
Contents of /updates/1/mysql/current/SOURCES/mariadb-5.5-check-dbname.patch



Revision 323176 - (show annotations) (download)
Thu Nov 29 21:46:40 2012 UTC (11 years, 4 months ago) by alien
File size: 2879 byte(s)
Fix CVE-2012-5579
1 patch is from http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26
2
3 this fixes an undisclosed security issue CVE-2012-5579. Upon disclosure, see
4 https://mariadb.atlassian.net/browse/MDEV-3884 for more information.
5
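--- a/mysql-test/r/information_schema.result 2012-11-09 19:15:23 +0000
+++ b/mysql-test/r/information_schema.result 2012-11-12 18:56:51 +0000
@@ -1678,6 +1678,10 @@
 length(CAST(b AS CHAR))
 20
 DROP TABLE ubig;
+grant usage on *.* to mysqltest_1@localhost;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+1
+drop user mysqltest_1@localhost;
 End of 5.1 tests.
 #
 # Additional test for WL#3726 "DDL locking for all metadata objects"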
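--- a/mysql-test/t/information_schema.test 2012-11-09 19:15:23 +0000
+++ b/mysql-test/t/information_schema.test 2012-11-12 18:56:51 +0000
@@ -1442,6 +1442,13 @@
 
 DROP TABLE ubig;
 
+grant usage on *.* to mysqltest_1@localhost;
+connect (con1, localhost, mysqltest_1,,);
+connection con1;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+connection default;
+disconnect con1;
+drop user mysqltest_1@localhost;
 
 --echo End of 5.1 tests.
 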
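Review bot: The added case has no comment tying it to the fix and checks only one schema name far beyond the limit, so a later reader cannot tell what it guards, and a regression at the exact buffer boundary would go unnoticed. I would put a line such as `# MDEV-3884: an over-long database name must be refused by the privilege checks` above the `grant`; a `#` comment leaves the recorded `.result` unchanged. A second `select` with a name length right at the server's name limit would cover the boundary. The statement runs as `mysqltest_1` with only `usage`, which is presumably what sends it through the grant lookup; the comment should say so if that is the intent.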
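--- a/sql/sql_acl.cc 2011-11-21 17:13:14 +0000
+++ b/sql/sql_acl.cc 2012-11-12 18:56:51 +0000
@@ -1631,14 +1631,20 @@
 acl_entry *entry;
 DBUG_ENTER("acl_get");
 
- mysql_mutex_lock(&acl_cache->lock);
- end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
+ tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1;
+ end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db);
+
+ if (end >= key + sizeof(key)) // db name was truncated
+ DBUG_RETURN(0); // no privileges for an invalid db name
+
 if (lower_case_table_names)
 {
 my_casedn_str(files_charset_info, tmp_db);
 db=tmp_db;
 }
 key_length= (size_t) (end-key);
+
+ mysql_mutex_lock(&acl_cache->lock);
 if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key,
 key_length)))
 {
@@ -4952,11 +4958,17 @@
 bool check_grant_db(THD *thd,const char *db)
 {
 Security_context *sctx= thd->security_ctx;
- char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2];
+ char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end;
 uint len;
 bool error= TRUE;
 
- len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;
+ end= strmov(helping, sctx->priv_user) + 1;
+ end= strnmov(end, db, helping + sizeof(helping) - end);
+
+ if (end >= helping + sizeof(helping)) // db name was truncated
+ return 1; // no privileges for an invalid db name
+
+ len= (uint) (end - helping) + 1;
 
 mysql_rwlock_rdlock(&LOCK_grant);
 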
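Review bot: The new bound covers only the `db` copy: in `acl_get` the `ip` and `user` parts, and in `check_grant_db` `sctx->priv_user`, are still written with unbounded `strmov`. The remaining-space arguments `key + sizeof(key) - tmp_db` and `helping + sizeof(helping) - end` are only meaningful if those earlier copies stayed inside the buffer. The hunks do not show where those lengths are guaranteed, so I would state the invariant next to the copy, e.g. `DBUG_ASSERT(tmp_db < key + sizeof(key)); // ip and user lengths are validated before this point` (if that is indeed the case), or bound them with `strnmov` as well. In `check_grant_db` the early exit is `return 1;` although the function is `bool` and initialises `error` with `TRUE`; `return TRUE;` would match. Both function bodies begin or end outside the hunks shown, including the declaration of `key`.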
