Bug #41728 Dropped symbol but no soname change
Submitted: 24 Dec 2008 10:21 Modified: 15 May 2013 11:53
Reporter: Norbert Tretkowski Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Packaging Severity:S1 (Critical)
Version:5.0.67, 5.0.75 OS:Linux
Assigned to: Assigned Account CPU Architecture:Any
Tags: regression

[24 Dec 2008 10:21] Norbert Tretkowski
Description:
Between 5.0.51a and 5.0.67 the symbol mysql_odbc_escape_string was dropped, but the soname wasn't changed.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505938
https://bugs.launchpad.net/ubuntu/+source/mysql-dfsg-5.0/+bug/280011

How to repeat:
Build myodbc 3.51.15r409 against mysql 5.0.67 or 5.0.75.
[24 Dec 2008 11:33] Valeriy Kravchuk
Yes, this function was removed intentionally for security reasons. See bug #29592 (http://lists.mysql.com/commits/38505). Upgrade to Connector/ODBC 3.5.1.17 or newer. It does NOT refer to this fucntion any more.
[24 Dec 2008 12:48] Norbert Tretkowski
The binary compatibility got broken with this change, so it must get a bumped soname.

http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html#sonameapiabi
[24 Dec 2008 16:05] Valeriy Kravchuk
OK, I agree that this should be fixed.
[17 Feb 2009 8:33] Norbert Tretkowski
Any progress here yet? It doesn't seem to be fixed in 5.0.77.
[17 Feb 2009 9:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/66592

2739 Jonathan Perkin	2009-02-17
      bug#41728: mysql_odbc_escape_string symbol was removed.
      
      Bump 'current' SONAME according to libtool documentation.
[17 Feb 2009 9:33] Norbert Tretkowski
Jonathan, thanks for commiting the patch, but isn't 16 the ABI number used in MySQL 5.1?

If so, are libmysqlclient from 5.0 and 5.1 really ABI compatible?
[17 Feb 2009 9:39] Jonathan Perkin
Right, that was just pointed out to me, and causes a problem.  I don't yet know a correct way to fix this which won't break someone somehow...
[17 Feb 2009 9:57] Norbert Tretkowski
Correct me if I'm wrong, but I only see one solution to fix it: Bump 5.0 to 17 and 5.1 to 18.
[17 Feb 2009 10:20] Jonathan Perkin
My concern with that approach is whether there are any issues with having a higher soname for the new 5.0 client library than current existing 5.1+ libraries.  I think I'd prefer putting the function back in and fixing it to avoid any security problems while retaining the existing soname (and just ignoring that the ABI was broken during this period).  More investigation required...
[18 Feb 2009 13:35] Davi Arnaut
We could put back in 5.0 a stub mysql_odbc_escape_string that always return failure (NULL).
[5 Jul 2009 20:17] Christian Hammers
Any progress? The last proposal sounds ok, maybe write a warning to stderr in addition?
[26 Jul 2009 22:03] Olaf van der Spek
> We could put back in 5.0 a stub mysql_odbc_escape_string that always return failure (NULL).

Why is that better than the old situation?
Yes, now your app links but it still doesn't run properly (if it calls that function).
[26 Jul 2009 23:08] Davi Arnaut
The function was never intended to be used expect by Connector/ODBC. Furthermore, applications which relied on the function could be subject to security problems. On top of that, the name of the function clearly indicates that its intended for Connector/ODBC only and was/is not even documented.

We could probably re-implement it by using mysql_real_escape_string, but its probably not worth the effort just because someone somewhere might be using a function that was intended to be private.

So, unless someone can come up with a compelling argument to bring a fully capable mysql_odbc_escape_string to life, let's just let it rest in piece. Otherwise, we also accept patches.
[29 Sep 2009 12:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84991

2819 Davi Arnaut	2009-09-29
      Bug#41728: Dropped symbol but no soname change
      
      Restore a stub of the removed mysql_odbc_escape_string function
      to fix a ABI breakage. The function was intended to be private
      and used only by Connector/ODBC, but, unfortunately, it was exported
      as part of the ABI. Nonetheless, only a stub is restored as the
      original function is inherently broken and shouldn't be used.
      
      This restoration only applies to MySQL 5.0. This will be addressed
      differently in later versions -- reworked library versioning.
     @ include/mysql.h
        Restore mysql_odbc_escape_string prototype.
     @ include/mysql_h.ic
        Update ABI check.
     @ libmysql/libmysql.c
        Restore a mysql_odbc_escape_string stub.
     @ libmysql/libmysql.def
        Restore mysql_odbc_escape_string.
     @ libmysqld/libmysqld.def
        Restore mysql_odbc_escape_string.
[2 Nov 2009 10:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88917

2834 Davi Arnaut	2009-09-29
      Bug#41728: Dropped symbol but no soname change
      
      Restore a stub of the removed mysql_odbc_escape_string function
      to fix a ABI breakage. The function was intended to be private
      and used only by Connector/ODBC, but, unfortunately, it was exported
      as part of the ABI. Nonetheless, only a stub is restored as the
      original function is inherently broken and shouldn't be used.
      
      This restoration only applies to MySQL 5.0. This will be addressed
      differently in later versions -- reworked library versioning.
     @ include/mysql.h
        Restore mysql_odbc_escape_string prototype.
     @ include/mysql_h.ic
        Update ABI check.
     @ libmysql/libmysql.c
        Restore a mysql_odbc_escape_string stub.
     @ libmysql/libmysql.def
        Restore mysql_odbc_escape_string.
     @ libmysqld/libmysqld.def
        Restore mysql_odbc_escape_string.
[2 Nov 2009 11:33] Davi Arnaut
Queued to 5.0-bugteam
[4 Nov 2009 9:16] Bugs System
Pushed into 5.0.88 (revid:joro@sun.com-20091104091355-hpz6dwgkrfmokj3k) (version source revid:davi.arnaut@sun.com-20090929125553-aar3jgiubpyszsvb) (merge vers: 5.0.88) (pib:13)
[4 Nov 2009 9:24] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41) (pib:13)
[11 Nov 2009 6:50] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha) (pib:13)
[11 Nov 2009 6:57] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version source revid:alik@sun.com-20091105110316-pn162zoddxj89lbh) (merge vers: 5.5.0-beta) (pib:13)
[24 Nov 2009 20:34] Paul DuBois
Noted in 5.0.88, 5.1.41 changelog entries.

A stub of the previously removed mysql_odbc_escape_string() function 
was restored to fix a ABI breakage. The function was intended to be
private and used only by Connector/ODBC, but, unfortunately, it was
exported as part of the ABI. Nonetheless, only a stub is restored as
the original function is inherently broken and shouldn't be used.

Setting report to Verified per Davi request..

Ignoring push to 5.5.0, 6.0.14 per Davi.
[24 Nov 2009 21:16] Paul DuBois
Correction, previous changelog entry is not in 5.1.41 changelog.
[18 Dec 2009 10:30] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:46] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:01] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:15] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)
[26 Jun 2011 16:19] Valeriy Kravchuk
Can anybody explain me why this bug is still "Verified"?
[15 May 2013 11:53] Yngve Svendsen
Spring cleaning. This was fixed a long time ago.