[Pkg-mysql-commits] r1248 - in trunk/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Thu Jun 5 09:20:12 UTC 2008
tags 480292 pending
thanks
Author: nobse
Date: 2008-06-05 09:20:12 +0000 (Thu, 05 Jun 2008)
New Revision: 1248
Added:
trunk/debian/patches/92_SECURITY_CVE-2008-2079.dpatch
Modified:
trunk/debian/changelog
Log:
Add fix for CVE-2008-2079 from openSUSE.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2008-06-05 09:15:09 UTC (rev 1247)
+++ trunk/debian/changelog 2008-06-05 09:20:12 UTC (rev 1248)
@@ -1,6 +1,12 @@
mysql-dfsg-5.0 (5.0.51a-7) UNRELEASED; urgency=low
[ Norbert Tretkowski ]
+ * SECURITY:
+ Fix for CVE-2008-2079: It was possible to circumvent privileges through
+ the creation of MyISAM tables employing the DATA DIRECTORY and INDEX
+ DIRECTORY options to overwrite existing table files in the MySQL data
+ directory. Use of the MySQL data directory in DATA DIRECTORY and INDEX
+ DIRECTORY is now disallowed. (closes: #480292)
* Fix build on non-linux systems like hurd-i386. (closes: #480362)
* Include symlinks for mysqlcheck. (closes: #480647)
Added: trunk/debian/patches/92_SECURITY_CVE-2008-2079.dpatch
===================================================================
--- trunk/debian/patches/92_SECURITY_CVE-2008-2079.dpatch (rev 0)
+++ trunk/debian/patches/92_SECURITY_CVE-2008-2079.dpatch 2008-06-05 09:20:12 UTC (rev 1248)
@@ -0,0 +1,359 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 92_SECURITY_CVE-2008-2079.dpatch by Norbert Tretkowski <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-2079: It was possible to circumvent privileges through
+## DP: the creation of MyISAM tables employing the DATA DIRECTORY and INDEX
+## DP: DIRECTORY options to overwrite existing table files in the MySQL data
+## DP: directory. Use of the MySQL data directory in DATA DIRECTORY and INDEX
+## DP: DIRECTORY is now disallowed. (closes: #480292)
+
+ at DPATCH@
+--- mysql-test/r/symlink.result.orig
++++ mysql-test/r/symlink.result
+@@ -100,23 +100,15 @@ t1 CREATE TABLE `t1` (
+ ) ENGINE=MyISAM DEFAULT CHARSET=latin1
+ drop table t1;
+ CREATE TABLE t1(a INT)
+-DATA DIRECTORY='TEST_DIR/master-data/mysql'
+-INDEX DIRECTORY='TEST_DIR/master-data/mysql';
+-RENAME TABLE t1 TO user;
+-ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
+-DROP TABLE t1;
+-show create table t1;
+-Table Create Table
+-t1 CREATE TABLE `t1` (
+- `i` int(11) default NULL
+-) ENGINE=MyISAM DEFAULT CHARSET=latin1
+-drop table t1;
+-show create table t1;
+-Table Create Table
+-t1 CREATE TABLE `t1` (
+- `i` int(11) default NULL
+-) ENGINE=MyISAM DEFAULT CHARSET=latin1
+-drop table t1;
++DATA DIRECTORY='TEST_DIR/tmp'
++INDEX DIRECTORY='TEST_DIR/tmp';
++ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17)
++CREATE TABLE t2(a INT)
++DATA DIRECTORY='TEST_DIR/tmp'
++INDEX DIRECTORY='TEST_DIR/tmp';
++RENAME TABLE t2 TO t1;
++ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17)
++DROP TABLE t2;
+ show create table t1;
+ Table Create Table
+ t1 CREATE TEMPORARY TABLE `t1` (
+@@ -138,27 +130,38 @@ select * from t1;
+ a
+ 42
+ drop table t1;
++execute stmt;
++show create table t1;
++Table Create Table
++t1 CREATE TABLE `t1` (
++ `c` char(10) default NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/'
++drop table t1;
++execute stmt;
++show create table t1;
++Table Create Table
++t1 CREATE TABLE `t1` (
++ `c` char(10) default NULL
++) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/'
++drop table t1;
++deallocate prepare stmt;
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/var/master-data/test';
++Got one of the listed errors
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/var/master-data/';
++Got one of the listed errors
++CREATE TABLE t1(a INT)
++INDEX DIRECTORY='TEST_DIR/var/master-data';
++Got one of the listed errors
++CREATE TABLE t1(a INT)
++INDEX DIRECTORY='TEST_DIR/var/master-data_var';
++Got one of the listed errors
+ End of 4.1 tests
+-CREATE DATABASE db1;
+-CREATE DATABASE db2;
+-USE db2;
+-INSERT INTO db2.t1 VALUES (1);
+-SELECT * FROM db2.t1;
+-b
+-1
+-RESET QUERY CACHE;
+-USE db1;
+ SET SESSION keep_files_on_create = TRUE;
+ CREATE TABLE t1 (a INT) ENGINE MYISAM;
