
Contents of /updates/1/mysql/current/SOURCES/mariadb-5.5-buffer-overflow.patch



Revision 393865 - (show annotations) (download)
Fri Feb 1 01:38:41 2013 UTC (11 years, 2 months ago) by luigiwalser
File size: 7250 byte(s)
- Add MariaDB patches to fix:
  - CVE-2012-5627
  - MDEV-4029
  - a buffer overflow (similar to CVE-2012-5611)

1 === added file 'mysql-test/r/grant_lowercase.result'
2 --- a/mysql-test/r/grant_lowercase.result 1970-01-01 00:00:00 +0000
3 +++ b/mysql-test/r/grant_lowercase.result 2012-12-04 16:08:02 +0000
4 @@ -0,0 +1,20 @@
5 +grant file on *.* to user1@localhost with grant option;
6 +grant select on `a%`.* to user1@localhost with grant option;
7 +grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret';
8 +ERROR 42000: Incorrect database name 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
9 +drop user user1@localhost;
10 +call mtr.add_suppression("Incorrect database name");
11 +alter table mysql.host modify Db varchar(200);
12 +alter table mysql.db modify Db varchar(200);
13 +insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200));
14 +Warnings:
15 +Warning 1265 Data truncated for column 'Db' at row 1
16 +insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200));
17 +Warnings:
18 +Warning 1265 Data truncated for column 'Db' at row 1
19 +flush privileges;
20 +delete from mysql.host where db like '=>%';
21 +delete from mysql.db where db like '=>%';
22 +alter table mysql.host modify Db char(64);
23 +alter table mysql.db modify Db char(64);
24 +flush privileges;
25
26 === added file 'mysql-test/t/grant_lowercase.opt'
27 --- a/mysql-test/t/grant_lowercase.opt 1970-01-01 00:00:00 +0000
28 +++ b/mysql-test/t/grant_lowercase.opt 2012-12-04 16:08:02 +0000
29 @@ -0,0 +1,1 @@
30 +--lower-case-table-names=1
31
32 === added file 'mysql-test/t/grant_lowercase.test'
33 --- a/mysql-test/t/grant_lowercase.test 1970-01-01 00:00:00 +0000
34 +++ b/mysql-test/t/grant_lowercase.test 2012-12-04 16:08:02 +0000
35 @@ -0,0 +1,30 @@
36 +# test cases for strmov(tmp_db, db) -> strnmov replacement in sql_acl.cc
37 +
38 +#
39 +# http://seclists.org/fulldisclosure/2012/Dec/4
40 +#
41 +
42 +# in acl_get(), check_grant_db(), mysql_grant()
43 +grant file on *.* to user1@localhost with grant option;
44 +grant select on `a%`.* to user1@localhost with grant option;
45 +connect (conn1,localhost,user1,,);
46 +connection conn1;
47 +--error ER_WRONG_DB_NAME
48 +grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret';
49 +connection default;
50 +disconnect conn1;
51 +drop user user1@localhost;
52 +
53 +# in acl_load()
54 +call mtr.add_suppression("Incorrect database name");
55 +alter table mysql.host modify Db varchar(200);
56 +alter table mysql.db modify Db varchar(200);
57 +insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200));
58 +insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200));
59 +flush privileges; # shouldn't crash here
60 +delete from mysql.host where db like '=>%';
61 +delete from mysql.db where db like '=>%';
62 +alter table mysql.host modify Db char(64);
63 +alter table mysql.db modify Db char(64);
64 +flush privileges;
65 +
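Review bot: The header comment at gutter line 42 says the first block exercises acl_get(), check_grant_db() and mysql_grant(), but the sql_acl.cc part of this patch only touches acl_load() (two hunks), the hash-search routine at -2474 and mysql_grant(); presumably acl_get() and check_grant_db() were converted by the earlier fix the commit message alludes to, and the comment would be clearer if it said so, e.g. `# acl_get()/check_grant_db() were converted in <earlier fix>; this patch covers acl_load(), the grant-name hash search and mysql_grant()`. Without that, a reader will look for changes in this patch that are not there.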
66
67 === modified file 'sql/sql_acl.cc'
68 --- a/sql/sql_acl.cc 2012-11-12 18:56:51 +0000
69 +++ b/sql/sql_acl.cc 2012-12-04 16:08:02 +0000
70 @@ -341,7 +341,12 @@
71 convert db to lower case and give a warning if the db wasn't
72 already in lower case
73 */
74 - (void) strmov(tmp_name, host.db);
75 + char *end = strnmov(tmp_name, host.db, sizeof(tmp_name));
76 + if (end >= tmp_name + sizeof(tmp_name))
77 + {
78 + sql_print_warning(ER(ER_WRONG_DB_NAME), host.db);
79 + continue;
80 + }
81 my_casedn_str(files_charset_info, host.db);
82 if (strcmp(host.db, tmp_name) != 0)
83 sql_print_warning("'host' entry '%s|%s' had database in mixed "
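Review bot: The `end >= tmp_name + sizeof(tmp_name)` test only works because strnmov() returns `dst + n` and writes no terminating NUL when the source does not fit, which is the opposite convention from strncpy()/strlcpy() and is not stated anywhere at the call site; a one-line comment above the check would protect it from a later "cleanup", e.g. `/* strnmov() returns tmp_name + sizeof(tmp_name), without a NUL, when host.db did not fit */`. The same copy-check-skip sequence is repeated verbatim in the hunks at -595 (db.db) and -3466 (mysql_grant), so a small static helper returning true when the name fits and was lower-cased would keep the three sites from drifting; as written, the loader warns and drops an over-long entry, which seems to be the intended behaviour given the "shouldn't crash here" test. The enclosing acl_load() loop starts and ends outside this hunk.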
84 @@ -595,7 +600,12 @@
85 convert db to lower case and give a warning if the db wasn't
86 already in lower case
87 */
88 - (void)strmov(tmp_name, db.db);
89 + char *end = strnmov(tmp_name, db.db, sizeof(tmp_name));
90 + if (end >= tmp_name + sizeof(tmp_name))
91 + {
92 + sql_print_warning(ER(ER_WRONG_DB_NAME), db.db);
93 + continue;
94 + }
95 my_casedn_str(files_charset_info, db.db);
96 if (strcmp(db.db, tmp_name) != 0)
97 {
98 @@ -2474,15 +2484,23 @@
99 const char *user, const char *tname,
100 bool exact, bool name_tolower)
101 {
102 - char helping [NAME_LEN*2+USERNAME_LENGTH+3], *name_ptr;
103 + char helping[NAME_LEN*2+USERNAME_LENGTH+3];
104 + char *hend = helping + sizeof(helping);
105 uint len;
106 GRANT_NAME *grant_name,*found=0;
107 HASH_SEARCH_STATE state;
108
109 - name_ptr= strmov(strmov(helping, user) + 1, db) + 1;
110 - len = (uint) (strmov(name_ptr, tname) - helping) + 1;
111 + char *db_ptr= strmov(helping, user) + 1;
112 + char *tname_ptr= strnmov(db_ptr, db, hend - db_ptr) + 1;
113 + if (tname_ptr > hend)
114 + return 0; // invalid name = not found
115 + char *end= strnmov(tname_ptr, tname, hend - tname_ptr) + 1;
116 + if (end > hend)
117 + return 0; // invalid name = not found
118 +
119 + len = (uint) (end - helping);
120 if (name_tolower)
121 - my_casedn_str(files_charset_info, name_ptr);
122 + my_casedn_str(files_charset_info, tname_ptr);
123 for (grant_name= (GRANT_NAME*) my_hash_first(name_hash, (uchar*) helping,
124 len, &state);
125 grant_name ;
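Review bot: The first copy on the new side, `strmov(helping, user) + 1`, is still unbounded, so the fix depends on every caller having already limited `user` to USERNAME_LENGTH; if that ever fails, `db_ptr` lands past `hend` and `hend - db_ptr` becomes negative, which strnmov() then receives as a huge size_t, so the overflow is moved rather than removed. Making the first copy bounded like the other two costs two lines: `char *db_ptr= strnmov(helping, user, hend - helping) + 1;` followed by `if (db_ptr > hend) return 0; // invalid name = not found`. The `tname_ptr > hend` and `end > hend` checks are correct as written, including the zero-length case where strnmov() returns its dst unchanged. The enclosing function's signature begins before this hunk and its body continues after it.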
126 @@ -3466,7 +3484,12 @@
127
128 if (lower_case_table_names && db)
129 {
130 - strmov(tmp_db,db);
131 + char *end= strnmov(tmp_db,db, sizeof(tmp_db));
132 + if (end >= tmp_db + sizeof(tmp_db))
133 + {
134 + my_error(ER_WRONG_DB_NAME ,MYF(0), db);
135 + DBUG_RETURN(TRUE);
136 + }
137 my_casedn_str(files_charset_info, tmp_db);
138 db=tmp_db;
139 }
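Review bot: `my_error(ER_WRONG_DB_NAME, MYF(0), db)` reports the full over-long name back to the client, whereas the acl_load() hunks log it via sql_print_warning(); that is reasonable for an interactive GRANT, but the code path relies on `tmp_db` never being read after the early `DBUG_RETURN(TRUE)` because strnmov() leaves it unterminated when `db` does not fit, which deserves a comment such as `/* tmp_db is not NUL-terminated here; do not use it */` above the return. The check itself matches the two in acl_load() and would fit the same shared helper suggested there. The enclosing mysql_grant() starts and ends outside this hunk.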
140
