patch is from http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26 |
|
this fixes an undisclosed security issue CVE-2012-5579. Upon disclosure, see |
https://mariadb.atlassian.net/browse/MDEV-3884 for more information. |
|
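--- a/mysql-test/r/information_schema.result 2012-11-09 19:15:23 +0000
+++ b/mysql-test/r/information_schema.result 2012-11-12 18:56:51 +0000
@@ -1678,6 +1678,10 @@
 length(CAST(b AS CHAR))
 20
 DROP TABLE ubig;
+grant usage on *.* to mysqltest_1@localhost;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+1
+drop user mysqltest_1@localhost;
 End of 5.1 tests.
 #
 # Additional test for WL#3726 "DDL locking for all metadata objects"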
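--- a/mysql-test/t/information_schema.test 2012-11-09 19:15:23 +0000
+++ b/mysql-test/t/information_schema.test 2012-11-12 18:56:51 +0000
@@ -1442,6 +1442,13 @@
 
 DROP TABLE ubig;
 
+grant usage on *.* to mysqltest_1@localhost;
+connect (con1, localhost, mysqltest_1,,);
+connection con1;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+connection default;
+disconnect con1;
+drop user mysqltest_1@localhost;
 
 --echo End of 5.1 tests.
 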
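Review bot: The added case only uses a 2000-character schema name, far beyond the key buffers, so the boundary decided by the new `end >= key + sizeof(key)` comparison in sql/sql_acl.cc is never exercised. A second `select` with the longest schema name that is still accepted, and one with a name a single character longer, would pin the off-by-one behaviour of the truncation check. The block also has no comment tying it to the fix; a line such as `# MDEV-3884: over-long db name must be rejected by acl_get()/check_grant_db()` above the `grant` would record why the query runs on the `mysqltest_1` connection, which presumably is what routes it through the per-database privilege check.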
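--- a/sql/sql_acl.cc 2011-11-21 17:13:14 +0000
+++ b/sql/sql_acl.cc 2012-11-12 18:56:51 +0000
@@ -1631,14 +1631,20 @@
 acl_entry *entry;
 DBUG_ENTER("acl_get");
 
- mysql_mutex_lock(&acl_cache->lock);
- end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
+ tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1;
+ end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db);
+
+ if (end >= key + sizeof(key)) // db name was truncated
+ DBUG_RETURN(0); // no privileges for an invalid db name
+
 if (lower_case_table_names)
 {
 my_casedn_str(files_charset_info, tmp_db);
 db=tmp_db;
 }
 key_length= (size_t) (end-key);
+
+ mysql_mutex_lock(&acl_cache->lock);
 if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key,
 key_length)))
 {
@@ -4952,11 +4958,17 @@
 bool check_grant_db(THD *thd,const char *db)
 {
 Security_context *sctx= thd->security_ctx;
- char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2];
+ char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end;
 uint len;
 bool error= TRUE;
 
- len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;
+ end= strmov(helping, sctx->priv_user) + 1;
+ end= strnmov(end, db, helping + sizeof(helping) - end);
+
+ if (end >= helping + sizeof(helping)) // db name was truncated
+ return 1; // no privileges for an invalid db name
+
+ len= (uint) (end - helping) + 1;
 
 mysql_rwlock_rdlock(&LOCK_grant);
 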
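Review bot: In acl_get the bounded `strnmov` covers only `db`; `ip` and `user` are still copied into `key` with `strmov`, and the length argument `key + sizeof(key) - tmp_db` is only meaningful if those two copies left `tmp_db` inside the buffer. The declaration of `key` and whatever bounds `ip` and `user` lie outside the hunk, so this is presumably guaranteed by the callers, but a `DBUG_ASSERT(tmp_db < key + sizeof(key));` before the `strnmov`, or a short comment naming the guarantee, would make the assumption checkable. The same applies to `sctx->priv_user` in check_grant_db, where the new early exit would also read better as `return TRUE;` to match `bool error= TRUE;`. Both function bodies continue outside their hunks.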