[Pkg-mysql-commits] r1065 - in branches/etch-5.0/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Tue Dec 11 22:27:21 UTC 2007 

tags 455737 pending
thanks

Author: nobse
Date: 2007-12-11 22:27:21 +0000 (Tue, 11 Dec 2007)
New Revision: 1065

Added:
   branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6303.dpatch
   branches/etch-5.0/debian/patches/97_SECURITY_CVE-2007-6304.dpatch
Modified:
   branches/etch-5.0/debian/changelog
   branches/etch-5.0/debian/patches/00list
Log:
Add patches for CVE-2007-6303 and CVE-2007-6304.

Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog	2007-12-11 21:55:08 UTC (rev 1064)
+++ branches/etch-5.0/debian/changelog	2007-12-11 22:27:21 UTC (rev 1065)
@@ -5,8 +5,17 @@
     DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system
     table information by replacing the file to which the symlink points.
     (closes: #455010)
+  * SECURITY:
+    Fix for CVE-2007-6303: ALTER VIEW retained the original DEFINER value,
+    even when altered by another user, which could allow that user to gain the
+    access rights of the view. Now ALTER VIEW is allowed only to the original
+    definer or users with the SUPER privilege. (closes: #455737)
+  * SECURITY:
+    Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
+    be forced to crash if the remote server returns a result with fewer columns
+    than expected.
 
- -- Norbert Tretkowski <nobse at debian.org>  Sun, 09 Dec 2007 15:37:22 +0100
+ -- Norbert Tretkowski <nobse at debian.org>  Tue, 11 Dec 2007 23:26:23 +0100
 
 mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
 

Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list	2007-12-11 21:55:08 UTC (rev 1064)
+++ branches/etch-5.0/debian/patches/00list	2007-12-11 22:27:21 UTC (rev 1065)
@@ -25,3 +25,5 @@
 93_SECURITY_CVE-2007-3782.dpatch
 94_SECURITY_CVE-2007-5925.dpatch
 95_SECURITY_CVE-2007-5969.dpatch
+96_SECURITY_CVE-2007-6303.dpatch
+97_SECURITY_CVE-2007-6304.dpatch

