactive dialog, without any sanitization or checks.

      Forbidding some special characters in the interactive dialog would be a good thing (if possible), as other special characters such as a single quotation mark or a backtick might be problematic at other points: MDEV-4664.

      Another simple solution for this specific bug would be to escape double quotation marks in the $rootpw variable before generating the query at line 41.
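      The two remedies suggested above, as an added example that is not the package's own postinst code: `sql_escape_dq` escapes a value for use inside a double-quoted MariaDB string literal (backslashes first, then double quotes, assuming the default sql_mode where backslash escapes are active), `safe_query` builds the UPDATE statement from the escaped value next to the `unsafe_query` form the report describes, and `password_is_safe` rejects passwords containing the characters the report flags as risky in other contexts. The function names and the sample password are constructed for this example.

```shell
# Escape a value for interpolation inside a double-quoted MariaDB string
# literal. Backslashes are doubled before quotes are escaped so that an
# escape we introduce is never itself escaped again. Assumes the default
# sql_mode (NO_BACKSLASH_ESCAPES not set) and a single-line password, as
# debconf supplies.
sql_escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Unsafe form: the raw password is interpolated into the statement, which
# is what the postinst did. A password such as wx"yz terminates the literal
# early and the server rejects the statement with error 1064.
unsafe_query() {
    printf 'UPDATE user SET password=PASSWORD("%s") WHERE user='"'"'root'"'"';' "$1"
}

# Hardened form: escape before interpolating, so the quote stays inside the
# literal and the password is stored exactly as typed.
safe_query() {
    printf 'UPDATE user SET password=PASSWORD("%s") WHERE user='"'"'root'"'"';' \
        "$(sql_escape_dq "$1")"
}

# Alternative the report mentions: refuse passwords containing characters
# that are risky in other interpolation contexts (single quote, double
# quote, backtick, backslash). Returns 0 if the password is acceptable.
password_is_safe() {
    case "$1" in
        *\"* | *\'* | *\`* | *\\*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration with a constructed sample password.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample='wx"yz'   # constructed sample, not a real credential
    echo "unsafe: $(unsafe_query "$sample")"
    echo "safe:   $(safe_query "$sample")"
    if password_is_safe "$sample"; then
        echo "policy: accepted"
    else
        echo "policy: rejected (contains a quote, backtick or backslash)"
    fi
fi
```

      The escaping only has to know about two characters because the value sits inside a double-quoted literal; it is not a general-purpose quoting routine and does nothing for the single-quote or backtick problems tracked in MDEV-4664, which is why the reject-list check is shown alongside it.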

      This bug was originally reported on IRC by rachie.

              Activity

              There are no comments yet on this issue.

                People

                • Assignee:
                  serg Sergei Golubchik
                  Reporter:
                  jb-boin Jean Weisbuch