[Pkg-mysql-commits] r1105 - in branches/etch-5.0/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Sat Dec 22 19:32:52 UTC 2007


Author: nobse
Date: 2007-12-22 19:32:51 +0000 (Sat, 22 Dec 2007)
New Revision: 1105

Added:
   branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch
   branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch
Removed:
   branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch
Modified:
   branches/etch-5.0/debian/changelog
   branches/etch-5.0/debian/patches/00list
   branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
Log:
Fix CVE-2007-3781.

Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog	2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/changelog	2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,6 +1,9 @@
 mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
 
   * SECURITY:
+    Fix for CVE-2007-3781: CREATE TABLE LIKE did not require any privileges on
+    the source table. Now it requires the SELECT privilege.
+  * SECURITY:
     Fix for CVE-2007-5969: Using RENAME TABLE against a table with explicit
     DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system
     table information by replacing the file to which the symlink points.
@@ -10,7 +13,7 @@
     be forced to crash if the remote server returns a result with fewer columns
     than expected. (closes: #455737)
 
- -- Norbert Tretkowski <nobse at debian.org>  Tue, 11 Dec 2007 23:26:23 +0100
+ -- Norbert Tretkowski <nobse at debian.org>  Sat, 22 Dec 2007 19:20:38 +0100
 
 mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
 

Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list	2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/00list	2007-12-22 19:32:51 UTC (rev 1105)
@@ -24,6 +24,6 @@
 93_SECURITY_CVE-2007-3780.dpatch
 93_SECURITY_CVE-2007-3782.dpatch
 94_SECURITY_CVE-2007-5925.dpatch
+95_SECURITY_CVE-2007-3781.dpatch
 95_SECURITY_CVE-2007-5969.dpatch
-96_SECURITY_CVE-2007-6303.dpatch
-97_SECURITY_CVE-2007-6304.dpatch
+95_SECURITY_CVE-2007-6304.dpatch
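Review bot: The `96_SECURITY_CVE-2007-6303.dpatch` entry is dropped from the series in this hunk with no replacement line, so after this revision no patch for CVE-2007-6303 is listed for application. The commit log and the changelog entry mention only CVE-2007-3781, and the commit's file summary shows no CVE-2007-6303 dpatch being added, removed or renamed, so this is either cleanup of an entry whose file was never committed or an accidental removal. The changelog should say which. The old list also named `97_SECURITY_CVE-2007-6304.dpatch` while the file deleted in this commit is `96_SECURITY_CVE-2007-6304.dpatch`, so it is worth confirming with a test build that every listed patch exists and applies.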

Added: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-3781.dpatch	2007-12-22 19:32:51 UTC (rev 1105)
@@ -0,0 +1,216 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 95_SECURITY_CVE-2007-3781.dpatch by  <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-3781: CREATE TABLE LIKE did not require any privileges
+## DP: on the source table. Now it requires the SELECT privilege.
+
+ at DPATCH@
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result
+--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result	2006-12-20 12:30:57.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result	2007-12-22 20:15:32.290837909 +0100
+@@ -380,3 +380,27 @@
+ drop table t2;
+ REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
+ drop user `a@`@localhost;
++drop database if exists mysqltest_1;
++drop database if exists mysqltest_2;
++drop user mysqltest_u1 at localhost;
++create database mysqltest_1;
++create database mysqltest_2;
++grant all on mysqltest_1.* to mysqltest_u1 at localhost;
++use mysqltest_2;
++create table t1 (i int);
++show create table mysqltest_2.t1;
++ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
++create table t1 like mysqltest_2.t1;
++ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
++grant select on mysqltest_2.t1 to mysqltest_u1 at localhost;
++show create table mysqltest_2.t1;
++Table	Create Table
++t1	CREATE TABLE `t1` (
++  `i` int(11) default NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1
++create table t1 like mysqltest_2.t1;
++use test;
++drop database mysqltest_1;
++drop database mysqltest_2;
++drop user mysqltest_u1 at localhost;
++End of 5.0 tests
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test
+--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test	2006-12-20 12:30:57.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test	2007-12-22 20:15:32.790866404 +0100
+@@ -509,3 +509,47 @@
+ connection default;
+ REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
+ drop user `a@`@localhost;
++
++
++#
++# Bug#25578 "CREATE TABLE LIKE does not require any privileges on source table"
++#
++--disable_warnings
++drop database if exists mysqltest_1;
++drop database if exists mysqltest_2;
++--enable_warnings
++--error 0,ER_CANNOT_USER
++drop user mysqltest_u1 at localhost;
++
++create database mysqltest_1;
++create database mysqltest_2;
++grant all on mysqltest_1.* to mysqltest_u1 at localhost;
++use mysqltest_2;
++create table t1 (i int);
++
++# Connect as user with all rights on mysqltest_1 but with no rights on mysqltest_2.
++connect (user1,localhost,mysqltest_u1,,mysqltest_1);
++connection user1;
++# As expected error is emitted
++--error ER_TABLEACCESS_DENIED_ERROR
++show create table mysqltest_2.t1;
++# This should emit error as well
++--error ER_TABLEACCESS_DENIED_ERROR
++create table t1 like mysqltest_2.t1;
++
++# Now let us check that SELECT privilege on the source is enough
++connection default;
++grant select on mysqltest_2.t1 to mysqltest_u1 at localhost;
++connection user1;
++show create table mysqltest_2.t1;
++create table t1 like mysqltest_2.t1;
++
++# Clean-up
++connection default;
++use test;
++drop database mysqltest_1;
++drop database mysqltest_2;
++drop user mysqltest_u1 at localhost;
++
++--echo End of 5.0 tests
++
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/handler.h mysql-dfsg-5.0-5.0.32/sql/handler.h
+--- mysql-dfsg-5.0-5.0.32.orig/sql/handler.h	2006-12-20 12:14:37.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/handler.h	2007-12-22 20:15:32.790866404 +0100
+@@ -163,6 +163,7 @@
+ 
+ #define HA_LEX_CREATE_TMP_TABLE	1
+ #define HA_LEX_CREATE_IF_NOT_EXISTS 2
++#define HA_LEX_CREATE_TABLE_LIKE 4
+ #define HA_OPTION_NO_CHECKSUM	(1L << 17)
+ #define HA_OPTION_NO_DELAY_KEY_WRITE (1L << 18)
+ #define HA_MAX_REC_LENGTH	65535
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc	2006-12-20 12:14:48.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc	2007-12-22 20:15:49.291806739 +0100
+@@ -76,6 +76,7 @@
+ static void remove_escape(char *name);
+ static bool append_file_to_dir(THD *thd, const char **filename_ptr,
+ 			       const char *table_name);
++static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
+ 
+ const char *any_db="*any*";	// Special symbol for check_access
+ 
+@@ -3005,7 +3006,7 @@
+     else
+     {
+       /* regular create */
+-      if (lex->name)
++      if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
+         res= mysql_create_like_table(thd, create_table, &lex->create_info, 
+                                      (Table_ident *)lex->name); 
+       else
+@@ -3201,11 +3202,7 @@
+         first_table->skip_temporary= 1;
+ 
+       if (check_db_used(thd, all_tables) ||
+-	  check_access(thd, SELECT_ACL | EXTRA_ACL, first_table->db,
+-		       &first_table->grant.privilege, 0, 0, 
+-                       test(first_table->schema_table)))
+-	goto error;
+-      if (grant_option && check_grant(thd, SELECT_ACL, all_tables, 2, UINT_MAX, 0))
++          check_show_create_table_access(thd, first_table))
+ 	goto error;
+       res= mysqld_show_create(thd, first_table);
+       break;
+@@ -7337,6 +7334,25 @@
+ }
+ 
+ 
++/**
++   @brief  Check privileges for SHOW CREATE TABLE statement.
++
++   @param  thd    Thread context
++   @param  table  Target table
++
++   @retval TRUE  Failure
++   @retval FALSE Success
++*/
++
++static bool check_show_create_table_access(THD *thd, TABLE_LIST *table)
++{
++  return check_access(thd, SELECT_ACL | EXTRA_ACL, table->db,
++                      &table->grant.privilege, 0, 0,
++                      test(table->schema_table)) ||
++         grant_option && check_grant(thd, SELECT_ACL, table, 2, UINT_MAX, 0);
++}
++
++
+ /*
+   CREATE TABLE query pre-check
+ 
+@@ -7402,6 +7418,11 @@
+     if (tables && check_table_access(thd, SELECT_ACL, tables,0))
+       goto err;
+   }
++  else if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
++  {
++    if (check_show_create_table_access(thd, tables))
++      goto err;
++  }
+   error= FALSE;
+ 
+ err:
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej	1970-01-01 01:00:00.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej	2007-12-22 20:15:32.790866404 +0100
+@@ -0,0 +1,17 @@
++***************
++*** 3061,3067 ****
++      else
++      {
++        /* regular create */
++-       if (lex->name)
++          res= mysql_create_like_table(thd, create_table, &create_info,
++                                       (Table_ident *)lex->name);
++        else
++--- 3062,3068 ----
++      else
++      {
++        /* regular create */
+++       if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
++          res= mysql_create_like_table(thd, create_table, &create_info,
++                                       (Table_ident *)lex->name);
++        else
+diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy
+--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy	2006-12-20 12:14:38.000000000 +0100
++++ mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy	2007-12-22 20:15:32.790866404 +0100
+@@ -2455,6 +2455,9 @@
+           {
+             LEX *lex=Lex;
+             THD *thd= lex->thd;
++            Lex->create_info.options|= HA_LEX_CREATE_TABLE_LIKE;
++            if (!Lex->select_lex.add_table_to_list(YYTHD, $2, NULL, 0, TL_READ))
++              YYABORT;
+             if (!(lex->name= (char *)$2))
+               YYABORT;
+             if ($2->db.str == NULL &&
+@@ -2467,6 +2470,9 @@
+           {
+             LEX *lex=Lex;
+             THD *thd= lex->thd;
++            Lex->create_info.options|= HA_LEX_CREATE_TABLE_LIKE;
++            if (!Lex->select_lex.add_table_to_list(YYTHD, $3, NULL, 0, TL_READ))
++              YYABORT;
+             if (!(lex->name= (char *)$3))
+               YYABORT;
+             if ($3->db.str == NULL &&
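Review bot: The dpatch includes a `sql/sql_parse.cc.rej` section (the `diff -Nur … sql_parse.cc.rej` block after the sql_parse.cc changes), a reject file left over from a failed hunk; applying the dpatch will create that stray file in the source tree, so the section should be removed. The reject shows the upstream hunk expected `&create_info` where the hand-applied hunk has `&lex->create_info`, so the manual port of that hunk deserves a second check against the 5.0.32 source. In `check_show_create_table_access` the return expression mixes `||` and `&&` without parentheses; `check_access(...) || (grant_option && check_grant(...))` keeps the behaviour and makes the grouping explicit. The new `else if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)` branch would benefit from a comment such as `/* tables is the LIKE source table added by the parser; require SELECT on it */`, assuming that is what `tables` holds at that point, since the enclosing pre-check function starts outside the hunk.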

Modified: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch	2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-5969.dpatch	2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,5 +1,5 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
-## 92_SECURITY_CVE-2007-5969.dpatch by  <nobse at debian.org>
+## 95_SECURITY_CVE-2007-5969.dpatch by  <nobse at debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: Fix for CVE-2007-5969: The convert_search_mode_to_innobase function in

Copied: branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch (from rev 1104, branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch)
===================================================================
--- branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/95_SECURITY_CVE-2007-6304.dpatch	2007-12-22 19:32:51 UTC (rev 1105)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 95_SECURITY_CVE-2007-6304.dpatch by  <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
+## DP: be forced to crash if the remote server returns a result with fewer columns
+## DP: than expected. (closes: #455737)
+
+ at DPATCH@
+diff -Nrup a/sql/ha_federated.cc b/sql/ha_federated.cc
+--- a/sql/ha_federated.cc	2007-07-26 05:22:50 +05:00
++++ b/sql/ha_federated.cc	2007-10-15 10:11:50 +05:00
+@@ -2528,7 +2528,12 @@ int ha_federated::info(uint flag)
+     status_query_string.length(0);
+ 
+     result= mysql_store_result(mysql);
+-    if (!result)
++
++    /*
++      We're going to use fields num. 4, 12 and 13 of the resultset,
++      so make sure we have these fields.
++    */
++    if (!result || (mysql_num_fields(result) < 14))
+       goto error;
+ 
+     if (!mysql_num_rows(result))

Deleted: branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch	2007-12-22 17:58:26 UTC (rev 1104)
+++ branches/etch-5.0/debian/patches/96_SECURITY_CVE-2007-6304.dpatch	2007-12-22 19:32:51 UTC (rev 1105)
@@ -1,26 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 96_SECURITY_CVE-2007-6304.dpatch by  <nobse at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2007-6304: When using a FEDERATED table, the local server can
-## DP: be forced to crash if the remote server returns a result with fewer columns
-## DP: than expected. (closes: #455737)
-
- at DPATCH@
-diff -Nrup a/sql/ha_federated.cc b/sql/ha_federated.cc
---- a/sql/ha_federated.cc	2007-07-26 05:22:50 +05:00
-+++ b/sql/ha_federated.cc	2007-10-15 10:11:50 +05:00
-@@ -2528,7 +2528,12 @@ int ha_federated::info(uint flag)
-     status_query_string.length(0);
- 
-     result= mysql_store_result(mysql);
--    if (!result)
-+
-+    /*
-+      We're going to use fields num. 4, 12 and 13 of the resultset,
-+      so make sure we have these fields.
-+    */
-+    if (!result || (mysql_num_fields(result) < 14))
-       goto error;
- 
-     if (!mysql_num_rows(result))