Added: branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6303.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6303.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6303.dpatch	2007-12-11 22:27:21 UTC (rev 1065)
@@ -0,0 +1,166 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 96_SECURITY_CVE-2007-6303.dpatch by  <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6303: ALTER VIEW retained the original DEFINER value,
+## DP: even when altered by another user, which could allow that user to gain
+## DP: the access rights of the view. Now ALTER VIEW is allowed only to the
+## DP: original definer or users with the SUPER privilege. (closes: #455737)
+
+ at DPATCH@
+diff -Nrup a/mysql-test/r/view_grant.result b/mysql-test/r/view_grant.result
+--- a/mysql-test/r/view_grant.result	2007-06-05 22:17:58 +04:00
++++ b/mysql-test/r/view_grant.result	2007-09-20 17:48:10 +04:00
+@@ -776,15 +776,59 @@ GRANT CREATE VIEW ON db26813.v2 TO u2681
+ GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813 at localhost;
+ GRANT SELECT ON db26813.t1 TO u26813 at localhost;
+ ALTER VIEW v1 AS SELECT f2 FROM t1;
+-ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1'
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ ALTER VIEW v2 AS SELECT f2 FROM t1;
+-ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2'
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ ALTER VIEW v3 AS SELECT f2 FROM t1;
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ SHOW CREATE VIEW v3;
+ View	Create View
+-v3	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1`
++v3	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1`
+ DROP USER u26813 at localhost;
+ DROP DATABASE db26813;
++#
++# Bug#29908: A user can gain additional access through the ALTER VIEW.
++#
++CREATE DATABASE mysqltest_29908;
++USE mysqltest_29908;
++CREATE TABLE t1(f1 INT, f2 INT);
++CREATE USER u29908_1 at localhost;
++CREATE DEFINER = u29908_1 at localhost VIEW v1 AS SELECT f1 FROM t1;
++CREATE DEFINER = u29908_1 at localhost SQL SECURITY INVOKER VIEW v2 AS
++SELECT f1 FROM t1;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1 at localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1 at localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1 at localhost;
++CREATE USER u29908_2 at localhost;
++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2 at localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2 at localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2 at localhost;
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v1;
++View	Create View
++v1	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1`
++ALTER VIEW v2 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
++ALTER VIEW v1 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v1;
++View	Create View
++v1	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1`
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
++DROP USER u29908_1 at localhost;
++DROP USER u29908_2 at localhost;
++DROP DATABASE mysqltest_29908;
++#######################################################################
+ DROP DATABASE IF EXISTS mysqltest1;
+ DROP DATABASE IF EXISTS mysqltest2;
+ CREATE DATABASE mysqltest1;
+diff -Nrup a/mysql-test/t/view_grant.test b/mysql-test/t/view_grant.test
+--- a/mysql-test/t/view_grant.test	2007-03-23 18:56:41 +03:00
++++ b/mysql-test/t/view_grant.test	2007-09-20 17:46:26 +04:00
+@@ -1034,10 +1034,11 @@ GRANT SELECT ON db26813.t1 TO u26813 at loc
+ 
+ connect (u1,localhost,u26813,,db26813);
+ connection u1;
+---error 1142
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v1 AS SELECT f2 FROM t1;
+---error 1142
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v2 AS SELECT f2 FROM t1;
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v3 AS SELECT f2 FROM t1;
+ 
+ connection root;
+@@ -1046,6 +1047,50 @@ SHOW CREATE VIEW v3;
+ DROP USER u26813 at localhost;
+ DROP DATABASE db26813;
+ disconnect u1;
++
++--echo #
++--echo # Bug#29908: A user can gain additional access through the ALTER VIEW.
++--echo #
++connection root;
++CREATE DATABASE mysqltest_29908;
++USE mysqltest_29908;
++CREATE TABLE t1(f1 INT, f2 INT);
++CREATE USER u29908_1 at localhost;
++CREATE DEFINER = u29908_1 at localhost VIEW v1 AS SELECT f1 FROM t1;
++CREATE DEFINER = u29908_1 at localhost SQL SECURITY INVOKER VIEW v2 AS
++  SELECT f1 FROM t1;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1 at localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1 at localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1 at localhost;
++CREATE USER u29908_2 at localhost;
++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2 at localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2 at localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2 at localhost;
++
++connect (u2,localhost,u29908_2,,mysqltest_29908);
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++
++connect (u1,localhost,u29908_1,,mysqltest_29908);
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v1;
++ALTER VIEW v2 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v2;
++
++connection root;
++ALTER VIEW v1 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v1;
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++
++DROP USER u29908_1 at localhost;
++DROP USER u29908_2 at localhost;
++DROP DATABASE mysqltest_29908;
++disconnect u1;
++disconnect u2;
++--echo #######################################################################
+ 
+ #
+ # BUG#24040: Create View don't succed with "all privileges" on a database.
+diff -Nrup a/sql/sql_view.cc b/sql/sql_view.cc
+--- a/sql/sql_view.cc	2007-09-03 11:22:54 +04:00
++++ b/sql/sql_view.cc	2007-09-20 18:03:16 +04:00
+@@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_L
+ {
+   LEX *lex= thd->lex;
+   bool link_to_local;
+-#ifndef NO_EMBEDDED_ACCESS_CHECKS
+-  bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
+-#endif
+   /* first table in list is target VIEW name => cut off it */
+   TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
+   TABLE_LIST *tables= lex->query_tables;
+@@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_L
+       - same as current user
+       - current user has SUPER_ACL
+   */
+-  if (definer_check_is_needed &&
++  if (lex->definer &&
+       (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
+        my_strcasecmp(system_charset_info,
+                      lex->definer->host.str,

Copied: branches/etch-5.0/debian/patches/97_SECURITY_CVE-2007-6304.dpatch (from rev 1063, branches/sid-5.0/debian/patches/94_SECURITY_CVE-2007-6304.dpatch)
===================================================================
--- branches/etch-5.0/debian/patches/97_SECURITY_CVE-2007-6304.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/97_SECURITY_CVE-2007-6304.dpatch	2007-12-11 22:27:21 UTC (rev 1065)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 97_SECURITY_CVE-2007-6304.dpatch by  <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
+## DP: be forced to crash if the remote server returns a result with fewer columns
+## DP: than expected. (closes: #455737)
+
+ at DPATCH@
+diff -Nrup a/sql/ha_federated.cc b/sql/ha_federated.cc
+--- a/sql/ha_federated.cc	2007-07-26 05:22:50 +05:00
++++ b/sql/ha_federated.cc	2007-10-15 10:11:50 +05:00
+@@ -2528,7 +2528,12 @@ int ha_federated::info(uint flag)
+     status_query_string.length(0);
+ 
+     result= mysql_store_result(mysql);
+-    if (!result)
++
++    /*
++      We're going to use fields num. 4, 12 and 13 of the resultset,
++      so make sure we have these fields.
++    */
++    if (!result || (mysql_num_fields(result) < 14))
+       goto error;
+ 
+     if (!mysql_num_rows(result))

More information about the Pkg-mysql-commits mailing list