[Medium] Patch mysql for CVE-2025-0838

[v-aaditya]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch mysql for CVE-2025-0838

• Upstream patch has been backported manually.
• Defined ABSL_SWISSTABLE_ASSERT macro, referred upstream source.
• SlotOffset() has been used in place of slot_offset_ from upstream patch, as its already being used in the current source.
• Upstream Patch reference: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1.patch

Change Log

• modified: SPECS/mysql/mysql.spec
• added: SPECS/mysql/CVE-2025-0838.patch

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-0838

Test Methodology

• Local build could not be completed due to resource limitation.

[v-aaditya]

Buddy Build has been triggered - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1050450&view=results

[Kanishk-Bansal]

as the ptest is known failure and we have skipped it in 2.0 as well. Can you skip it here as well? Even fedora has skipped the tests.

[v-aaditya]

as the ptest is known failure and we have skipped it in 2.0 as well. Can you skip it here as well? Even fedora has skipped the tests.
Skipped the ptests by updating the spec file.

[Kanishk-Bansal]

After skipping the known failure cases - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1050530&view=results

[v-aaditya]

After skipping the known failure cases - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1050530&view=results

The Buddy Build has passed on arm64 but failed on amd64 due to test case failure. The test cases which are getting failed are similar to the ones which were failed in the 1st Buddy Build, although SPEC file is updated as per 2.0 branch.

I am looking into it.

[v-aaditya]

After skipping the known failure cases - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1050530&view=results

The Buddy Build has passed on arm64 but failed on amd64 due to test case failure. The test cases which are getting failed are similar to the ones which were failed in the 1st Buddy Build, although SPEC file is updated as per 2.0 branch.

I am looking into it.

Hi @Kanishk-Bansal

Till now my observations are as follows -

1. The test cases which are getting failed are actually failing in earlier builds as well, referred past build test logs.
2. "merge_large_tests" test-suite which is skipped in latest Buddy build, is actually getting passed in 1st buddy build of this PR.

Now I am investigating, how these test cases are getting passed on 2.0 branch, but getting failed here on 3.0 branch.

[Kanishk-Bansal]

Buddy Build

[v-aaditya]

Buddy Build

Buddy Build has failed again and similar cases failing here as well when compared to 2nd Buddy build. Although when I tried to build locally using containerized rpm build for mysql with latest spec file, only 3 cases were getting failed due to timeout and other reasons.

I am looking into it.

[v-aaditya]

Buddy Build has been triggered again - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1058494&view=results

[v-aaditya]

Buddy Build has been triggered again - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1058494&view=results

The latest buddy build has failed due to some dead code related to GTEST is present in the file, from where the ptests have been removed. Once the dead code is removed, the Buddy build will pass. Patch file need to be updated.

Kindly note, that no such issues came while executing containerized RPM build locally.

[v-aaditya]

Again, triggered the Buddy Build - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1061155&view=results

[v-aaditya]

Again, triggered the Buddy Build - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1061155&view=results

The latest Buddy Build has passed.
CC: @Kanishk-Bansal

[v-aaditya]

Again, triggered the Buddy Build with updated patch file - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1063464&view=results

[v-aaditya]

Again, triggered the Buddy Build with updated patch file - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1063464&view=results

The Buddy Build has failed due to reasons unrelated to this PR. All the Buddy builds which have been triggered today, have same issue.

It has to be re-triggered once the Buddy Build issue is resolved.

[Kanishk-Bansal]

Buddy Build

[mfrw]

• Patches apply cleanly
• Patch looks good w.r.t upstream
• Test Build passes

Signed-Off by: @mfrw

[mfrw]

Patch looks good w.r.t upstream

[kgodara912]

Please don't skip test cases which are only failing for one architecture instead, the tests can be conditionally included or excluded. Only large tests was the one which was having issue. Include other test for arm testing. You may apply changes conditionally based on arch, so when arch is not x86, then don't apply the patch so all other architectures can be tested.

[v-aaditya]

Please don't skip test cases which are only failing for one architecture instead, the tests can be conditionally included or excluded. Only large tests was the one which was having issue. Include other test for arm testing. You may apply changes conditionally based on arch, so when arch is not x86, then don't apply the patch so all other architectures can be tested.

Sure, I will update the spec file accordingly and confirm.

[v-aaditya]

Updated the spec file.
@Kanishk-Bansal Could you please re-trigger the Buddy Build.

[v-aaditya]

Please don't skip test cases which are only failing for one architecture instead, the tests can be conditionally included or excluded. Only large tests was the one which was having issue. Include other test for arm testing. You may apply changes conditionally based on arch, so when arch is not x86, then don't apply the patch so all other architectures can be tested.

Hi @kgodara912
I have updated the spec file and now the patch only applies on x86_64 arch.
The latest Buddy Build has been triggered and has passed !
I have also referred the same in generated logs and verified that the patch only applies on amd64 and it does not apply on arm64.

[kgodara912]

Upstream patch is backported with adaptation to the existing version. Buddy build is successful. The test failures were specific to x86 and are addressed in this along with flaky merge_large_tests test . LGTM.