[Pkg-mysql-commits] r1805 - in mysql-dfsg-5.1/branches/unstable/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Wed Jan 13 18:06:07 UTC 2010
Author: nobse
Date: 2010-01-13 18:05:54 +0000 (Wed, 13 Jan 2010)
New Revision: 1805
Added:
mysql-dfsg-5.1/branches/unstable/debian/patches/96_SECURITY_CVE-2009-4484.dpatch
Modified:
mysql-dfsg-5.1/branches/unstable/debian/changelog
mysql-dfsg-5.1/branches/unstable/debian/patches/00list
Log:
Fix CVE-2009-4484.
Modified: mysql-dfsg-5.1/branches/unstable/debian/changelog
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/changelog 2010-01-13 12:22:42 UTC (rev 1804)
+++ mysql-dfsg-5.1/branches/unstable/debian/changelog 2010-01-13 18:05:54 UTC (rev 1805)
@@ -1,11 +1,14 @@
-mysql-dfsg-5.1 (5.1.42-1) UNRELEASED; urgency=low
+mysql-dfsg-5.1 (5.1.41-4) unstable; urgency=high
- * New upstream release.
+ * SECURITY:
+ Fix for CVE-2009-4484: Copying issuer's (or subject's) name tags into an
+ internal buffer from incoming stream we didn't check the buffer overflow.
+ That may lead to memory overrun, crash etc.
* New patch 11_binlog_wrong_offset.dpatch to fix an undefined behaviour
when building with gcc 4.4.x. (closes: #554207)
* Include symlinks for mysqlcheck manpages. (closes: #558760)
- -- Norbert Tretkowski <nobse at debian.org> Fri, 01 Jan 2010 13:37:54 +0100
+ -- Norbert Tretkowski <nobse at debian.org> Fri, 01 Jan 2010 19:03:25 +0100
mysql-dfsg-5.1 (5.1.41-3) unstable; urgency=low
Modified: mysql-dfsg-5.1/branches/unstable/debian/patches/00list
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/00list 2010-01-13 12:22:42 UTC (rev 1804)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/00list 2010-01-13 18:05:54 UTC (rev 1805)
@@ -8,3 +8,4 @@
41_scripts__mysql_install_db.sh__no_test.dpatch
44_scripts__mysql_config__libs.dpatch
50_mysql-test__db_test.dpatch
+96_SECURITY_CVE-2009-4484.dpatch
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/96_SECURITY_CVE-2009-4484.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/96_SECURITY_CVE-2009-4484.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/96_SECURITY_CVE-2009-4484.dpatch 2010-01-13 18:05:54 UTC (rev 1805)
@@ -0,0 +1,245 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 96_SECURITY_CVE-2009-4484.dpatch by Norbert Tretkowski <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2009-4484: Copying issuer's (or subject's) name tags into an
+## DP: internal buffer from incoming stream we didn't check the buffer overflow.
+## DP: That may lead to memory overrun, crash etc.
+
+
+ at DPATCH@
+=== modified file 'extra/yassl/taocrypt/include/asn.hpp'
+--- a/extra/yassl/taocrypt/include/asn.hpp 2007-01-29 15:54:40 +0000
++++ b/extra/yassl/taocrypt/include/asn.hpp 2010-01-13 05:20:45 +0000
+@@ -305,6 +305,7 @@ private:
+ bool ValidateSignature(SignerList*);
+ bool ConfirmSignature(Source&);
+ void GetKey();
++ char* AddTag(char*, const char*, const char*, word32, word32);
+ void GetName(NameType);
+ void GetValidity();
+ void GetDate(DateType);
+
+=== modified file 'extra/yassl/taocrypt/src/asn.cpp'
+--- a/extra/yassl/taocrypt/src/asn.cpp 2009-06-29 13:17:01 +0000
++++ b/extra/yassl/taocrypt/src/asn.cpp 2010-01-13 05:20:45 +0000
+@@ -652,6 +652,23 @@ word32 CertDecoder::GetDigest()
+ }
+
+
++char *CertDecoder::AddTag(char *ptr, const char *buf_end,
++ const char *tag_name, word32 tag_name_length,
++ word32 tag_value_length)
++{
++ if (ptr + tag_name_length + tag_value_length > buf_end)
++ return 0;
++
++ memcpy(ptr, tag_name, tag_name_length);
++ ptr+= tag_name_length;
++
++ memcpy(ptr, source_.get_current(), tag_value_length);
++ ptr+= tag_value_length;
++
++ return ptr;
++}
++
++
+ // process NAME, either issuer or subject
+ void CertDecoder::GetName(NameType nt)
+ {
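Review bot: The bounds check in AddTag, `if (ptr + tag_name_length + tag_value_length > buf_end)`, forms a pointer beyond the end of the buffer before comparing, and the callers in GetName pass lengths returned by GetLength(source_), i.e. values taken from the certificate being parsed. For a large length that addition is undefined behaviour and, on a 32-bit address space, can wrap to a value below buf_end, so the check passes and the memcpy still overruns. Comparing sizes against the remaining room avoids this: `size_t room = buf_end - ptr;` followed by `if (tag_name_length > room || tag_value_length > room - tag_name_length) return 0;`. The second memcpy also reads tag_value_length bytes from source_.get_current(), and nothing visible in this hunk confirms the source still holds that many bytes; that may be enforced elsewhere, but it is worth verifying.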
+@@ -659,11 +676,21 @@ void CertDecoder::GetName(NameType nt)
+
+ SHA sha;
+ word32 length = GetSequence(); // length of all distinguished names
+- assert (length < ASN_NAME_MAX);
++
++ if (length >= ASN_NAME_MAX)
++ goto err;
+ length += source_.get_index();
+
+- char* ptr = (nt == ISSUER) ? issuer_ : subject_;
+- word32 idx = 0;
++ char *ptr, *buf_end;
++
++ if (nt == ISSUER) {
++ ptr= issuer_;
++ buf_end= ptr + sizeof(issuer_) - 1; // 1 byte for trailing 0
++ }
++ else {
++ ptr= subject_;
++ buf_end= ptr + sizeof(subject_) - 1; // 1 byte for trailing 0
++ }
+
+ while (source_.get_index() < length) {
+ GetSet();
+@@ -685,47 +712,36 @@ void CertDecoder::GetName(NameType nt)
+ byte id = source_.next();
+ b = source_.next(); // strType
+ word32 strLen = GetLength(source_);
+- bool copy = false;
+
+- if (id == COMMON_NAME) {
+- memcpy(&ptr[idx], "/CN=", 4);
+- idx += 4;
+- copy = true;
+- }
+- else if (id == SUR_NAME) {
+- memcpy(&ptr[idx], "/SN=", 4);
+- idx += 4;
+- copy = true;
+- }
+- else if (id == COUNTRY_NAME) {
+- memcpy(&ptr[idx], "/C=", 3);
+- idx += 3;
+- copy = true;
+- }
+- else if (id == LOCALITY_NAME) {
+- memcpy(&ptr[idx], "/L=", 3);
+- idx += 3;
+- copy = true;
+- }
+- else if (id == STATE_NAME) {
+- memcpy(&ptr[idx], "/ST=", 4);
+- idx += 4;
+- copy = true;
+- }
+- else if (id == ORG_NAME) {
+- memcpy(&ptr[idx], "/O=", 3);
+- idx += 3;
+- copy = true;
+- }
+- else if (id == ORGUNIT_NAME) {
+- memcpy(&ptr[idx], "/OU=", 4);
+- idx += 4;
+- copy = true;
+- }
+-
+- if (copy) {
+- memcpy(&ptr[idx], source_.get_current(), strLen);
+- idx += strLen;
++ switch (id) {
++ case COMMON_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen)))
++ goto err;
++ break;
++ case SUR_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen)))
++ goto err;
++ break;
++ case COUNTRY_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen)))
++ goto err;
++ break;
++ case LOCALITY_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen)))
++ goto err;
++ break;
++ case STATE_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen)))
++ goto err;
++ break;
++ case ORG_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen)))
++ goto err;
++ break;
++ case ORGUNIT_NAME:
++ if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen)))
++ goto err;
++ break;
+ }
+
+ sha.Update(source_.get_current(), strLen);
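Review bot: Each case of the new switch pairs a tag literal with a hand-counted length (`"/CN=", 4`, `"/C=", 3`, and so on), so a later edit to a literal that misses the number would copy the wrong byte count into issuer_ or subject_ without any diagnostic. Deriving the length from the literal, e.g. `AddTag(ptr, buf_end, "/CN=", sizeof("/CN=") - 1, strLen)`, or selecting the tag in the switch and making a single AddTag call after it, removes that risk and the seven repeated `goto err` branches. Ids not listed appear to be hashed by the following sha.Update but not copied; since the switch has no default, a comment such as `// other attribute types are hashed but not added to the name string` would make that intent explicit. The enclosing loop in GetName starts and ends outside this hunk.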
+@@ -739,23 +755,20 @@ void CertDecoder::GetName(NameType nt)
+ source_.advance(oidSz + 1);
+ word32 length = GetLength(source_);
+
+- if (email) {
+- memcpy(&ptr[idx], "/emailAddress=", 14);
+- idx += 14;
+-
+- memcpy(&ptr[idx], source_.get_current(), length);
+- idx += length;
+- }
++ if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length)))
++ goto err;
+
+ source_.advance(length);
+ }
+ }
+- ptr[idx++] = 0;
++ *ptr= 0;
+
+- if (nt == ISSUER)
+- sha.Final(issuerHash_);
+- else
+- sha.Final(subjectHash_);
++ sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_);
++
++ return;
++
++err:
++ source_.SetError(CONTENT_E);
+ }
+
+
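Review bot: On the `err:` path the function returns without writing a terminator, so issuer_ or subject_ can be left holding a partial, unterminated name built from tags copied in earlier loop iterations. Whether the buffers are zeroed beforehand, and whether every caller checks the source error before reading them, is not visible here. Terminating at the start of the buffer before `source_.SetError(CONTENT_E);`, e.g. `(nt == ISSUER ? issuer_ : subject_)[0] = 0;`, would make the failure state safe to read. The buffer base has to be used rather than `ptr`, because the first `goto err` (the `length >= ASN_NAME_MAX` check) is taken before `ptr` is assigned. GetName begins outside this hunk.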
+
+
+--Boundary_(ID_+NCS5Ir28uUsrYRvF/Mg8g)
+MIME-version: 1.0
+Content-type: text/bzr-bundle; CHARSET=US-ASCII;
+ name="bzr/ramil at stripped"
+Content-transfer-encoding: 7BIT
+Content-disposition: inline;
+ filename="bzr/ramil at stripped"
+
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: ramil at stripped
+# target_branch: file:///home/ram/mysql/b50227-5.0-bugteam/
+# testament_sha1: efdd6cde5d04e8642a9e836e161402ebaf5659bd
+# timestamp: 2010-01-13 09:20:50 +0400
+# base_revision_id: gshchepa at stripped
+#
+# Begin bundle
+IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWc88VrsABGX/gFRVAQB5////
+/+/+YL////pgCQ+1o92KUFA1rWru46O7AOgAqGSjE0Uem1T1B6j1PU9NQMgaDT1AAAAeoDQAkkjU
+ZU9soyPUZENTamjJoNBhB6gPRAAA0DhoZNNDTI0NMjIMjI0MgMTRk0AZMjEMMhEU9DSbU0zKAYyg
+A9QANAAAADQOGhk00NMjQ0yMgyMjQyAxNGTQBkyMQwkkJoNAmmgCZBkTTTEKeZJpig0NPU0B5NR+
+kaZjNA+CCh/p85dE4vv03CwNQCyoWYIFgSQo20Jc+6w30JvunCsoclCKTJY9GGVqYZ6B0yxV6YJN
+kz1+aEyo+myYF2WRCmjO/G150z54EOF0cUUIWNitkIVQyEgYBKB1OFxiBht+YHz/Sx59W+pQwpri
+1HWrB5ioIUREJj209CJ8DHVha5FLpW9TWH123oCjBbaoDRmo3ThU/pjCZk1Tc9pnPzwzsBsMHG16
+6kx2dOYB9SbkWQsE+WqdOqdsmT99aCUDy8k4+vKf8vx+nkvsYW8acnys1X457TGtSkTka9mR5B0x
+IqKWedTEviWAXlOlKjnpeZlZpBEBLHVSpsF4ltxhIhVOObbJxk2deiCnPduV/wm4O6604XOa4CAD
+ATQuunANC4r+Vs2XTWp0r80zh4bm9fncoAcx8AI7vruA7t3E5enuonAjglHLNr/rVOYhgjwZDh86
+B3SAyDwK+L2OgZmdZc1s8ka+Ao7QXN7KFqFUocXv4AYF3qhfjsTlJVOsuqu7ttt7cWfVcyQyHMiv
+kLUaEq53XepF/rPJpD8BUR22ugkDO18YPhB1LwXncBuGSGIJDYhtAfEeKYB7DCqAh4TDyDYlBEhU
+oj6iQ4+x7FUTnjMoog0GUYDiDN0MkPYlbx6cZUK8kYZDKKgUvyGSmu6QFt4r1C1OlZHAiFzGZypJ
+c9bXTligPOY4DAcxGtmMKyAMUK5PPEEVATlDKaKwxBxSLOayAGEJtlGe5y01ifG6hyKS4jlMNfPl
+pjTqpzRCADK4uZPZYg4WrjVhk5gLZseSlSC4oP/rdd3LoTpwH45ab8jqa5g2TD1qOUmrInWmFPPN
+NS+UUEF7ylbpOOIqpV6ltrq2KGNxdbvNa+QG62rYrBZiBtUusJgMxo0mQpYwomrGoi4oMALlsWuU
+puUc+FWWoH8GJEXLOmKFVUKW/KWHPsV3D2cirn0Wung2kfsM2W0o5vLJIhUMGI2dNQWBmOHg4Np5
+K5aZZacvJeGgCiYUjbMaNhUFIxDJO64xNKuqpamVFZZO7gP52IHStvpSsXf2bKrSyg4mTNNbfWQg
+QeMmDSPZMUzzonz98tTUP3jtz+8iKKTxpHE7Fhmcl8WUXMB4jWjfA9Pz+nJg+cCWKbAWQLWQskdo
+ITmCjfNEjQqyQwKjnhdrRKAEfDG8COT9ekegolrGTM3mv0tH8WPx0HNWlTZrHum9+/EX9ZtXqjcy
+O6V0qz7T0JVzAZK6LXgY3tlc/FgjQU1E73KaKoKDGrbMqbNy5F9iFcRtLjGhos3KkXWxP1c6fTYm
+0plRcsKzrX7hpWdE98F8gxCcsFKIQZwWojeJkPAiGofNePHC8TtPku86z8C47FapEj1ln395+BSU
+tEbCcpnSKREggh3hHF9LMYf7s9APT0jcvoKeB2uMA9z0SYMANIE/kej8l2ucnbQy0sdlRFP/fiBA
+0nK41nnNJgGLPWiXvvYWksn4Su1sA31OOZDMstBiL4UD2oCqKNOoShTqrxvTC6I/gl2GIQhjioXI
+13QqqpuHtNeSJ9QKrC+QXBh9IBCXEThsoCEjnmK1apPcg6B1+8xCJEPaR9s4e0mCIHIkXVjj3pHS
+Nk2FcXlRRyrl8K4HJ7FbKo2+sBiH9licxDa/STtngOVEwzF87ZTO59oStl4lYTmqMXHnK0TIjpGZ
+hto4ee9GxBVN7lpH9JvIjlbcsxOlLQBhtN+GLf8GBdCUAOpC3TiPHnLE5MLeVq/ebmDPMxsgEaAl
+Dqkggqf5mkXE57sQqaX8ZpRBaJ0cxsKakjR0nBLifA0E/DvNi1oVRoEVp6XQv0PNtMDOs4SW5h4i
+GZ4YjoEiA1WitQIcang5CVa8Jev1/RLJZB6taCNU3BTNdBzaDhMQ5BcsqIA5CUBHKpxnGEV4GQpe
+3bplIgF63pDvj1rflAbNt83YI6qTcl495xmWnpsXN1iG6RDEiPUUh5W+l5mRn3znxLCJi3ZO6tBt
+o6UEFO3d7arwpCj2rYvcutHFd6ZbdoGtKiOpFyhUNxBWGNDgmEMfBxwadksba6zM0GRhO05F9/Wd
+ilyh6u6q0pD4Jz1mIDIURzHWr3D0jK9dpw5sp55xFRva9ShSp+DZ+2xeQKUxfXU9P0E2mJYlAwEP
+eBNF4DT1ahgYOWUAoEMhlORrksFECM9ThF+6Sq24xsBh4yq9LOTDClY9T9aRazrYhrTig13p5AAp
+kMEmDBqeF5JjAsNbieKOuEy0zWsbJSQUK4yKQYBUBmmEZdlmZULdu3C0dinVZkFoT+EOiDJkzXyk
+mOfzhabGPk4BmHOcB7TCouMVR2r8l1V6QXRzsjlVSrHuBzOB4l4wFtWZb3jIJgThkmTBOhj6ZzxB
+ijLarSR5lUDiX3VCVZ2W3gZ/LZ7OT2PMrJ9gdqaV6vT+3Jeegn6BYdCoEU/m4JmCTBFODUH3f2uK
+LtdFozODSB6NXojBanrBVrNoZA8cVEgY99Ih1M281tJznM3SCqhYikO2xD3BO5kUgutq0eqETt91
+TyKND5ONU1ew18Vo1VECNANQUdwNGvJ3MgdiZjz1ZNBvrybbq0YQW9Mi8YgBNRlHj3oHF6HrBCTk
+pBAcQCLBZH3K5TBzzo/dzF4no60kWpnrbxpUZljc9yoHDlrhitnBawneqEoc1iBymCgDmxNmVLc7
+E9qyprFnWjNERyLNLQO2DaVtUC1QuW81FBALYgrh0r0bn7wL+TTOBFds4D/i7kinChIZ54rXYA==
+
+
+--Boundary_(ID_+NCS5Ir28uUsrYRvF/Mg8g)--