+-ERROR HY000: Can't create/write to file './db1/t1.MYD' (Errcode: 17)
+-CREATE TABLE t3 (a INT) Engine=MyISAM;
+-INSERT INTO t3 VALUES (1),(2),(3);
+-TRUNCATE TABLE t3;
+-SELECT * from t3;
+-a
+-SET SESSION keep_files_on_create = DEFAULT;
+-DROP TABLE db2.t1, db1.t3;
+-DROP DATABASE db1;
+-DROP DATABASE db2;
+-USE test;
++ERROR HY000: Can't create/write to file './test/t1.MYD' (Errcode: 17)
++SET SESSION keep_files_on_create = FALSE;
++CREATE TABLE t1 (a INT) ENGINE MYISAM;
++DROP TABLE t1;
+ End of 5.0 tests
+--- mysql-test/t/symlink.test.orig
++++ mysql-test/t/symlink.test
+@@ -127,29 +127,22 @@ drop table t1;
+ #
+ # BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
+ #
++--write_file $MYSQLTEST_VARDIR/tmp/t1.MYI
++EOF
+ --replace_result $MYSQLTEST_VARDIR TEST_DIR
++--error 1
+ eval CREATE TABLE t1(a INT)
+-DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
+-INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
++DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp'
++INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp';
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++eval CREATE TABLE t2(a INT)
++DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp'
++INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp';
+ --replace_result $MYSQLTEST_VARDIR TEST_DIR
+ --error 1
+-RENAME TABLE t1 TO user;
+-DROP TABLE t1;
+-
+-#
+-# Test specifying DATA DIRECTORY that is the same as what would normally
+-# have been chosen. (Bug #8707)
+-#
+-disable_query_log;
+-eval create table t1 (i int) data directory = "$MYSQLTEST_VARDIR/master-data/test/";
+-enable_query_log;
+-show create table t1;
+-drop table t1;
+-disable_query_log;
+-eval create table t1 (i int) index directory = "$MYSQLTEST_VARDIR/master-data/test/";
+-enable_query_log;
+-show create table t1;
+-drop table t1;
++RENAME TABLE t2 TO t1;
++DROP TABLE t2;
++--remove_file $MYSQLTEST_VARDIR/tmp/t1.MYI
+
+ #
+ # Bug#8706 - temporary table with data directory option fails
+@@ -188,44 +181,61 @@ connection default;
+ select * from t1;
+ drop table t1;
+
+---echo End of 4.1 tests
+-
+ #
+-# Bug #29325: create table overwrites .MYD file of other table (datadir)
++# CREATE TABLE with DATA DIRECTORY option
+ #
+-
+-CREATE DATABASE db1;
+-CREATE DATABASE db2;
+-
+-USE db2;
++# Protect ourselves from data left in tmp/ by a previos possibly failed
++# test
++--system rm -f $MYSQLTEST_VARDIR/tmp/t1.*
+ --disable_query_log
+-eval CREATE TABLE t1 (b INT) ENGINE MYISAM
+-DATA DIRECTORY = '$MYSQLTEST_VARDIR/master-data/db1/';
++eval prepare stmt from "create table t1 (c char(10)) data directory='$MYSQLTEST_VARDIR/tmp'";
+ --enable_query_log
++execute stmt;
++--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
++show create table t1;
++drop table t1;
++execute stmt;
++--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
++show create table t1;
++drop table t1;
++deallocate prepare stmt;
+
+-INSERT INTO db2.t1 VALUES (1);
+-SELECT * FROM db2.t1;
+-RESET QUERY CACHE;
++#
++# Bug#32167 another privilege bypass with DATA/INDEX DIRECORY
++#
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++--error 1,1210
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/test';
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++--error 1,1210
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/';
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++--error 1,1210
++eval CREATE TABLE t1(a INT)
++INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data';
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++--error 1,1210
++eval CREATE TABLE t1(a INT)
++INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data_var';
+
+-USE db1;
++--echo End of 4.1 tests
+
+-#no warning from create table
++#
++# Bug #29325: create table overwrites .MYD file of other table (datadir)
++#
+ SET SESSION keep_files_on_create = TRUE;
++--write_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD
++EOF
+ --disable_abort_on_error
++--error 1
+ CREATE TABLE t1 (a INT) ENGINE MYISAM;
++--error 0,1
++--remove_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD;
+ --enable_abort_on_error
+-
+-CREATE TABLE t3 (a INT) Engine=MyISAM;
+-INSERT INTO t3 VALUES (1),(2),(3);
