[Pkg-mysql-commits] r997 - in branches/etch-5.0/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Thu Nov 15 14:14:00 UTC 2007 

tags 451235 pending
thanks

Author: nobse
Date: 2007-11-15 14:14:00 +0000 (Thu, 15 Nov 2007)
New Revision: 997

Added:
   branches/etch-5.0/debian/patches/94_SECURITY_CVE-2007-5925.dpatch
Modified:
   branches/etch-5.0/debian/changelog
Log:
Fix for CVE-2007-5925

Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog	2007-11-15 14:06:30 UTC (rev 996)
+++ branches/etch-5.0/debian/changelog	2007-11-15 14:14:00 UTC (rev 997)
@@ -1,3 +1,14 @@
+mysql-dfsg-5.0 (5.0.32-7etch3) UNRELEASED; urgency=high
+
+  * SECURITY:
+    Fix for CVE-2007-5925: The convert_search_mode_to_innobase function in
+    ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
+    remote authenticated users to cause a denial of service (database crash)
+    via a certain CONTAINS operation on an indexed column, which triggers an
+    assertion error. (closes: #451235)
+
+ -- Norbert Tretkowski <nobse at debian.org>  Thu, 15 Nov 2007 15:12:28 +0100
+
 mysql-dfsg-5.0 (5.0.32-7etch2) stable-security; urgency=high
 
   * Security release prepared for the security team by the Debian MySQL

Added: branches/etch-5.0/debian/patches/94_SECURITY_CVE-2007-5925.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/94_SECURITY_CVE-2007-5925.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/94_SECURITY_CVE-2007-5925.dpatch	2007-11-15 14:14:00 UTC (rev 997)
@@ -0,0 +1,115 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -ru innobase/include/db0err.h.orig innobase/include/db0err.h
+--- innobase/include/db0err.h.orig	2007-07-04 16:06:59.000000000 +0300
++++ innobase/include/db0err.h	2007-11-15 10:23:51.000000000 +0200
+@@ -57,6 +57,18 @@
+ 					buffer pool (for big transactions,
+ 					InnoDB stores the lock structs in the
+ 					buffer pool) */
++#define DB_FOREIGN_DUPLICATE_KEY 46	/* foreign key constraints
++					activated by the operation would
++					lead to a duplicate key in some
++					table */
++#define DB_TOO_MANY_CONCURRENT_TRXS 47	/* when InnoDB runs out of the
++					preconfigured undo slots, this can
++					only happen when there are too many
++					concurrent transactions */
++#define DB_UNSUPPORTED		48	/* when InnoDB sees any artefact or
++					a feature that it can't recoginize or
++					work with e.g., FT indexes created by
++					a later version of the engine. */
+ 
+ /* The following are partial failure codes */
+ #define DB_FAIL 		1000
+diff -ru innobase/include/page0cur.h.orig innobase/include/page0cur.h
+--- innobase/include/page0cur.h.orig	2007-07-04 16:06:10.000000000 +0300
++++ innobase/include/page0cur.h	2007-11-15 10:23:51.000000000 +0200
+@@ -22,6 +22,7 @@
+ 
+ /* Page cursor search modes; the values must be in this order! */
+ 
++#define	PAGE_CUR_UNSUPP	0
+ #define	PAGE_CUR_G	1
+ #define	PAGE_CUR_GE	2
+ #define	PAGE_CUR_L	3
+diff -ru sql/ha_innodb.cc.orig sql/ha_innodb.cc
+--- sql/ha_innodb.cc.orig	2007-07-04 16:06:48.000000000 +0300
++++ sql/ha_innodb.cc	2007-11-15 10:25:55.000000000 +0200
+@@ -526,6 +526,9 @@
+  		}
+ 
+     		return(HA_ERR_LOCK_TABLE_FULL);
++ 	} else if (error == DB_UNSUPPORTED) {
++ 
++ 		return(HA_ERR_UNSUPPORTED);
+     	} else {
+     		return(-1);			// Unknown error
+     	}
+@@ -3689,11 +3692,21 @@
+ 		  and comparison of non-latin1 char type fields in
+ 		  innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to
+ 		  work correctly. */
+-
+-		default:			assert(0);
++		case HA_READ_MBR_CONTAIN:
++		case HA_READ_MBR_INTERSECT:
++		case HA_READ_MBR_WITHIN:
++		case HA_READ_MBR_DISJOINT:
++			my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0));
++			return(PAGE_CUR_UNSUPP);
++		/* do not use "default:" in order to produce a gcc warning:
++		enumeration value '...' not handled in switch
++		(if -Wswitch or -Wall is used)
++		*/
+ 	}
+ 
+-	return(0);
++	my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality");
++
++	return(PAGE_CUR_UNSUPP);
+ }
+ 
+ /*
+@@ -3831,11 +3844,18 @@
+ 
+ 	last_match_mode = (uint) match_mode;
+ 
+-	innodb_srv_conc_enter_innodb(prebuilt->trx);
++	if (mode != PAGE_CUR_UNSUPP) {
+ 
+-	ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0);
++		innodb_srv_conc_enter_innodb(prebuilt->trx);
+ 
+-	innodb_srv_conc_exit_innodb(prebuilt->trx);
++		ret = row_search_for_mysql((byte*) buf, mode, prebuilt,
++					   match_mode, 0);
++
++		innodb_srv_conc_exit_innodb(prebuilt->trx);
++	} else {
++
++		ret = DB_UNSUPPORTED;
++	}
+ 
+ 	if (ret == DB_SUCCESS) {
+ 		error = 0;
+@@ -5150,8 +5170,16 @@
+ 	mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag :
+                                                 HA_READ_KEY_EXACT);
+ 
+-	n_rows = btr_estimate_n_rows_in_range(index, range_start,
+-						mode1, range_end, mode2);
++	if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) {
++
++		n_rows = btr_estimate_n_rows_in_range(index, range_start,
++						      mode1, range_end,
++						      mode2);
++	} else {
++
++		n_rows = 0;
++	}
++
+ 	dtuple_free_for_mysql(heap1);
+ 	dtuple_free_for_mysql(heap2);
+

More information about the Pkg-mysql-commits mailing list