[Pkg-mysql-commits] r1641 - in mysql-dfsg-5.0/branches/lenny-security/debian: . patches

Christian Hammers ch at alioth.debian.org
Tue Jul 21 23:19:48 UTC 2009


tags 536726 pending
thanks

Author: ch
Date: 2009-07-21 23:19:47 +0000 (Tue, 21 Jul 2009)
New Revision: 1641

Added:
   mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
Modified:
   mysql-dfsg-5.0/branches/lenny-security/debian/changelog
   mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list
Log:
Preparing DSA


Modified: mysql-dfsg-5.0/branches/lenny-security/debian/changelog
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/changelog	2009-07-21 22:36:14 UTC (rev 1640)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/changelog	2009-07-21 23:19:47 UTC (rev 1641)
@@ -1,3 +1,15 @@
+mysql-dfsg-5.0 (5.0.51a-24+lenny2) stable-security; urgency=high
+
+  * SECURITY:
+    Fix for CVE-2009-2446: Multiple format string vulnerabilities in the
+    dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 
+    4.0.0 through 5.0.83 allow remote authenticated users to cause a denial
+    of service (daemon crash) and possibly have unspecified other impact via
+    format string specifiers in a database name in a (1) COM_CREATE_DB or 
+    (2) COM_DROP_DB request. Closes: #536726
+
+ -- Christian Hammers <ch at debian.org>  Wed, 22 Jul 2009 00:10:42 +0200
+
 mysql-dfsg-5.0 (5.0.51a-24+lenny1) stable-security; urgency=high
 
   * Non-maintainer upload by the security team.

Modified: mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list	2009-07-21 22:36:14 UTC (rev 1640)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/patches/00list	2009-07-21 23:19:47 UTC (rev 1641)
@@ -30,3 +30,4 @@
 92_SECURITY_CVE-2008-4098.dpatch
 93_SECURITY_CVE-2008-3963.dpatch
 94_SECURITY_CVE-2008-4456.dpatch
+95_SECURITY_CVE-2009-2446.dpatch

Added: mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
===================================================================
--- mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch	                        (rev 0)
+++ mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch	2009-07-21 23:19:47 UTC (rev 1641)
@@ -0,0 +1,95 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99-unnamed.dpatch by Christian Hammers <ch at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Patch provided by Sergei Golubchik of MySQL.
+
+ at DPATCH@
+
+# From: Date: July 1 2009 2:09pm
+# Subject: bzr commit into mysql-5.0-bugteam branch (staale.smedseng:2789) Bug#45790
+# List-Archive: http://lists.mysql.com/commits/77649
+# 
+# #At file:///export/home/tmp/ss156133/z/45790-50/ based on revid:staale.smedseng at stripped
+# 
+#  2789 Staale Smedseng   2009-07-01
+#       Bug #45790 Potential DoS vector: Writing of user input to log
+#       without proper formatting
+#             
+#       The problem is that a suitably crafted database identifier
+#       supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
+#       and thereby a denial of service. The database name is printed
+#       to the log without using a format string, so potential
+#       attackers can control the behavior of my_b_vprintf() by
+#       supplying their own format string. A CREATE or DROP privilege
+#       would be required.
+#             
+#       This patch supplies a format string to the printing of the
+#       database name. A test case is added to mysql_client_test.
+#      @ sql/sql_parse.cc
+#         Added format strings.
+#      @ tests/mysql_client_test.c
+#         Added new test case.
+# 
+#     modified:
+#       sql/sql_parse.cc
+#       tests/mysql_client_test.c
+--- old/sql/sql_parse.cc   2009-07-22 00:28:28.000000000 +0200
++++ new/sql/sql_parse.cc    2009-07-22 00:29:32.000000000 +0200
+@@ -1935,7 +1935,7 @@
+       }
+       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
+ 	break;
+-      mysql_log.write(thd,command,packet);
++      mysql_log.write(thd, command, "%s", db);
+       bzero(&create_info, sizeof(create_info));
+       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
+                       &create_info, 0);
+@@ -1960,7 +1960,7 @@
+                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
+ 	break;
+       }
+-      mysql_log.write(thd,command,db);
++      mysql_log.write(thd, command, "%s", db);
+       mysql_rm_db(thd, db, 0, 0);
+       break;
+     }
+--- old/tests/mysql_client_test.c 2009-05-05 09:07:11 +0000
++++ new/tests/mysql_client_test.c 2009-07-01 12:09:44 +0000
+@@ -12063,6 +12063,27 @@ static void test_bug6081()
+ }
+ 
+ 
++/*
++  Verify that bogus database names are handled properly with
++  COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
++  the use of printf specifiers in the database name.
++*/
++static void test_bug45790()
++{
++  const char* bogus_db = "%s%s%s%s%s%s%s";
++  int rc;
++
++  myheader("test_bug45790");
++  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
++                     (ulong)strlen(bogus_db), 0);
++  myquery(rc);
++
++  rc= simple_command(mysql, COM_DROP_DB, bogus_db,
++                     (ulong)strlen(bogus_db), 0);
++  myquery(rc);
++}
++
++
+ static void test_bug6096()
+ {
+   MYSQL_STMT *stmt;
+@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
+   { "test_bug6059", test_bug6059 },
+   { "test_bug6046", test_bug6046 },
+   { "test_bug6081", test_bug6081 },
++  { "test_bug45790",test_bug45790 },
+   { "test_bug6096", test_bug6096 },
+   { "test_datetime_ranges", test_datetime_ranges },
+   { "test_bug4172", test_bug4172 },
+
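Review bot: The embedded sql_parse.cc change fixes only the COM_CREATE_DB and COM_DROP_DB calls to `mysql_log.write()`, and both inner hunks start and end inside the enclosing function, so any other call there that still passes a client-supplied buffer as the third (format) argument is not visible here and should be checked before the DSA is released. The COM_CREATE_DB site also now logs `db` instead of `packet`, presumably the processed copy of the name; a comment such as `/* db is client-controlled: always log it through "%s", never as the format */` at both sites would stop the constraint being undone later. In the dpatch header, `## 99-unnamed.dpatch` is the template name and the `## DP:` line does not say what is fixed; consider `## 95_SECURITY_CVE-2009-2446.dpatch` and `## DP: Fix format string bug in COM_CREATE_DB/COM_DROP_DB logging (CVE-2009-2446, MySQL Bug#45790)`. test_bug45790 only checks the return code for a name made of `%s` specifiers, so it guards against the crash but would not notice the specifiers being expanded into the log.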


Property changes on: mysql-dfsg-5.0/branches/lenny-security/debian/patches/95_SECURITY_CVE-2009-2446.dpatch
___________________________________________________________________
Added: svn:executable
   + *