+-TRUNCATE TABLE t3;
+-SELECT * from t3;
+-
+-SET SESSION keep_files_on_create = DEFAULT;
+-
+-DROP TABLE db2.t1, db1.t3;
+-DROP DATABASE db1;
+-DROP DATABASE db2;
+-USE test;
+-
++SET SESSION keep_files_on_create = FALSE;
++CREATE TABLE t1 (a INT) ENGINE MYISAM;
++DROP TABLE t1;
+
+ --echo End of 5.0 tests
+--- sql/mysql_priv.h.orig
++++ sql/mysql_priv.h
+@@ -1255,6 +1255,7 @@ void my_dbopt_free(void);
+ extern time_t server_start_time, flush_status_time;
+ extern char *mysql_data_home,server_version[SERVER_VERSION_LENGTH],
+ mysql_real_data_home[], *opt_mysql_tmpdir, mysql_charsets_dir[],
++ mysql_unpacked_real_data_home[],
+ def_ft_boolean_syntax[sizeof(ft_boolean_syntax)];
+ #define mysql_tmpdir (my_tmpdir(&mysql_tmpdir_list))
+ extern MY_TMPDIR mysql_tmpdir_list;
+--- sql/mysqld.cc.orig
++++ sql/mysqld.cc
+@@ -453,14 +453,13 @@ char log_error_file[FN_REFLEN], glob_hos
+ char mysql_real_data_home[FN_REFLEN],
+ language[FN_REFLEN], reg_ext[FN_EXTLEN], mysql_charsets_dir[FN_REFLEN],
+ *opt_init_file, *opt_tc_log_file,
++ mysql_unpacked_real_data_home[FN_REFLEN],
+ def_ft_boolean_syntax[sizeof(ft_boolean_syntax)];
+-
++char *mysql_data_home= mysql_real_data_home;
+ const key_map key_map_empty(0);
+ key_map key_map_full(0); // Will be initialized later
+
+ const char *opt_date_time_formats[3];
+-
+-char *mysql_data_home= mysql_real_data_home;
+ char server_version[SERVER_VERSION_LENGTH];
+ char *mysqld_unix_port, *opt_mysql_tmpdir;
+ const char **errmesg; /* Error messages */
+@@ -7565,6 +7564,9 @@ static void fix_paths(void)
+ pos[1]= 0;
+ }
+ convert_dirname(mysql_real_data_home,mysql_real_data_home,NullS);
++ (void) fn_format(buff, mysql_real_data_home, "", "",
++ (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
++ (void) unpack_dirname(mysql_unpacked_real_data_home, buff);
+ convert_dirname(language,language,NullS);
+ (void) my_load_path(mysql_home,mysql_home,""); // Resolve current dir
+ (void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home);
+--- sql/sql_parse.cc.orig
++++ sql/sql_parse.cc
+@@ -76,6 +76,7 @@ static void remove_escape(char *name);
+ static bool append_file_to_dir(THD *thd, const char **filename_ptr,
+ const char *table_name);
+ static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
++static bool test_if_data_home_dir(const char *dir);
+
+ const char *any_db="*any*"; // Special symbol for check_access
+
+@@ -3001,6 +3002,20 @@ mysql_execute_command(THD *thd)
+ "INDEX DIRECTORY option ignored");
+ create_info.data_file_name= create_info.index_file_name= NULL;
+ #else
++
++ if (test_if_data_home_dir(lex->create_info.data_file_name))
++ {
++ my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
++ res= -1;
++ break;
++ }
++ if (test_if_data_home_dir(lex->create_info.index_file_name))
++ {
++ my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
++ res= -1;
++ break;
++ }
++
+ /* Fix names if symlinked tables */
+ if (append_file_to_dir(thd, &create_info.data_file_name,
+ create_table->table_name) ||
+@@ -7843,3 +7858,48 @@ bool check_string_length(LEX_STRING *str
+
+ return TRUE;
+ }
++
++
++/*
++ Check if path does not contain mysql data home directory
++
++ SYNOPSIS
++ test_if_data_home_dir()
++ dir directory
++ conv_home_dir converted data home directory
++ home_dir_len converted data home directory length
++
++ RETURN VALUES
++ 0 ok
++ 1 error
++*/
++
++static bool test_if_data_home_dir(const char *dir)
++{
++ char path[FN_REFLEN], conv_path[FN_REFLEN];
++ uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home);
++ DBUG_ENTER("test_if_data_home_dir");
++
++ if (!dir)
++ DBUG_RETURN(0);
++
++ (void) fn_format(path, dir, "", "",
++ (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
++ dir_len= unpack_dirname(conv_path, dir);
++
++ if (home_dir_len <= dir_len)
++ {
++ if (lower_case_file_system)
++ {
++ if (!my_strnncoll(default_charset_info, (const uchar*) conv_path,
++ home_dir_len,
++ (const uchar*) mysql_unpacked_real_data_home,
++ home_dir_len))
++ DBUG_RETURN(1);
++ }
++ else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
++ DBUG_RETURN(1);
++ }
++ DBUG_RETURN(0);
++}
++
+
More information about the Pkg-mysql-commits
mailing list