[Pkg-mysql-commits] r1316 - in trunk/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Sun Sep 14 16:34:18 UTC 2008


tags 498362 pending
thanks

Author: nobse
Date: 2008-09-14 16:34:18 +0000 (Sun, 14 Sep 2008)
New Revision: 1316

Added:
   trunk/debian/patches/93_SECURITY_CVE-2008-3963.dpatch
Modified:
   trunk/debian/changelog
   trunk/debian/patches/00list
Log:
Fix for CVE-2008-3963

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2008-09-07 20:37:51 UTC (rev 1315)
+++ trunk/debian/changelog	2008-09-14 16:34:18 UTC (rev 1316)
@@ -1,3 +1,13 @@
+mysql-dfsg-5.0 (5.0.51a-15) unstable; urgency=high
+
+  * SECURITY:
+    Fix for CVE-2008-3963: An empty bit-string literal (b'') caused a server
+    crash. Now the value is parsed as an empty bit value (which is treated as
+    an empty string in string context or 0 in numeric context).
+    (closes: #498362)
+
+ -- Norbert Tretkowski <nobse at debian.org>  Sun, 14 Sep 2008 18:27:46 +0200
+
 mysql-dfsg-5.0 (5.0.51a-14) unstable; urgency=low
 
   * Update debconf translations:

Modified: trunk/debian/patches/00list
===================================================================
--- trunk/debian/patches/00list	2008-09-07 20:37:51 UTC (rev 1315)
+++ trunk/debian/patches/00list	2008-09-14 16:34:18 UTC (rev 1316)
@@ -22,3 +22,4 @@
 90_upstreamdebiandir.dpatch
 91_SECURITY_CVE-2007-5925.dpatch
 92_SECURITY_CVE-2008-2079.dpatch
+93_SECURITY_CVE-2008-3963.dpatch

Added: trunk/debian/patches/93_SECURITY_CVE-2008-3963.dpatch
===================================================================
--- trunk/debian/patches/93_SECURITY_CVE-2008-3963.dpatch	                        (rev 0)
+++ trunk/debian/patches/93_SECURITY_CVE-2008-3963.dpatch	2008-09-14 16:34:18 UTC (rev 1316)
@@ -0,0 +1,129 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 93_SECURITY_CVE-2008-3963.dpatch by Norbert Tretkowski <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-3963: An empty bit-string literal (b'') caused a server
+## DP: crash. Now the value is parsed as an empty bit value (which is treated
+## DP: as an empty string in string context or 0 in numeric context).
+## DP: (closes: #498362)
+
+ at DPATCH@
+=== modified file 'mysql-test/r/varbinary.result'
+--- a/mysql-test/r/varbinary.result	2007-03-09 21:29:02 +0000
++++ b/mysql-test/r/varbinary.result	2008-06-27 15:56:41 +0000
+@@ -78,3 +78,34 @@ alter table t1 modify a varchar(255);
+ select length(a) from t1;
+ length(a)
+ 6
++select 0b01000001;
++0b01000001
++A
++select 0x41;
++0x41
++A
++select b'01000001';
++b'01000001'
++A
++select x'41', 0+x'41';
++x'41'	0+x'41'
++A	65
++select N'abc', length(N'abc');
++abc	length(N'abc')
++abc	3
++select N'', length(N'');
++	length(N'')
++	0
++select '', length('');
++	length('')
++	0
++select b'', 0+b'';
++b''	0+b''
++	0
++select x'', 0+x'';
++x''	0+x''
++	0
++select 0x;
++ERROR 42S22: Unknown column '0x' in 'field list'
++select 0b;
++ERROR 42S22: Unknown column '0b' in 'field list'
+
+=== modified file 'mysql-test/t/varbinary.test'
+--- a/mysql-test/t/varbinary.test	2006-12-21 23:38:34 +0000
++++ b/mysql-test/t/varbinary.test	2008-06-27 15:56:41 +0000
+@@ -84,3 +84,31 @@ select length(a) from t1;
+ alter table t1 modify a varchar(255);
+ select length(a) from t1;
+ 
++#
++# Bug#35658 (An empty binary value leads to mysqld crash)
++#
++
++select 0b01000001;
++
++select 0x41;
++
++select b'01000001';
++
++select x'41', 0+x'41';
++
++select N'abc', length(N'abc');
++
++select N'', length(N'');
++
++select '', length('');
++
++select b'', 0+b'';
++
++select x'', 0+x'';
++
++--error ER_BAD_FIELD_ERROR
++select 0x;
++
++--error ER_BAD_FIELD_ERROR
++select 0b;
++
+
+=== modified file 'sql/item.cc'
+--- a/sql/item.cc	2008-04-21 22:53:12 +0000
++++ b/sql/item.cc	2008-06-27 15:56:41 +0000
+@@ -5013,21 +5013,28 @@ Item_bin_string::Item_bin_string(const c
+   if (!ptr)
+     return;
+   str_value.set(ptr, max_length, &my_charset_bin);
+-  ptr+= max_length - 1;
+-  ptr[1]= 0;                     // Set end null for string
+-  for (; end >= str; end--)
++
++  if (max_length > 0)
+   {
+-    if (power == 256)
++    ptr+= max_length - 1;
++    ptr[1]= 0;                     // Set end null for string
++    for (; end >= str; end--)
+     {
+-      power= 1;
+-      *ptr--= bits;
+-      bits= 0;     
++      if (power == 256)
++      {
++        power= 1;
++        *ptr--= bits;
++        bits= 0;
++      }
++      if (*end == '1')
++        bits|= power;
++      power<<= 1;
+     }
+-    if (*end == '1')
+-      bits|= power; 
+-    power<<= 1;
++    *ptr= (char) bits;
+   }
+-  *ptr= (char) bits;
++  else
++    ptr[0]= 0;
++
+   collation.set(&my_charset_bin, DERIVATION_COERCIBLE);
+   fixed= 1;
+ }
+
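Review bot: The new `else ptr[0]= 0;` branch at the end of the sql/item.cc hunk has no comment saying what it guards against, and the cause is not obvious from the surviving code: the removed lines show that with `max_length == 0` the old path did `ptr+= max_length - 1` and then stored through `ptr[1]` and `*ptr`, i.e. wrote outside the buffer for an empty `b''` literal, which any client able to run a SELECT could trigger (the crash the changelog describes). I would annotate the guard so the next refactor does not fold it away: `/* Empty literal (b''): nothing to pack and ptr+= max_length - 1 would leave the buffer; just NUL-terminate the empty value (Bug#35658, CVE-2008-3963) */`. The constructor's signature, the computation of `end` and `max_length`, and the allocation `ptr` points into all precede the hunk and are not visible here, so whether `max_length` is unsigned (making the old offset a huge positive one rather than -1) should be confirmed before the comment states the exact out-of-bounds distance. The regression cases `select b'', 0+b''` and `select x'', 0+x''` in varbinary.test do cover the empty literal in both string and numeric context, which is the right shape for this fix.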