From a4ffee2fbc0166945269bf8dc89b51bcd6256ab4 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Fri, 25 Jul 2025 10:50:41 +0200
Subject: [PATCH 1/2] mysql80: 8.0.42 -> 8.0.43

Fixes CVE-2025-50078, CVE-2025-50082, CVE-2025-50083, CVE-2025-50085, CVE-2025-50077, CVE-2025-50092, CVE-2025-50099, CVE-2025-50086, CVE-2025-50093, CVE-2025-50094, CVE-2025-50079, CVE-2025-50084, CVE-2025-50087, CVE-2025-50091, CVE-2025-50101, CVE-2025-50102, CVE-2025-53023, CVE-2025-50097, CVE-2025-50080, CVE-2025-50096, CVE-2025-50081, CVE-2025-50104, CVE-2025-50098 and CVE-2025-50100.
https://www.oracle.com/security-alerts/cpujul2025.html#AppendixMSQL
Changes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-43.html
(cherry picked from commit 00ac980af1112162e1b7ebf174cc6cc2b18f0352)
---
 pkgs/servers/sql/mysql/8.0.x.nix | 12 +-
 pkgs/servers/sql/mysql/libcpp-fixes.patch | 183 ----------------------
 2 files changed, 2 insertions(+), 193 deletions(-)
 delete mode 100644 pkgs/servers/sql/mysql/libcpp-fixes.patch
diff --git a/pkgs/servers/sql/mysql/8.0.x.nix b/pkgs/servers/sql/mysql/8.0.x.nix
index 5bf46145cb65..3345c368a6da 100644
--- a/pkgs/servers/sql/mysql/8.0.x.nix
+++ b/pkgs/servers/sql/mysql/8.0.x.nix
@@ -2,7 +2,6 @@
 lib,
 stdenv,
 fetchurl,
- fetchpatch,
 bison,
 cmake,
 pkg-config,
@@ -31,11 +30,11 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "mysql";
- version = "8.0.42";
+ version = "8.0.43";
 src = fetchurl {
 url = "https://dev.mysql.com/get/Downloads/MySQL-${lib.versions.majorMinor finalAttrs.version}/mysql-${finalAttrs.version}.tar.gz";
- hash = "sha256-XrIsIMILdlxYlMkBBIW9B9iptuv7YovP0wYHAXFVJv4=";
+ hash = "sha256-diUKgQFch49iUhz68w3/DqmyUJeNKx3/AHQIo5jV25M=";
 };
 nativeBuildInputs = [
@@ -48,13 +47,6 @@ stdenv.mkDerivation (finalAttrs: {
 patches = [
 ./no-force-outline-atomics.patch # Do not force compilers to turn on -moutline-atomics switch
- # Fix compilation with LLVM 19, adapted from https://github.com/mysql/mysql-server/commit/3a51d7fca76e02257f5c42b6a4fc0c5426bf0421
- # in https://github.com/NixOS/nixpkgs/pull/374591#issuecomment-2615855076
- ./libcpp-fixes.patch
- (fetchpatch {
- url = "https://github.com/mysql/mysql-server/commit/4a5c00d26f95faa986ffed7a15ee15e868e9dcf2.patch";
- hash = "sha256-MEl1lQlDYtFjHk0+S02RQFnxMr+YeFxAyNjpDtVHyeE=";
- })
 ];
 ## NOTE: MySQL upstream frequently twiddles the invocations of libtool. When updating, you might proactively grep for libtool references.
diff --git a/pkgs/servers/sql/mysql/libcpp-fixes.patch b/pkgs/servers/sql/mysql/libcpp-fixes.patch
deleted file mode 100644
index d7ba0740a42c..000000000000
--- a/pkgs/servers/sql/mysql/libcpp-fixes.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-diff --git a/include/my_char_traits.h b/include/my_char_traits.h
-new file mode 100644
-index 00000000..6336bc03
---- /dev/null
-+++ b/include/my_char_traits.h
-@@ -0,0 +1,65 @@
-+/* Copyright (c) 2024, Oracle and/or its affiliates.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License, version 2.0,
-+ as published by the Free Software Foundation.
