[Pkg-mysql-commits] r1105 - in branches/etch-5.0/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Sat Dec 22 19:32:52 UTC 2007
Author: nobse
Date: 2007-12-22 19:32:51 +0000 (Sat, 22 Dec 2007)
New Revision: 1105
Added:
branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch
branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch
Removed:
branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch
Modified:
branches/etch-5.0/debian/changelog
branches/etch-5.0/debian/patches/00list
branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
Log:
Fix CVE-2007-3781.
Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog 2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/changelog 2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,6 +1,9 @@
mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
* SECURITY:
+ Fix for CVE-2007-3781: CREATE TABLE LIKE did not require any privileges on
+ the source table. Now it requires the SELECT privilege.
+ * SECURITY:
Fix for CVE-2007-5969: Using RENAME TABLE against a table with explicit
DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system
table information by replacing the file to which the symlink points.
@@ -10,7 +13,7 @@
be forced to crash if the remote server returns a result with fewer columns
than expected. (closes: #455737)
- -- Norbert Tretkowski <nobse at debian.org> Tue, 11 Dec 2007 23:26:23 +0100
+ -- Norbert Tretkowski <nobse at debian.org> Sat, 22 Dec 2007 19:20:38 +0100
mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list 2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/00list 2007-12-22 19:32:51 UTC (rev 1105)
@@ -24,6 +24,6 @@
93_SECURITY_CVE-2007-3780.dpatch
93_SECURITY_CVE-2007-3782.dpatch
94_SECURITY_CVE-2007-5925.dpatch
+95_SECURITY_CVE-2007-3781.dpatch
95_SECURITY_CVE-2007-5969.dpatch
-96_SECURITY_CVE-2007-6303.dpatch
-97_SECURITY_CVE-2007-6304.dpatch
+95_SECURITY_CVE-2007-6304.dpatch
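Review bot: The series list drops `96_SECURITY_CVE-2007-6303.dpatch` with no replacement line, yet the log message ("Fix CVE-2007-3781.") and the Added/Removed file lists say nothing about CVE-2007-6303. If that patch was applied before this revision, the build would silently lose the fix. Either keep the line `96_SECURITY_CVE-2007-6303.dpatch` or record the intentional removal in debian/changelog. The old entry `97_SECURITY_CVE-2007-6304.dpatch` also does not match the file this commit removes (`96_SECURITY_CVE-2007-6304.dpatch`), so the list and the patches directory were apparently out of sync at rev 1104 and should be checked against each other after this change. Three entries now share the `95_` prefix, so the order in this file alone decides the order they are applied in; a comment in the list saying so would help.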
Added: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch 2007-12-22 19:32:51 UTC (rev 1105)
@@ -0,0 +1,216 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 95_SECURITY_CVE-2007-3781.dpatch by <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-3781: CREATE TABLE LIKE did not require any privileges
+## DP: on the source table. Now it requires the SELECT privilege.
+
+ at DPATCH@
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result
+--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result 2006-12-20 12:30:57.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result 2007-12-22 20:15:32.290837909 +0100
+@@ -380,3 +380,27 @@
+ drop table t2;
+ REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
+ drop user `a@`@localhost;
++drop database if exists mysqltest_1;
++drop database if exists mysqltest_2;
++drop user mysqltest_u1 at localhost;
++create database mysqltest_1;
++create database mysqltest_2;
++grant all on mysqltest_1.* to mysqltest_u1 at localhost;
++use mysqltest_2;
++create table t1 (i int);
++show create table mysqltest_2.t1;
++ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
++create table t1 like mysqltest_2.t1;
++ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
++grant select on mysqltest_2.t1 to mysqltest_u1 at localhost;
++show create table mysqltest_2.t1;
++Table Create Table
++t1 CREATE TABLE `t1` (
++ `i` int(11) default NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1
++create table t1 like mysqltest_2.t1;
++use test;
++drop database mysqltest_1;
++drop database mysqltest_2;
++drop user mysqltest_u1 at localhost;
++End of 5.0 tests
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test
+--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test 2006-12-20 12:30:57.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test 2007-12-22 20:15:32.790866404 +0100
+@@ -509,3 +509,47 @@
+ connection default;
+ REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
+ drop user `a@`@localhost;
++
++
++#
++# Bug#25578 "CREATE TABLE LIKE does not require any privileges on source table"
++#
++--disable_warnings
++drop database if exists mysqltest_1;
++drop database if exists mysqltest_2;
++--enable_warnings
++--error 0,ER_CANNOT_USER
++drop user mysqltest_u1 at localhost;
++
++create database mysqltest_1;
++create database mysqltest_2;
++grant all on mysqltest_1.* to mysqltest_u1 at localhost;
++use mysqltest_2;
++create table t1 (i int);
++
++# Connect as user with all rights on mysqltest_1 but with no rights on mysqltest_2.
++connect (user1,localhost,mysqltest_u1,,mysqltest_1);
++connection user1;
++# As expected error is emitted
++--error ER_TABLEACCESS_DENIED_ERROR
++show create table mysqltest_2.t1;
++# This should emit error as well
++--error ER_TABLEACCESS_DENIED_ERROR
++create table t1 like mysqltest_2.t1;
++
++# Now let us check that SELECT privilege on the source is enough
++connection default;
++grant select on mysqltest_2.t1 to mysqltest_u1 at localhost;
++connection user1;
++show create table mysqltest_2.t1;
++create table t1 like mysqltest_2.t1;
++
++# Clean-up
++connection default;
++use test;
++drop database mysqltest_1;
++drop database mysqltest_2;
++drop user mysqltest_u1 at localhost;
++
++--echo End of 5.0 tests
++
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/handler.h mysql-dfsg-5.0-5.0.32/sql/handler.h
+--- mysql-dfsg-5.0-5.0.32.orig/sql/handler.h 2006-12-20 12:14:37.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/handler.h 2007-12-22 20:15:32.790866404 +0100
+@@ -163,6 +163,7 @@
+
+ #define HA_LEX_CREATE_TMP_TABLE 1
+ #define HA_LEX_CREATE_IF_NOT_EXISTS 2
++#define HA_LEX_CREATE_TABLE_LIKE 4
+ #define HA_OPTION_NO_CHECKSUM (1L << 17)
+ #define HA_OPTION_NO_DELAY_KEY_WRITE (1L << 18)
+ #define HA_MAX_REC_LENGTH 65535
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc 2006-12-20 12:14:48.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc 2007-12-22 20:15:49.291806739 +0100
+@@ -76,6 +76,7 @@
+ static void remove_escape(char *name);
+ static bool append_file_to_dir(THD *thd, const char **filename_ptr,
+ const char *table_name);
++static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
+
+ const char *any_db="*any*"; // Special symbol for check_access
+
+@@ -3005,7 +3006,7 @@
+ else
+ {
+ /* regular create */
+- if (lex->name)
++ if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
+ res= mysql_create_like_table(thd, create_table, &lex->create_info,
+ (Table_ident *)lex->name);
+ else
+@@ -3201,11 +3202,7 @@
+ first_table->skip_temporary= 1;
+
+ if (check_db_used(thd, all_tables) ||
+- check_access(thd, SELECT_ACL | EXTRA_ACL, first_table->db,
+- &first_table->grant.privilege, 0, 0,
+- test(first_table->schema_table)))
+- goto error;
+- if (grant_option && check_grant(thd, SELECT_ACL, all_tables, 2, UINT_MAX, 0))
++ check_show_create_table_access(thd, first_table))
+ goto error;
+ res= mysqld_show_create(thd, first_table);
+ break;
+@@ -7337,6 +7334,25 @@
+ }
+
+
++/**
++ @brief Check privileges for SHOW CREATE TABLE statement.
++
++ @param thd Thread context
++ @param table Target table
++
++ @retval TRUE Failure
++ @retval FALSE Success
++*/
++
++static bool check_show_create_table_access(THD *thd, TABLE_LIST *table)
++{
++ return check_access(thd, SELECT_ACL | EXTRA_ACL, table->db,
++ &table->grant.privilege, 0, 0,
++ test(table->schema_table)) ||
++ grant_option && check_grant(thd, SELECT_ACL, table, 2, UINT_MAX, 0);
++}
++
++
+ /*
+ CREATE TABLE query pre-check
+
+@@ -7402,6 +7418,11 @@
+ if (tables && check_table_access(thd, SELECT_ACL, tables,0))
+ goto err;
+ }
++ else if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
++ {
++ if (check_show_create_table_access(thd, tables))
++ goto err;
++ }
+ error= FALSE;
+
+ err:
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej 1970-01-01 01:00:00.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej 2007-12-22 20:15:32.790866404 +0100
+@@ -0,0 +1,17 @@
++***************
++*** 3061,3067 ****
++ else
++ {
++ /* regular create */
++- if (lex->name)
++ res= mysql_create_like_table(thd, create_table, &create_info,
++ (Table_ident *)lex->name);
++ else
++--- 3062,3068 ----
++ else
++ {
++ /* regular create */
+++ if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
++ res= mysql_create_like_table(thd, create_table, &create_info,
++ (Table_ident *)lex->name);
++ else
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy 2006-12-20 12:14:38.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy 2007-12-22 20:15:32.790866404 +0100
+@@ -2455,6 +2455,9 @@
+ {
+ LEX *lex=Lex;
+ THD *thd= lex->thd;
++ Lex->create_info.options|= HA_LEX_CREATE_TABLE_LIKE;
++ if (!Lex->select_lex.add_table_to_list(YYTHD, $2, NULL, 0, TL_READ))
++ YYABORT;
+ if (!(lex->name= (char *)$2))
+ YYABORT;
+ if ($2->db.str == NULL &&
+@@ -2467,6 +2470,9 @@
+ {
+ LEX *lex=Lex;
+ THD *thd= lex->thd;
++ Lex->create_info.options|= HA_LEX_CREATE_TABLE_LIKE;
++ if (!Lex->select_lex.add_table_to_list(YYTHD, $3, NULL, 0, TL_READ))
++ YYABORT;
+ if (!(lex->name= (char *)$3))
+ YYABORT;
+ if ($3->db.str == NULL &&
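Review bot: The dpatch ships a leftover reject file: its `sql/sql_parse.cc.rej` section creates that file in the source tree, so the diff was presumably taken from a tree where one hunk of the original fix had failed to apply. The rejected hunk targets a call using `&create_info`, while the applied change at `@@ -3005,7 +3006,7 @@` uses `&lex->create_info`, so that hunk appears to have been ported by hand; it should be re-checked against the original fix and the `.rej` section dropped from the patch. In `check_show_create_table_access` the return expression mixes `||` and `&&` without grouping; `... || (grant_option && check_grant(thd, SELECT_ACL, table, 2, UINT_MAX, 0))` keeps the behaviour and makes the precedence explicit. The new branch at `@@ -7402,6 +7418,11 @@` passes `tables` to the helper, which dereferences `table->db` unchecked. That seems to rely on the `add_table_to_list` calls added in `sql_yacc.yy` always supplying the source table (the enclosing function lies outside the hunk), so a comment at the call site such as `/* tables is the LIKE source table added by the parser */` would document the assumption.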
Modified: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch 2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch 2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,5 +1,5 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
-## 92_SECURITY_CVE-2007-5969.dpatch by <nobse at debian.org>
+## 95_SECURITY_CVE-2007-5969.dpatch by <nobse at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix for CVE-2007-5969: The convert_search_mode_to_innobase function in
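Review bot: The `## DP:` description kept as context here does not match the CVE in the file name: it begins "The convert_search_mode_to_innobase function in", while the changelog hunk of this same commit describes CVE-2007-5969 as the RENAME TABLE issue with DATA DIRECTORY / INDEX DIRECTORY symlinks. The text looks carried over from another patch, possibly `94_SECURITY_CVE-2007-5925.dpatch`, though the rest of the description lies outside the hunk. Since the header line is being corrected anyway, the description should be replaced with the changelog wording, starting `## DP: Fix for CVE-2007-5969: Using RENAME TABLE against a table with explicit`, so that patch metadata stays reliable for security tracking.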
Copied: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch (from rev 1104, branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch)
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch 2007-12-22 19:32:51 UTC (rev 1105)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 95_SECURITY_CVE-2007-6304.dpatch by <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
+## DP: be forced to crash if the remote server returns a result with fewer columns
+## DP: than expected. (closes: #455737)
+
+ at DPATCH@
+diff -Nrup a/sql/ha_federated.cc b/sql/ha_federated.cc
+--- a/sql/ha_federated.cc 2007-07-26 05:22:50 +05:00
++++ b/sql/ha_federated.cc 2007-10-15 10:11:50 +05:00
+@@ -2528,7 +2528,12 @@ int ha_federated::info(uint flag)
+ status_query_string.length(0);
+
+ result= mysql_store_result(mysql);
+- if (!result)
++
++ /*
++ We're going to use fields num. 4, 12 and 13 of the resultset,
++ so make sure we have these fields.
++ */
++ if (!result || (mysql_num_fields(result) < 14))
+ goto error;
+
+ if (!mysql_num_rows(result))
Deleted: branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch 2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch 2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,26 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 96_SECURITY_CVE-2007-6304.dpatch by <nobse at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
-## DP: be forced to crash if the remote server returns a result with fewer columns
-## DP: than expected. (closes: #455737)
-
- at DPATCH@
-diff -Nrup a/sql/ha_federated.cc b/sql/ha_federated.cc
---- a/sql/ha_federated.cc 2007-07-26 05:22:50 +05:00
-+++ b/sql/ha_federated.cc 2007-10-15 10:11:50 +05:00
-@@ -2528,7 +2528,12 @@ int ha_federated::info(uint flag)
- status_query_string.length(0);
-
- result= mysql_store_result(mysql);
-- if (!result)
-+
-+ /*
-+ We're going to use fields num. 4, 12 and 13 of the resultset,
-+ so make sure we have these fields.
-+ */
-+ if (!result || (mysql_num_fields(result) < 14))
- goto error;
-
- if (!mysql_num_rows(result))