[Pkg-mysql-commits] r1323 - in trunk/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Wed Oct 22 10:11:47 UTC 2008


Author: nobse
Date: 2008-10-22 10:11:46 +0000 (Wed, 22 Oct 2008)
New Revision: 1323

Removed:
   trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch
Modified:
   trunk/debian/changelog
Log:
Remove fix for CVE-2008-4456 for now, not approved by MySQL.

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2008-10-09 06:53:30 UTC (rev 1322)
+++ trunk/debian/changelog	2008-10-22 10:11:46 UTC (rev 1323)
@@ -1,10 +1,5 @@
-mysql-dfsg-5.0 (5.0.51a-16) UNRELEASED; urgency=high
+mysql-dfsg-5.0 (5.0.51a-16) unstable; urgency=low
 
-  * SECURITY:
-    Fix for CVE-2008-4456: Cross-site scripting (XSS) vulnerability in the
-    command-line client, when the --html option is enabled, allows attackers
-    to inject arbitrary web script or HTML by placing it in a database cell,
-    which might be accessed by this client when composing an HTML document. 
   * New patch 60_rpl_test_failure.dpatch from Michael Casadevall to fix a race
     condition with the rpl_packet test in some cases. (closes: #501413)
 

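Review bot: The 5.0.51a-16 entry loses every mention of CVE-2008-4456 in the same hunk that moves it from UNRELEASED to `unstable` and from `urgency=high` to `urgency=low`, so the reason for withdrawing the fix ("not approved from MySQL") is recorded only in the commit log. Consider noting the open status somewhere that ships with the package or in the bug tracker, so anyone checking this upload against the CVE can see that the `--html` escaping fix is deliberately absent rather than forgotten.
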
Deleted: trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch
===================================================================
--- trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch	2008-10-09 06:53:30 UTC (rev 1322)
+++ trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch	2008-10-22 10:11:46 UTC (rev 1323)
@@ -1,36 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 94_SECURITY_CVE-2008-4456.dpatch by Norbert Tretkowski <nobse at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2008-4456
-
- at DPATCH@
-=== modified file 'client/mysql.cc'
---- client/mysql.cc	2007-11-13 13:29:42 +0000
-+++ client/mysql.cc	2008-05-01 19:16:09 +0000
-@@ -2636,9 +2636,12 @@
-   {
-     while((field = mysql_fetch_field(result)))
-     {
--      tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ? 
--					 (field->name[0] ? field->name : 
--					  " &nbsp; ") : "NULL"));
-+      tee_fputs("<TH>", PAGER);
-+      if (field->name && field->name[0])
-+        xmlencode_print(field->name, field->name_length);
-+      else
-+        tee_fputs(field->name ? " &nbsp; " : "NULL", PAGER);
-+      tee_fputs("</TH>", PAGER);
-     }
-     (void) tee_fputs("</TR>", PAGER);
-   }
-@@ -2651,7 +2654,7 @@
-     for (uint i=0; i < mysql_num_fields(result); i++)
-     {
-       (void) tee_fputs("<TD>", PAGER);
--      safe_put_field(cur[i],lengths[i]);
-+      xmlencode_print(cur[i], lengths[i]);
-       (void) tee_fputs("</TD>", PAGER);
-     }
-     (void) tee_fputs("</TR>", PAGER);
-
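
Review bot: Deleting the dpatch outright puts the `--html` output path back on the calls shown on the inner `-` lines, `tee_fprintf(PAGER, "<TH>%s</TH>", ...)` for field names and `safe_put_field(cur[i],lengths[i])` for cell values, which are the two places the patch had switched to `xmlencode_print`. If the plan is to restore the fix once upstream approves it, keeping the file in the tree but unapplied would preserve the reviewed diff and make re-enabling a one-line change. The commit also touches only `debian/changelog` besides the deletion, so if the patch was ever listed in `debian/patches/00list`, please confirm that entry is gone as well, otherwise the build will reference a missing file.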