-+
-+ This program is designed to work with certain software (including
-+ but not limited to OpenSSL) that is licensed under separate terms,
-+ as designated in a particular file or component or in included license
-+ documentation. The authors of MySQL hereby grant you an additional
-+ permission to link the program and your derivative works with the
-+ separately licensed software that they have either included with
-+ the program or referenced in the documentation.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License, version 2.0, for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program; if not, write to the Free Software
-+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
-+
-+#ifndef MY_CHAR_TRAITS_INCLUDED
-+#define MY_CHAR_TRAITS_INCLUDED
-+
-+#include
-+
-+template
-+struct my_char_traits;
-+
-+/*
-+ This is a standards-compliant, drop-in replacement for
-+ std::char_traits
-+ We need this because clang libc++ is removing support for it in clang 19.
-+ It is not a complete implementation. Rather we implement just enough to
-+ compile any usage of char_traits we have in our codebase.
-+ */
-+template <>
-+struct my_char_traits {
-+ using char_type = unsigned char;
-+ using int_type = unsigned int;
-+
-+ static void assign(char_type &c1, const char_type &c2) { c1 = c2; }
-+
-+ static char_type *assign(char_type *s, std::size_t n, char_type a) {
-+ return static_cast(memset(s, a, n));
-+ }
-+
-+ static int compare(const char_type *s1, const char_type *s2, std::size_t n) {
-+ return memcmp(s1, s2, n);
-+ }
-+
-+ static char_type *move(char_type *s1, const char_type *s2, std::size_t n) {
-+ if (n == 0) return s1;
-+ return static_cast(memmove(s1, s2, n));
-+ }
-+
-+ static char_type *copy(char_type *s1, const char_type *s2, std::size_t n) {
-+ if (n == 0) return s1;
-+ return static_cast(memcpy(s1, s2, n));
-+ }
-+};
-+
-+#endif // MY_CHAR_TRAITS_INCLUDED
-diff --git a/sql/mdl_context_backup.h b/sql/mdl_context_backup.h
-index 89e7e23d..cf9c307e 100644
---- a/sql/mdl_context_backup.h
-+++ b/sql/mdl_context_backup.h
-@@ -28,6 +28,7 @@
- #include
- #include
- 
-+#include "my_char_traits.h"
- #include "sql/malloc_allocator.h"
- #include "sql/mdl.h"
- 
-@@ -47,7 +48,8 @@ class MDL_context_backup_manager {
- /**
- Key for uniquely identifying MDL_context in the MDL_context_backup map.
- */
-- typedef std::basic_string MDL_context_backup_key;
-+ using MDL_context_backup_key =
-+ std::basic_string>;
- 
- class MDL_context_backup;
- 
-diff --git a/sql/stream_cipher.h b/sql/stream_cipher.h
-index 606d4064..358fbb41 100644
---- a/sql/stream_cipher.h
-+++ b/sql/stream_cipher.h
-@@ -28,6 +28,8 @@
- #include
- #include
- 
-+#include "my_char_traits.h"
-+
- /**
- @file stream_cipher.h
- 
-@@ -35,7 +37,8 @@
- binary log files.
