[Pkg-mysql-commits] r965 - in branches/etch-5.0/debian: . patches

Sat Oct 20 15:16:59 UTC 2007

Author: ch
Date: 2007-10-20 15:16:58 +0000 (Sat, 20 Oct 2007)
New Revision: 965

Added:
   branches/etch-5.0/debian/patches/91_CVE-2007-3780.dpatch
   branches/etch-5.0/debian/patches/91_CVE-2007-3782.dpatch
Modified:
   branches/etch-5.0/debian/changelog
   branches/etch-5.0/debian/patches/00list
Log:
preparing new release


Modified: branches/etch-5.0/debian/changelog
===================================================================

--- branches/etch-5.0/debian/changelog	2007-10-14 20:48:49 UTC (rev 964)
+++ branches/etch-5.0/debian/changelog	2007-10-20 15:16:58 UTC (rev 965)
@@ -1,3 +1,17 @@
+mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
+
+  * Security release prepared for the security team by the Debian MySQL
+    maintainers. The patches were taken from the Ubuntu project.
+  * It was discovered that MySQL could be made to overflow a signed char
+    during authentication. Remote attackers could use crafted authentication
+    requests to cause a denial of service. (CVE-2007-3780)
+  * Phil Anderton discovered that MySQL did not properly verify access
+    privileges when accessing external tables. As a result, authenticated
+    users could exploit this to obtain UPDATE privileges to external
+    tables. (CVE-2007-3782)
+
+ -- Christian Hammers <ch at debian.org>  Sat, 20 Oct 2007 16:39:32 +0200
+
 mysql-dfsg-5.0 (5.0.32-7etch3) stable-security; urgency=high
 
   * Upload prepared for the security team by the debian mysql maintainers

Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list	2007-10-14 20:48:49 UTC (rev 964)
+++ branches/etch-5.0/debian/patches/00list	2007-10-20 15:16:58 UTC (rev 965)
@@ -21,4 +21,6 @@
 90_tmp__limit_comma_bug.dpatch
 90_SECURITY_CVE-2007-2583_item_cmpfunc.dpatch
 91_SECURITY_CVE-2007-2691_alter-drop.dpatch
+91_CVE-2007-3780.dpatch
+91_CVE-2007-3782.dpatch
 92_SECURITY_CVE-2007-2691_thd_privs.dpatch

Added: branches/etch-5.0/debian/patches/91_CVE-2007-3780.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/91_CVE-2007-3780.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/91_CVE-2007-3780.dpatch	2007-10-20 15:16:58 UTC (rev 965)
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 91_CVE-2007-3780.dpatch by Jamie Strandboge <jamie at ubuntu.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2007-3780
+
+ at DPATCH@
+
+diff -Nru mysql-dfsg-5.0-5.0.38.orig/sql/sql_parse.cc mysql-dfsg-5.0-5.0.38/sql/sql_parse.cc
+--- mysql-dfsg-5.0-5.0.38.orig/sql/sql_parse.cc	2007-10-02 10:27:41.000000000 -0400
++++ mysql-dfsg-5.0-5.0.38/sql/sql_parse.cc	2007-10-02 10:30:39.000000000 -0400
+@@ -1008,7 +1008,7 @@
+     password both send '\0'.
+   */
+   uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
+-    *passwd++ : strlen(passwd);
++    (uchar) (*passwd++) : strlen(passwd);
+   db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
+     db + passwd_len + 1 : 0;
+   uint db_len= db ? strlen(db) : 0;

Added: branches/etch-5.0/debian/patches/91_CVE-2007-3782.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/91_CVE-2007-3782.dpatch	                        (rev 0)
+++ branches/etch-5.0/debian/patches/91_CVE-2007-3782.dpatch	2007-10-20 15:16:58 UTC (rev 965)
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 91_CVE-2007-3782.dpatch by Jamie Strandboge <jamie at ubuntu.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2007-3782
+## DP: (patches to mysql-test/ removed as they didn't apply cleanly --ch)
+
+ at DPATCH@
+
+diff -Nru mysql-dfsg-5.0-5.0.38.orig/sql/sql_prepare.cc mysql-dfsg-5.0-5.0.38/sql/sql_prepare.cc
+--- mysql-dfsg-5.0-5.0.38.orig/sql/sql_prepare.cc	2007-03-20 15:12:48.000000000 -0400
++++ mysql-dfsg-5.0-5.0.38/sql/sql_prepare.cc	2007-10-02 11:02:20.000000000 -0400
+@@ -1164,8 +1164,9 @@
+     goto error;
+ 
+ #ifndef NO_EMBEDDED_ACCESS_CHECKS
+-  /* TABLE_LIST contain right privilages request */
+-  want_privilege= table_list->grant.want_privilege;
++  /* Force privilege re-checking for views after they are being opened. */
++  want_privilege= (table_list->view ? UPDATE_ACL :
++                   table_list->grant.want_privilege);
+ #endif
+ 
+   if (mysql_prepare_update(thd, table_list, &select->where,
+diff -Nru mysql-dfsg-5.0-5.0.38.orig/sql/sql_update.cc mysql-dfsg-5.0-5.0.38/sql/sql_update.cc
+--- mysql-dfsg-5.0-5.0.38.orig/sql/sql_update.cc	2007-03-20 15:12:18.000000000 -0400
++++ mysql-dfsg-5.0-5.0.38/sql/sql_update.cc	2007-10-02 11:02:20.000000000 -0400
+@@ -173,8 +173,9 @@
+   table->quick_keys.clear_all();
+ 
+ #ifndef NO_EMBEDDED_ACCESS_CHECKS
+-  /* TABLE_LIST contain right privilages request */
+-  want_privilege= table_list->grant.want_privilege;
++  /* Force privilege re-checking for views after they are being opened. */
++  want_privilege= (table_list->view ? UPDATE_ACL :
++                   table_list->grant.want_privilege);
+ #endif
+   if (mysql_prepare_update(thd, table_list, &conds, order_num, order))
+     DBUG_RETURN(1);


