[Pkg-mysql-commits] r1055 - in branches/etch-5.0/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Sun Dec 9 14:39:51 UTC 2007
tags 455010 pending
thanks
Author: nobse
Date: 2007-12-09 14:39:51 +0000 (Sun, 09 Dec 2007)
New Revision: 1055
Added:
branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
Modified:
branches/etch-5.0/debian/changelog
branches/etch-5.0/debian/patches/00list
Log:
CVE-2007-5969 fix for etch
Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog 2007-12-09 11:42:43 UTC (rev 1054)
+++ branches/etch-5.0/debian/changelog 2007-12-09 14:39:51 UTC (rev 1055)
@@ -1,3 +1,13 @@
+mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
+
+ * SECURITY:
+ Fix for CVE-2007-5969: Using RENAME TABLE against a table with explicit
+ DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system
+ table information by replacing the file to which the symlink points.
+ (closes: #455010)
+
+ -- Norbert Tretkowski <nobse at debian.org> Sun, 09 Dec 2007 15:37:22 +0100
+
mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
* SECURITY:
Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list 2007-12-09 11:42:43 UTC (rev 1054)
+++ branches/etch-5.0/debian/patches/00list 2007-12-09 14:39:51 UTC (rev 1055)
@@ -24,3 +24,4 @@
93_SECURITY_CVE-2007-3780.dpatch
93_SECURITY_CVE-2007-3782.dpatch
94_SECURITY_CVE-2007-5925.dpatch
+95_SECURITY_CVE-2007-5969.dpatch
Added: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch 2007-12-09 14:39:51 UTC (rev 1055)
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 92_SECURITY_CVE-2007-5969.dpatch by <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-5969: The convert_search_mode_to_innobase function in
+## DP: ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
+## DP: remote authenticated users to cause a denial of service (database crash)
+## DP: via a certain CONTAINS operation on an indexed column, which triggers an
+## DP: assertion error. (closes: #451235)
+
+ at DPATCH@
+diff -Nrup a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result
+--- a/mysql-test/r/symlink.result 2007-07-13 15:32:27 +02:00
++++ b/mysql-test/r/symlink.result 2007-11-15 10:55:43 +01:00
+@@ -99,6 +99,12 @@ t1 CREATE TABLE `t1` (
+ `b` int(11) default NULL
+ ) ENGINE=MyISAM DEFAULT CHARSET=latin1
+ drop table t1;
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/master-data/mysql'
++INDEX DIRECTORY='TEST_DIR/master-data/mysql';
++RENAME TABLE t1 TO user;
++ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
++DROP TABLE t1;
+ show create table t1;
+ Table Create Table
+ t1 CREATE TABLE `t1` (
+diff -Nrup a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test
+--- a/mysql-test/t/symlink.test 2007-07-13 15:32:27 +02:00
++++ b/mysql-test/t/symlink.test 2007-11-15 10:55:43 +01:00
+@@ -125,6 +125,18 @@ show create table t1;
+ drop table t1;
+
+ #
++# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
++#
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
++INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++--error 1
++RENAME TABLE t1 TO user;
++DROP TABLE t1;
++
++#
+ # Test specifying DATA DIRECTORY that is the same as what would normally
+ # have been chosen. (Bug #8707)
+ #
+diff -Nrup a/mysys/my_symlink2.c b/mysys/my_symlink2.c
+--- a/mysys/my_symlink2.c 2007-07-18 14:33:39 +02:00
++++ b/mysys/my_symlink2.c 2007-11-15 10:55:43 +01:00
+@@ -126,6 +126,7 @@ int my_rename_with_symlink(const char *f
+ int was_symlink= (!my_disable_symlinks &&
+ !my_readlink(link_name, from, MYF(0)));
+ int result=0;
++ int name_is_different;
+ DBUG_ENTER("my_rename_with_symlink");
+
+ if (!was_symlink)
+@@ -134,6 +135,14 @@ int my_rename_with_symlink(const char *f
+ /* Change filename that symlink pointed to */
+ strmov(tmp_name, to);
+ fn_same(tmp_name,link_name,1); /* Copy dir */
++ name_is_different= strcmp(link_name, tmp_name);
++ if (name_is_different && !access(tmp_name, F_OK))
++ {
++ my_errno= EEXIST;
++ if (MyFlags & MY_WME)
++ my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
++ DBUG_RETURN(1);
++ }
+
+ /* Create new symlink */
+ if (my_symlink(tmp_name, to, MyFlags))
+@@ -145,7 +154,7 @@ int my_rename_with_symlink(const char *f
+ the same basename and different directories.
+ */
+
+- if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
++ if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
+ {
+ int save_errno=my_errno;
+ my_delete(to, MyFlags); /* Remove created symlink */
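Review bot: The `!access(tmp_name, F_OK)` check added to my_rename_with_symlink is not atomic with the later `my_rename(link_name, tmp_name, MyFlags)`, so a file that appears at tmp_name between the two calls would presumably still be replaced. An operation that itself fails when the target exists (for example `link()` followed by `unlink()`, or a no-replace rename where the platform has one) would make the refusal atomic. Failing that, a comment such as `/* Best effort: this check is not atomic with my_rename() below */` should record the limitation. Separately, the dpatch header looks copied from another patch: it names `92_SECURITY_CVE-2007-5969.dpatch`, and its `## DP:` lines describe an InnoDB assertion crash with `closes: #451235`, whereas this commit's changelog entry describes the RENAME TABLE symlink overwrite and closes #455010. The body of my_rename_with_symlink starts and ends outside the inner hunks, so the `!was_symlink` path and the final cleanup were not reviewed.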