Installing MariaDB server from the Debian packages fails if the root password contains a double quotation mark character ("), because the input is not sanitized.
As a result, the post-install script from the mariadb-server-. package will try to run a query such as:
This query is invalid and will throw an incorrect error such as:
The offending code is located in mariadb-server-10.0.postinst: https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
The query is generated on line 43 using the password from $rootpw, taken at line 183 from debconf or the interactive dialog, without any sanitization or checks.
Forbidding some special characters in the interactive dialog would be a good thing (if possible), as using some special characters such as a single quotation mark or a backtick might be problematic at some other points:
Another simple solution for this specific bug would be to escape double quotation marks in the $rootpw variable before generating the query at line 41.
– This bug was originally reported on IRC by rachie
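A sketch of the escaping fix suggested above, as an added example that is not the package's own code. The function names, the query text and the sample passwords are assumptions made for illustration, and the escaping relies on the server's default backslash-escape behaviour (NO_BACKSLASH_ESCAPES not set).

```shell
#!/bin/sh
# Added example, not taken from mariadb-server-10.0.postinst.
# The UPDATE statement below is an assumed stand-in for the query the
# postinst builds; only the quoting behaviour matters here.

# Escape a value for use inside a double-quoted MySQL string literal.
# Backslashes are doubled first so that the backslashes added in front of
# each double quote are not themselves re-escaped.
escape_sql_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Behaviour described in the report: the password is interpolated as-is,
# so a double quote in it ends the string literal early.
build_query_unsafe() {
    printf "UPDATE user SET password=PASSWORD(\"%s\") WHERE user='root';\n" "$1"
}

# Hardened form: escape first, then interpolate.
build_query_safe() {
    esc=$(escape_sql_dq "$1")
    printf "UPDATE user SET password=PASSWORD(\"%s\") WHERE user='root';\n" "$esc"
}

# Count double quotes that are not preceded by a backslash escape.
# A well-formed statement of the shape above has exactly two of them.
count_unescaped_dq() {
    printf '%s' "$1" | sed -e 's/\\.//g' | tr -cd '"' | wc -c | tr -d ' '
}

# Constructed sample passwords (not from the report).
for pw in 'plain' 'pa"ss' 'back\slash' 'both\"mixed'; do
    unsafe=$(build_query_unsafe "$pw")
    safe=$(build_query_safe "$pw")
    printf 'password: %s\n' "$pw"
    printf '  unsafe (%s unescaped quotes): %s\n' "$(count_unescaped_dq "$unsafe")" "$unsafe"
    printf '  safe   (%s unescaped quotes): %s\n' "$(count_unescaped_dq "$safe")" "$safe"
done
```

Passing the password to the client as a bound parameter or through a file-based mechanism would avoid string building entirely; the escaping shown here is the narrower fix the report proposes.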