Bug #41728 Dropped symbol but no soname change
Submitted: 24 Dec 2008 11:21 Modified: 24 Nov 21:34
Reporter: Norbert Tretkowski
Status: Verified
Category: Server: Packaging Severity: S1 (Critical)
Version: 5.0.67, 5.0.75 OS: Linux
Assigned to: Davi Arnaut Target Version: 5.0+
Tags: regression
Triage: Triaged: D3 (Medium) / R2 (Low) / E2 (Low)

[24 Dec 2008 11:21] Norbert Tretkowski
Description:
Between 5.0.51a and 5.0.67 the symbol mysql_odbc_escape_string was dropped, but the
soname wasn't changed.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505938
https://bugs.launchpad.net/ubuntu/+source/mysql-dfsg-5.0/+bug/280011

How to repeat:
Build myodbc 3.51.15r409 against mysql 5.0.67 or 5.0.75.
[24 Dec 2008 12:33] Valeriy Kravchuk
Yes, this function was removed intentionally for security reasons. See bug #29592
(http://lists.mysql.com/commits/38505). Upgrade to Connector/ODBC 3.5.1.17 or newer. It
does NOT refer to this function any more.
[24 Dec 2008 13:48] Norbert Tretkowski
The binary compatibility got broken with this change, so it must get a bumped soname.

http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html#sonameapiabi
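
The check a packager can run to catch the situation reported above, as an added example that is not part of the original thread or of MySQL's build system: it compares the exported symbols of two builds and flags any removal that was not accompanied by a SONAME change. The `nm -D --defined-only` listings, the addresses, and the `.so.X`/`.so.Y` SONAME placeholders are constructed sample values.

```python
"""Flag exported symbols dropped between two builds of a shared library
whose SONAME did not change."""

# Constructed sample input: trimmed `nm -D --defined-only` listings for an
# older and a newer build of the client library. Addresses are made up.
OLD_NM = """\
0000000000012340 T mysql_init
0000000000012a10 T mysql_real_escape_string
0000000000012b80 T mysql_odbc_escape_string
0000000000031000 D mysql_port
"""
NEW_NM = """\
0000000000012400 T mysql_init
0000000000012b00 T mysql_real_escape_string
0000000000031000 D mysql_port
"""

# nm type letters for globally visible definitions (text, data, bss,
# read-only data, weak, indirect function).
EXPORTED_TYPES = set("TDBRWVi")


def exported_symbols(nm_output):
    """Return the set of defined dynamic symbols in `nm -D` output."""
    symbols = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:      # skip blank lines and undefined ("U name") rows
            continue
        _addr, sym_type, name = fields
        if sym_type in EXPORTED_TYPES:
            symbols.add(name.split("@")[0])   # drop @@VERSION suffixes
    return symbols


def abi_check(old_soname, old_nm, new_soname, new_nm):
    """Compare two builds; a removed symbol with an unchanged SONAME is a break."""
    old, new = exported_symbols(old_nm), exported_symbols(new_nm)
    removed = sorted(old - new)
    added = sorted(new - old)
    broken = bool(removed) and old_soname == new_soname
    return {"removed": removed, "added": added, "abi_broken": broken}


if __name__ == "__main__":
    # SONAME strings would come from `objdump -p <lib> | grep SONAME`;
    # "libmysqlclient.so.X" is a placeholder, not a real version number.
    print(abi_check("libmysqlclient.so.X", OLD_NM,
                    "libmysqlclient.so.X", NEW_NM))
```

Added symbols alone do not require a new SONAME; only the removed list combined with an unchanged SONAME marks the break.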
[24 Dec 2008 17:05] Valeriy Kravchuk
OK, I agree that this should be fixed.
[17 Feb 9:33] Norbert Tretkowski
Any progress here yet? It doesn't seem to be fixed in 5.0.77.
[17 Feb 10:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/66592

2739 Jonathan Perkin	2009-02-17
      bug#41728: mysql_odbc_escape_string symbol was removed.
      
      Bump 'current' SONAME according to libtool documentation.
[17 Feb 10:33] Norbert Tretkowski
Jonathan, thanks for committing the patch, but isn't 16 the ABI number used in MySQL 5.1?

If so, are libmysqlclient from 5.0 and 5.1 really ABI compatible?
[17 Feb 10:39] Jonathan Perkin
Right, that was just pointed out to me, and causes a problem.  I don't yet know a correct
way to fix this which won't break someone somehow...
[17 Feb 10:57] Norbert Tretkowski
Correct me if I'm wrong, but I only see one solution to fix it: Bump 5.0 to 17 and 5.1 to
18.
[17 Feb 11:20] Jonathan Perkin
My concern with that approach is whether there are any issues with having a higher soname
for the new 5.0 client library than current existing 5.1+ libraries.  I think I'd prefer
putting the function back in and fixing it to avoid any security problems while retaining
the existing soname (and just ignoring that the ABI was broken during this period).  More
investigation required...
[18 Feb 14:35] Davi Arnaut
We could put back in 5.0 a stub mysql_odbc_escape_string that always returns failure
(NULL).
[5 Jul 22:17] Christian Hammers
Any progress? The last proposal sounds ok, maybe write a warning to stderr in addition?
[27 Jul 0:03] Olaf van der Spek
> We could put back in 5.0 a stub mysql_odbc_escape_string that always returns failure
> (NULL).

Why is that better than the old situation?
Yes, now your app links but it still doesn't run properly (if it calls that function).
[27 Jul 1:08] Davi Arnaut
The function was never intended to be used except by Connector/ODBC. Furthermore,
applications which relied on the function could be subject to security problems. On top
of that, the name of the function clearly indicates that it's intended for Connector/ODBC
only and was/is not even documented.

We could probably re-implement it by using mysql_real_escape_string, but it's probably not
worth the effort just because someone somewhere might be using a function that was
intended to be private.

So, unless someone can come up with a compelling argument to bring a fully capable
mysql_odbc_escape_string to life, let's just let it rest in peace. Otherwise, we also
accept patches.
[29 Sep 14:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84991

2819 Davi Arnaut	2009-09-29
      Bug#41728: Dropped symbol but no soname change
      
      Restore a stub of the removed mysql_odbc_escape_string function
      to fix an ABI breakage. The function was intended to be private
      and used only by Connector/ODBC, but, unfortunately, it was exported
      as part of the ABI. Nonetheless, only a stub is restored as the
      original function is inherently broken and shouldn't be used.
      
      This restoration only applies to MySQL 5.0. This will be addressed
      differently in later versions -- reworked library versioning.
     @ include/mysql.h
        Restore mysql_odbc_escape_string prototype.
     @ include/mysql_h.ic
        Update ABI check.
     @ libmysql/libmysql.c
        Restore a mysql_odbc_escape_string stub.
     @ libmysql/libmysql.def
        Restore mysql_odbc_escape_string.
     @ libmysqld/libmysqld.def
        Restore mysql_odbc_escape_string.
[2 Nov 11:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88917

2834 Davi Arnaut	2009-09-29
      Bug#41728: Dropped symbol but no soname change
      
      Restore a stub of the removed mysql_odbc_escape_string function
      to fix an ABI breakage. The function was intended to be private
      and used only by Connector/ODBC, but, unfortunately, it was exported
      as part of the ABI. Nonetheless, only a stub is restored as the
      original function is inherently broken and shouldn't be used.
      
      This restoration only applies to MySQL 5.0. This will be addressed
      differently in later versions -- reworked library versioning.
     @ include/mysql.h
        Restore mysql_odbc_escape_string prototype.
     @ include/mysql_h.ic
        Update ABI check.
     @ libmysql/libmysql.c
        Restore a mysql_odbc_escape_string stub.
     @ libmysql/libmysql.def
        Restore mysql_odbc_escape_string.
     @ libmysqld/libmysqld.def
        Restore mysql_odbc_escape_string.
[2 Nov 12:33] Davi Arnaut
Queued to 5.0-bugteam
[4 Nov 10:16] Bugs System
Pushed into 5.0.88 (revid:joro@sun.com-20091104091355-hpz6dwgkrfmokj3k) (version source
revid:davi.arnaut@sun.com-20090929125553-aar3jgiubpyszsvb) (merge vers: 5.0.88) (pib:13)
[4 Nov 10:24] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source
revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41)
(pib:13)
[11 Nov 7:50] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version
source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha)
(pib:13)
[11 Nov 7:57] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version
source revid:alik@sun.com-20091105110316-pn162zoddxj89lbh) (merge vers: 5.5.0-beta)
(pib:13)
[24 Nov 21:34] Paul DuBois
Noted in 5.0.88, 5.1.41 changelog entries.

A stub of the previously removed mysql_odbc_escape_string() function
was restored to fix an ABI breakage. The function was intended to be
private and used only by Connector/ODBC, but, unfortunately, it was
exported as part of the ABI. Nonetheless, only a stub is restored as
the original function is inherently broken and shouldn't be used.

Setting report to Verified per Davi's request.

Ignoring push to 5.5.0, 6.0.14 per Davi.
[24 Nov 22:16] Paul DuBois
Correction, previous changelog entry is not in 5.1.41 changelog.