bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)

[zimoun]

Hi Léo,

On Tue, 30 Mar 2021 at 02:26, Léo Le Bouter <lle-bout@zaclys.net> wrote:

> I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
> patch. Thank you for it. Let's watch for upstream zstd fix also.

Thanks.  It mitigates zstd, even if it does not solve MariaDB.  One
foot, then another. :-)

> I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.

Cool!  LTGM.

> Ubuntu released a patch in the mean time, so while we couldnt make such
> patch in a timely manner because the backport was non-trivial and
> security-sensitive also didnt want to risk failing to fix the flaw
> because I don't have much expertise on it, Ubuntu now has done that
> work and we can just use it.

Thanks for taking care.  And do not consider my concerns as a slowdown
but instead as a way to reach something better.  For instance
9feef62b73 seems The Right Thing (AFAIU), whereas 6f873731a0 and
2bcfb944bd are not (AFAIK).  On one hand, I agree that ~3 weeks
appears long through the lens of security vulnerabilities.  On the
other hand, it is usually worth to take the time; as here. :-)
Examine the various options and so the best move always takes time.

Well, thanks for pushing forward with security.

All the best,
simon