[Pkg-mysql-commits] r1055 - in branches/etch-5.0/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Sun Dec 9 14:39:51 UTC 2007 

tags 455010 pending
thanks

Author: nobse
Date: 2007-12-09 14:39:51 +0000 (Sun, 09 Dec 2007)
New Revision: 1055

Added:
   branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
Modified:
   branches/etch-5.0/debian/changelog
   branches/etch-5.0/debian/patches/00list
Log:
CVE-2007-5969 fix for etch

Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog	2007-12-09 11:42:43 UTC (rev 1054)
+++ branches/etch-5.0/debian/changelog	2007-12-09 14:39:51 UTC (rev 1055)
@@ -1,3 +1,13 @@
+mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
+
+  * SECURITY:
+    Fix for CVE-2007-5969: Using RENAME TABLE against a table with explicit
+    DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system
+    table information by replacing the file to which the symlink points.
+    (closes: #455010)
+
+ -- Norbert Tretkowski <nobse at debian.org>  Sun, 09 Dec 2007 15:37:22 +0100
+
 mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
 
   * SECURITY:

Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list	2007-12-09 11:42:43 UTC (rev 1054)
+++ branches/etch-5.0/debian/patches/00list	2007-12-09 14:39:51 UTC (rev 1055)
@@ -24,3 +24,4 @@
 93_SECURITY_CVE-2007-3780.dpatch
 93_SECURITY_CVE-2007-3782.dpatch
 94_SECURITY_CVE-2007-5925.dpatch
+95_SECURITY_CVE-2007-5969.dpatch

Added: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch	2007-12-09 14:39:51 UTC (rev 1055)
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 92_SECURITY_CVE-2007-5969.dpatch by  <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-5969: The convert_search_mode_to_innobase function in
+## DP: ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
+## DP: remote authenticated users to cause a denial of service (database crash)
+## DP: via a certain CONTAINS operation on an indexed column, which triggers an
+## DP: assertion error. (closes: #451235)
+
+ at DPATCH@
+diff -Nrup a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result
+--- a/mysql-test/r/symlink.result	2007-07-13 15:32:27 +02:00
++++ b/mysql-test/r/symlink.result	2007-11-15 10:55:43 +01:00
+@@ -99,6 +99,12 @@ t1	CREATE TABLE `t1` (
+   `b` int(11) default NULL
+ ) ENGINE=MyISAM DEFAULT CHARSET=latin1
+ drop table t1;
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/master-data/mysql'
++INDEX DIRECTORY='TEST_DIR/master-data/mysql';
++RENAME TABLE t1 TO user;
++ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
++DROP TABLE t1;
+ show create table t1;
+ Table	Create Table
+ t1	CREATE TABLE `t1` (
+diff -Nrup a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test
+--- a/mysql-test/t/symlink.test	2007-07-13 15:32:27 +02:00
++++ b/mysql-test/t/symlink.test	2007-11-15 10:55:43 +01:00
+@@ -125,6 +125,18 @@ show create table t1;
+ drop table t1;
+ 
+ #
++# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
++#
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
++INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++--error 1
++RENAME TABLE t1 TO user;
++DROP TABLE t1;
++
++#
+ # Test specifying DATA DIRECTORY that is the same as what would normally
+ # have been chosen. (Bug #8707)
+ #
+diff -Nrup a/mysys/my_symlink2.c b/mysys/my_symlink2.c
+--- a/mysys/my_symlink2.c	2007-07-18 14:33:39 +02:00
++++ b/mysys/my_symlink2.c	2007-11-15 10:55:43 +01:00
+@@ -126,6 +126,7 @@ int my_rename_with_symlink(const char *f
+   int was_symlink= (!my_disable_symlinks &&
+ 		    !my_readlink(link_name, from, MYF(0)));
+   int result=0;
++  int name_is_different;
+   DBUG_ENTER("my_rename_with_symlink");
+ 
+   if (!was_symlink)
+@@ -134,6 +135,14 @@ int my_rename_with_symlink(const char *f
+   /* Change filename that symlink pointed to */
+   strmov(tmp_name, to);
+   fn_same(tmp_name,link_name,1);		/* Copy dir */
++  name_is_different= strcmp(link_name, tmp_name);
++  if (name_is_different && !access(tmp_name, F_OK))
++  {
++    my_errno= EEXIST;
++    if (MyFlags & MY_WME)
++      my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
++    DBUG_RETURN(1);
++  }
+ 
+   /* Create new symlink */
+   if (my_symlink(tmp_name, to, MyFlags))
+@@ -145,7 +154,7 @@ int my_rename_with_symlink(const char *f
+     the same basename and different directories.
+    */
+ 
+-  if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
++  if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
+   {
+     int save_errno=my_errno;
+     my_delete(to, MyFlags);			/* Remove created symlink */

More information about the Pkg-mysql-commits mailing list