rpms/mysql/F-12 mysql-cve-2008-7247.patch, NONE, 1.1 my.cnf, 1.5, 1.6 mysql.spec, 1.136, 1.137
Tom Lane
tgl at fedoraproject.org
Thu Jan 28 20:36:07 UTC 2010
Author: tgl
Update of /cvs/pkgs/rpms/mysql/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26348
Modified Files:
my.cnf mysql.spec
Added Files:
mysql-cve-2008-7247.patch
Log Message:
Add backported patch for CVE-2008-7247 (upstream bug 39277); sync with devel branch
mysql-cve-2008-7247.patch:
sql_table.cc | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
--- NEW FILE mysql-cve-2008-7247.patch ---
Back-ported patch for upstream bug #39277.
diff -Naur mysql-5.1.42.orig/sql/sql_table.cc mysql-5.1.42/sql/sql_table.cc
--- mysql-5.1.42.orig/sql/sql_table.cc 2009-12-16 12:57:30.000000000 -0500
+++ mysql-5.1.42/sql/sql_table.cc 2010-01-28 14:33:52.000000000 -0500
@@ -3892,15 +3892,43 @@
create_info->table_existed= 0; // Mark that table is created
#ifdef HAVE_READLINK
- if (test_if_data_home_dir(create_info->data_file_name))
{
- my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
- goto unlock_and_end;
- }
- if (test_if_data_home_dir(create_info->index_file_name))
- {
- my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
- goto unlock_and_end;
+ size_t dirlen;
+ char dirpath[FN_REFLEN];
+
+ /*
+ data_file_name and index_file_name include the table name without
+ extension. Mostly this does not refer to an existing file. When
+ comparing data_file_name or index_file_name against the data
+ directory, we try to resolve all symbolic links. On some systems,
+ we use realpath(3) for the resolution. This returns ENOENT if the
+ resolved path does not refer to an existing file. my_realpath()
+ does then copy the requested path verbatim, without symlink
+ resolution. Thereafter the comparison can fail even if the
+ requested path is within the data directory. E.g. if symlinks to
+ another file system are used. To make realpath(3) return the
+ resolved path, we strip the table name and compare the directory
+ path only. If the directory doesn't exist either, table creation
+ will fail anyway.
+ */
+ if (create_info->data_file_name)
+ {
+ dirname_part(dirpath, create_info->data_file_name, &dirlen);
+ if (test_if_data_home_dir(dirpath))
+ {
+ my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
+ goto unlock_and_end;
+ }
+ }
+ if (create_info->index_file_name)
+ {
+ dirname_part(dirpath, create_info->index_file_name, &dirlen);
+ if (test_if_data_home_dir(dirpath))
+ {
+ my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
+ goto unlock_and_end;
+ }
+ }
}
#ifdef WITH_PARTITION_STORAGE_ENGINE
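Review bot: The new directory test inside the `HAVE_READLINK` block is a check-time test only: per the patch's own comment, a directory that does not resolve is compared verbatim and the code relies on table creation failing later, in code outside this hunk. I would state that dependency next to the check, e.g. `/* Check-time only; relies on the later create failing for a missing directory. */`, and confirm the path is not re-resolved differently when the files are actually created. It is also worth confirming that `dirname_part()` bounds its output to `FN_REFLEN`, since `dirpath` is a fixed stack buffer filled from what is presumably a statement-supplied path. `dirlen` is written but never read. The enclosing function starts and ends outside the hunk.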
Index: my.cnf
===================================================================
RCS file: /cvs/pkgs/rpms/mysql/F-12/my.cnf,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- my.cnf 27 Jul 2008 17:54:30 -0000 1.5
+++ my.cnf 28 Jan 2010 20:36:07 -0000 1.6
@@ -6,6 +6,10 @@ user=mysql
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
+# Disabling symbolic-links is recommended to prevent assorted security risks;
+# to do so, uncomment this line:
+# symbolic-links=0
+
# To allow mysqld to connect to a MySQL Cluster management daemon, uncomment
# these lines and adjust the connectstring as needed.
#ndbcluster
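Review bot: The added comment recommends `symbolic-links=0` but does not say what the setting changes, and the line ships commented out, so a default install keeps symlink support enabled. I would add one line such as `# (when set, DATA DIRECTORY and INDEX DIRECTORY table options are ignored)` so an administrator can judge the impact before enabling it. That wording should be checked against the 5.1 manual before it goes in.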
Index: mysql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mysql/F-12/mysql.spec,v
retrieving revision 1.136
retrieving revision 1.137
diff -u -p -r1.136 -r1.137
--- mysql.spec 2 Jan 2010 20:26:34 -0000 1.136
+++ mysql.spec 28 Jan 2010 20:36:07 -0000 1.137
@@ -1,6 +1,6 @@
Name: mysql
Version: 5.1.42
-Release: 2%{?dist}
+Release: 7%{?dist}
Summary: MySQL client programs and shared libraries
Group: Applications/Databases
URL: http://www.mysql.com
@@ -9,9 +9,12 @@ URL: http://www.mysql.com
License: GPLv2 with exceptions
# Regression tests take a long time, you can skip 'em with this
-%{!?runselftest:%define runselftest 1}
+%{!?runselftest:%global runselftest 1}
-Source0: http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-%{version}.tar.gz
+# Upstream has a mirror redirector for downloads, so the URL is hard to
+# represent statically. You can get the tarball by following a link from
+# http://dev.mysql.com/downloads/mysql/
+Source0: mysql-%{version}.tar.gz
Source1: mysql.init
Source3: my.cnf
Source4: scriptstub.c
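Review bot: With `Source0:` reduced to a bare filename, the spec no longer records a fetchable origin for the tarball, and the new comment says where to find it but not how to check it. I would extend the comment with one line such as `# Verify the tarball against upstream's published checksum or signature before importing.` The `%define` to `%global` change in the same hunk needs no comment.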
@@ -34,6 +37,7 @@ Patch8: mysql-setschedparam.patch
Patch9: mysql-ndb-stacksize.patch
Patch10: mysql-strmov.patch
Patch11: mysql-signal-align.patch
+Patch12: mysql-cve-2008-7247.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gperf, perl, readline-devel, openssl-devel
@@ -51,7 +55,7 @@ Conflicts: MySQL
Obsoletes: mysql-client mysql-perl
# Working around perl dependency checking bug in rpm FTTB. Remove later.
-%define __perl_requires %{SOURCE999}
+%global __perl_requires %{SOURCE999}
%description
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
@@ -178,6 +182,7 @@ the MySQL sources.
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
libtoolize --force
aclocal
@@ -186,6 +191,17 @@ autoconf
autoheader
%build
+
+# fail quickly and obviously if user tries to build as root
+%if %runselftest
+ if [ x"`id -u`" = x0 ]; then
+ echo "mysql's regression tests fail if run as root."
+ echo "If you really need to build the RPM as root, use"
+ echo "--define='runselftest 0' to skip the regression tests."
+ exit 1
+ fi
+%endif
+
CFLAGS="%{optflags} -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
# MySQL 4.1.10 definitely doesn't work under strict aliasing; also,
# gcc 4.1 breaks MySQL 5.0.16 without -fwrapv
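Review bot: The three `echo` lines in the root-build guard write the failure text to stdout, while the `exit 1` that follows makes this an error path. Sending them to stderr keeps the reason visible when build output is split or filtered, e.g. `echo "mysql's regression tests fail if run as root." >&2`. The `%build` section continues outside the hunk.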
@@ -652,6 +668,16 @@ fi
%{_mandir}/man1/mysql_client_test.1*
%changelog
+* Thu Jan 28 2010 Tom Lane <tgl at redhat.com> 5.1.42-7
+- Add backported patch for CVE-2008-7247 (upstream bug 39277)
+Related: #543619
+- Emit explicit error message if user tries to build RPM as root
+Related: #558915
+- Correct Source0: tag and comment to reflect how to get the tarball
+- Add comment suggesting disabling symbolic links in /etc/my.cnf
+Related: #553652
+- Change %%define to %%global, per packaging guidelines
+
* Sat Jan 2 2010 Tom Lane <tgl at redhat.com> 5.1.42-2
- Disable building the innodb plugin; it tickles assorted gcc bugs and
doesn't seem entirely ready for prime time anyway.