- */
- 
--typedef std::basic_string Key_string;
-+using Key_string =
-+ std::basic_string>;
- 
- /**
- @class Stream_cipher
-diff --git a/unittest/gunit/binlogevents/transaction_compression-t.cc b/unittest/gunit/binlogevents/transaction_compression-t.cc
-index ba13f979..01af0e3a 100644
---- a/unittest/gunit/binlogevents/transaction_compression-t.cc
-+++ b/unittest/gunit/binlogevents/transaction_compression-t.cc
-@@ -23,6 +23,7 @@
- */
- 
- #include
-+#include
- 
- #include
- #include "libbinlogevents/include/binary_log.h"
-@@ -51,14 +52,13 @@ class TransactionPayloadCompressionTest : public ::testing::Test {
- using Managed_buffer_t = Decompressor_t::Managed_buffer_t;
- using Size_t = Decompressor_t::Size_t;
- using Char_t = Decompressor_t::Char_t;
-- using String_t = std::basic_string;
- using Decompress_status_t =
- binary_log::transaction::compression::Decompress_status;
- using Compress_status_t =
- binary_log::transaction::compression::Compress_status;
- 
-- static String_t constant_data(Size_t size) {
-- return String_t(size, (Char_t)'a');
-+ static std::string constant_data(Size_t size) {
-+ return std::string(size, (Char_t)'a');
- }
- 
- protected:
-@@ -69,7 +69,7 @@ class TransactionPayloadCompressionTest : public ::testing::Test {
- void TearDown() override {}
- 
- static void compression_idempotency_test(Compressor_t &c, Decompressor_t &d,
-- String_t data) {
-+ const std::string &data) {
- auto debug_string = concat(
- binary_log::transaction::compression::type_to_string(c.get_type_code()),
- " ", data.size());
-@@ -104,8 +104,8 @@ class TransactionPayloadCompressionTest : public ::testing::Test {
- 
- // Check decompressed data
- ASSERT_EQ(managed_buffer.read_part().size(), data.size()) << debug_string;
-- ASSERT_EQ(data, String_t(managed_buffer.read_part().begin(),
-- managed_buffer.read_part().end()))
-+ ASSERT_EQ(data, std::string(managed_buffer.read_part().begin(),
-+ managed_buffer.read_part().end()))
- << debug_string;
- 
- // Check that we reached EOF
-@@ -118,7 +118,7 @@ TEST_F(TransactionPayloadCompressionTest, CompressDecompressZstdTest) {
- for (auto size : buffer_sizes) {
- binary_log::transaction::compression::Zstd_dec d;
- binary_log::transaction::compression::Zstd_comp c;
-- String_t data{TransactionPayloadCompressionTest::constant_data(size)};
-+ std::string data{TransactionPayloadCompressionTest::constant_data(size)};
- TransactionPayloadCompressionTest::compression_idempotency_test(c, d, data);
- c.set_compression_level(22);
- TransactionPayloadCompressionTest::compression_idempotency_test(c, d, data);
-@@ -129,7 +129,7 @@ TEST_F(TransactionPayloadCompressionTest, CompressDecompressNoneTest) {
- for (auto size : buffer_sizes) {
- binary_log::transaction::compression::None_dec d;
- binary_log::transaction::compression::None_comp c;
-- String_t data{TransactionPayloadCompressionTest::constant_data(size)};
-+ std::string data{TransactionPayloadCompressionTest::constant_data(size)};
- TransactionPayloadCompressionTest::compression_idempotency_test(c, d, data);
- }
- }
\ No newline at end of file
From f49d03ac7b772c2634e8ddbce186a8e9c1d1100c Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Fri, 25 Jul 2025 11:10:09 +0200
Subject: [PATCH 2/2] mysql84: 8.4.5 -> 8.4.6

Fixes CVE-2025-50078, CVE-2025-50082, CVE-2025-50083, CVE-2025-50085, CVE-2025-50077, CVE-2025-50092, CVE-2025-50099, CVE-2025-50086, CVE-2025-50093, CVE-2025-50094, CVE-2025-50079, CVE-2025-50084, CVE-2025-50087, CVE-2025-50091, CVE-2025-50101, CVE-2025-50102, CVE-2025-50097, CVE-2025-50080, CVE-2025-50096, CVE-2025-50081, CVE-2025-50104, CVE-2025-50098 and CVE-2025-50100.
https://www.oracle.com/security-alerts/cpujul2025.html#AppendixMSQL
Changes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-6.html
(cherry picked from commit 8608f6e7b3321d8319230cf869a0dad96255479b)
---
 pkgs/by-name/my/mysql84/package.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/by-name/my/mysql84/package.nix b/pkgs/by-name/my/mysql84/package.nix
index 02131a505d20..dfc07e36b6f7 100644
--- a/pkgs/by-name/my/mysql84/package.nix
+++ b/pkgs/by-name/my/mysql84/package.nix
@@ -27,11 +27,11 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "mysql";
- version = "8.4.5";
+ version = "8.4.6";
 src = fetchurl {
 url = "https://dev.mysql.com/get/Downloads/MySQL-${lib.versions.majorMinor finalAttrs.version}/mysql-${finalAttrs.version}.tar.gz";
- hash = "sha256-U2OVkqcgpxn9+t8skhuUfqyGwG4zMgLkdmeFKleBvRo=";
+ hash = "sha256-oeUj3IvpbRilreEGmYZhKFygG29bRsCLJlQRDkDfL7c=";
 };
 nativeBuildInputs = [