[Pkg-mysql-commits] r1641 - in mysql-dfsg-5.0/branches/lenny-security/debian: . patches
Christian Hammers
ch at alioth.debian.org
Tue Jul 21 23:19:48 UTC 2009
tags 536726 pending
thanks
Author: ch
Date: 2009-07-21 23:19:47 +0000 (Tue, 21 Jul 2009)
New Revision: 1641
Added:
mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
Modified:
mysql-dfsg-5.0/branches/lenny-security/debian/changelog
mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list
Log:
Preparing DSA
Modified: mysql-dfsg-5.0/branches/lenny-security/debian/changelog
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/changelog 2009-07-21 22:36:14 UTC (rev 1640)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/changelog 2009-07-21 23:19:47 UTC (rev 1641)
@@ -1,3 +1,15 @@
+mysql-dfsg-5.0 (5.0.51a-24+lenny2) stable-security; urgency=high
+
+ * SECURITY:
+ Fix for CVE-2009-2446: Multiple format string vulnerabilities in the
+ dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL
+ 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial
+ of service (daemon crash) and possibly have unspecified other impact via
+ format string specifiers in a database name in a (1) COM_CREATE_DB or
+ (2) COM_DROP_DB request. Closes: #536726
+
+ -- Christian Hammers <ch at debian.org> Wed, 22 Jul 2009 00:10:42 +0200
+
mysql-dfsg-5.0 (5.0.51a-24+lenny1) stable-security; urgency=high
* Non-maintainer upload by the security team.
Modified: mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list 2009-07-21 22:36:14 UTC (rev 1640)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list 2009-07-21 23:19:47 UTC (rev 1641)
@@ -30,3 +30,4 @@
92_SECURITY_CVE-2008-4098.dpatch
93_SECURITY_CVE-2008-3963.dpatch
94_SECURITY_CVE-2008-4456.dpatch
+95_SECURITY_CVE-2009-2446.dpatch
Added: mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch (rev 0)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch 2009-07-21 23:19:47 UTC (rev 1641)
@@ -0,0 +1,95 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99-unnamed.dpatch by Christian Hammers <ch at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Patch provided by Sergei Golubchik of MySQL.
+
+ at DPATCH@
+
+# From: Date: July 1 2009 2:09pm
+# Subject: bzr commit into mysql-5.0-bugteam branch (staale.smedseng:2789) Bug#45790
+# List-Archive: http://lists.mysql.com/commits/77649
+#
+# #At file:///export/home/tmp/ss156133/z/45790-50/ based on revid:staale.smedseng at stripped
+#
+# 2789 Staale Smedseng 2009-07-01
+# Bug #45790 Potential DoS vector: Writing of user input to log
+# without proper formatting
+#
+# The problem is that a suitably crafted database identifier
+# supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
+# and thereby a denial of service. The database name is printed
+# to the log without using a format string, so potential
+# attackers can control the behavior of my_b_vprintf() by
+# supplying their own format string. A CREATE or DROP privilege
+# would be required.
+#
+# This patch supplies a format string to the printing of the
+# database name. A test case is added to mysql_client_test.
+# @ sql/sql_parse.cc
+# Added format strings.
+# @ tests/mysql_client_test.c
+# Added new test case.
+#
+# modified:
+# sql/sql_parse.cc
+# tests/mysql_client_test.c
+--- old/sql/sql_parse.cc 2009-07-22 00:28:28.000000000 +0200
++++ new/sql/sql_parse.cc 2009-07-22 00:29:32.000000000 +0200
+@@ -1935,7 +1935,7 @@
+ }
+ if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
+ break;
+- mysql_log.write(thd,command,packet);
++ mysql_log.write(thd, command, "%s", db);
+ bzero(&create_info, sizeof(create_info));
+ mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
+ &create_info, 0);
+@@ -1960,7 +1960,7 @@
+ ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
+ break;
+ }
+- mysql_log.write(thd,command,db);
++ mysql_log.write(thd, command, "%s", db);
+ mysql_rm_db(thd, db, 0, 0);
+ break;
+ }
+--- old/tests/mysql_client_test.c 2009-05-05 09:07:11 +0000
++++ new/tests/mysql_client_test.c 2009-07-01 12:09:44 +0000
+@@ -12063,6 +12063,27 @@ static void test_bug6081()
+ }
+
+
++/*
++ Verify that bogus database names are handled properly with
++ COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
++ the use of printf specifiers in the database name.
++*/
++static void test_bug45790()
++{
++ const char* bogus_db = "%s%s%s%s%s%s%s";
++ int rc;
++
++ myheader("test_bug45790");
++ rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
++ (ulong)strlen(bogus_db), 0);
++ myquery(rc);
++
++ rc= simple_command(mysql, COM_DROP_DB, bogus_db,
++ (ulong)strlen(bogus_db), 0);
++ myquery(rc);
++}
++
++
+ static void test_bug6096()
+ {
+ MYSQL_STMT *stmt;
+@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
+ { "test_bug6059", test_bug6059 },
+ { "test_bug6046", test_bug6046 },
+ { "test_bug6081", test_bug6081 },
++ { "test_bug45790",test_bug45790 },
+ { "test_bug6096", test_bug6096 },
+ { "test_datetime_ranges", test_datetime_ranges },
+ { "test_bug4172", test_bug4172 },
+
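Review bot: The two `mysql_log.write(thd, command, "%s", db);` replacements in the embedded sql/sql_parse.cc hunks fix only the COM_CREATE_DB and COM_DROP_DB call sites. The rest of dispatch_command lies outside both hunks, so any other `mysql_log.write` call there that passes a non-literal third argument should be checked before the upload. Declaring the varargs `write` overload with a printf format attribute (GCC's `__attribute__((format(printf, ...)))`) and building with `-Wformat-security` would make the compiler report such calls instead of leaving them to review. The added test_bug45790 presumably reaches the logging path only when the server under test has the general query log enabled, and `myquery(rc)` checks only the client-side return code. A comment above the function such as `/* needs the general query log enabled; otherwise the format path is never exercised */` would state that dependency.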
Property changes on: mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
___________________________________________________________________
Added: svn:executable
+ *