
Debian package installation of MariaDB server fails if a double quotation mark is used on the root password

Description

      Package installation of MariaDB server using Debian packages fails if a double quotation mark character (") is used in the root password, due to a lack of input sanitization.

      As a result, the post install script from the mariadb-server-. package will try to run a query such as :

      UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';

      which is invalid and makes the server return a misleading error such as:

      ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1

      The incriminated code is located on mariadb-server-10.0.postinst : https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
      The query is generated on line 43 using the password in $rootpw, which is taken at line 183 from debconf or the interactive dialog without any sanitization or checks.

      Forbidding some special characters in the interactive dialog would be a good thing (if possible), as using some special characters such as a single quotation mark or a backtick might be problematic at some other points: MDEV-4664.

      Another simple solution for this specific bug would be to escape double quotation marks from the $rootpw variable before generating the query at line 41.
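The two remedies the report suggests (rejecting problematic characters, or escaping the password before interpolating it into the statement), as an added shell example that is not part of the postinst script or of MariaDB's packaging; the function names, the sample password and the demo at the bottom are assumptions:

```shell
#!/bin/sh
# Added example: shows how the postinst-style query breaks on a password
# containing a double quote, and two ways to handle it. Not the real
# mariadb-server postinst code; function and variable names are assumed.

# Mirrors the reported bug: $rootpw is interpolated verbatim into the
# statement, so a password such as wx"yz closes the string literal early.
build_query_unsafe() {
    printf "UPDATE user SET password=PASSWORD(\"%s\") WHERE user='root';\n" "$1"
}

# Remedy 1: refuse passwords containing characters that alter the meaning of
# the generated statement or are known to cause trouble elsewhere
# (the report cites single quotes and backticks via MDEV-4664).
password_is_safe() {
    if printf '%s' "$1" | grep -q '["'"'"'`\]'; then
        return 1
    fi
    return 0
}

# Remedy 2: escape backslashes and double quotes so the value is a valid
# MySQL double-quoted string literal. Caveat: backslash escaping only works
# when the server is not running with sql_mode NO_BACKSLASH_ESCAPES.
sql_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

build_query_safe() {
    escaped=$(sql_escape "$1")
    printf "UPDATE user SET password=PASSWORD(\"%s\") WHERE user='root';\n" "$escaped"
}

# Demo with the constructed password from the report.
sample_pw='wx"yz'
echo "unsafe: $(build_query_unsafe "$sample_pw")"
echo "safe:   $(build_query_safe "$sample_pw")"
if password_is_safe "$sample_pw"; then
    echo "check:  password accepted"
else
    echo "check:  password rejected by character check"
fi
```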

      This bug was originally reported on IRC by rachie

            People

              serg Sergei Golubchik
              jb-boin Jean Weisbuch