rpms/mysql/devel mysql-innodb-crash.patch, NONE, 1.1 mysql-rename-bug.patch, NONE, 1.1 mysql-view-bug.patch, NONE, 1.1 mysql.spec, 1.97, 1.98
Tom Lane (tgl)
fedora-extras-commits at redhat.com
Fri Dec 14 03:39:28 UTC 2007
- Previous message: rpms/parted/devel parted-1.8.6-label-types.patch, NONE, 1.1 parted.spec, 1.114, 1.115
- Next message: rpms/mysql/F-8 mysql-innodb-crash.patch, NONE, 1.1 mysql-rename-bug.patch, NONE, 1.1 mysql-view-bug.patch, NONE, 1.1 mysql.spec, 1.96, 1.97
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tgl
Update of /cvs/pkgs/rpms/mysql/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2615
Modified Files:
mysql.spec
Added Files:
mysql-innodb-crash.patch mysql-rename-bug.patch
mysql-view-bug.patch
Log Message:
Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303.
mysql-innodb-crash.patch:
--- NEW FILE mysql-innodb-crash.patch ---
Back-port upstream fix for CVE-2007-5925.
diff -Naur mysql-5.0.45.orig/innobase/include/db0err.h mysql-5.0.45/innobase/include/db0err.h
--- mysql-5.0.45.orig/innobase/include/db0err.h 2007-07-04 09:06:59.000000000 -0400
+++ mysql-5.0.45/innobase/include/db0err.h 2007-12-13 12:44:05.000000000 -0500
@@ -57,6 +57,18 @@
buffer pool (for big transactions,
InnoDB stores the lock structs in the
buffer pool) */
+#define DB_FOREIGN_DUPLICATE_KEY 46 /* foreign key constraints
+ activated by the operation would
+ lead to a duplicate key in some
+ table */
+#define DB_TOO_MANY_CONCURRENT_TRXS 47 /* when InnoDB runs out of the
+ preconfigured undo slots, this can
+ only happen when there are too many
+ concurrent transactions */
+#define DB_UNSUPPORTED 48 /* when InnoDB sees any artefact or
+ a feature that it can't recoginize or
+ work with e.g., FT indexes created by
+ a later version of the engine. */
/* The following are partial failure codes */
#define DB_FAIL 1000
diff -Naur mysql-5.0.45.orig/innobase/include/page0cur.h mysql-5.0.45/innobase/include/page0cur.h
--- mysql-5.0.45.orig/innobase/include/page0cur.h 2007-07-04 09:06:10.000000000 -0400
+++ mysql-5.0.45/innobase/include/page0cur.h 2007-12-13 12:44:05.000000000 -0500
@@ -22,6 +22,7 @@
/* Page cursor search modes; the values must be in this order! */
+#define PAGE_CUR_UNSUPP 0
#define PAGE_CUR_G 1
#define PAGE_CUR_GE 2
#define PAGE_CUR_L 3
diff -Naur mysql-5.0.45.orig/sql/ha_innodb.cc mysql-5.0.45/sql/ha_innodb.cc
--- mysql-5.0.45.orig/sql/ha_innodb.cc 2007-07-04 09:06:48.000000000 -0400
+++ mysql-5.0.45/sql/ha_innodb.cc 2007-12-13 12:44:05.000000000 -0500
@@ -526,6 +526,9 @@
}
return(HA_ERR_LOCK_TABLE_FULL);
+ } else if (error == DB_UNSUPPORTED) {
+
+ return(HA_ERR_UNSUPPORTED);
} else {
return(-1); // Unknown error
}
@@ -3689,11 +3692,21 @@
and comparison of non-latin1 char type fields in
innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to
work correctly. */
-
- default: assert(0);
+ case HA_READ_MBR_CONTAIN:
+ case HA_READ_MBR_INTERSECT:
+ case HA_READ_MBR_WITHIN:
+ case HA_READ_MBR_DISJOINT:
+ my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0));
+ return(PAGE_CUR_UNSUPP);
+ /* do not use "default:" in order to produce a gcc warning:
+ enumeration value '...' not handled in switch
+ (if -Wswitch or -Wall is used)
+ */
}
- return(0);
+ my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality");
+
+ return(PAGE_CUR_UNSUPP);
}
/*
@@ -3831,11 +3844,18 @@
last_match_mode = (uint) match_mode;
- innodb_srv_conc_enter_innodb(prebuilt->trx);
+ if (mode != PAGE_CUR_UNSUPP) {
- ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0);
+ innodb_srv_conc_enter_innodb(prebuilt->trx);
- innodb_srv_conc_exit_innodb(prebuilt->trx);
+ ret = row_search_for_mysql((byte*) buf, mode, prebuilt,
+ match_mode, 0);
+
+ innodb_srv_conc_exit_innodb(prebuilt->trx);
+ } else {
+
+ ret = DB_UNSUPPORTED;
+ }
if (ret == DB_SUCCESS) {
error = 0;
@@ -5150,8 +5170,16 @@
mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag :
HA_READ_KEY_EXACT);
- n_rows = btr_estimate_n_rows_in_range(index, range_start,
- mode1, range_end, mode2);
+ if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) {
+
+ n_rows = btr_estimate_n_rows_in_range(index, range_start,
+ mode1, range_end,
+ mode2);
+ } else {
+
+ n_rows = 0;
+ }
+
dtuple_free_for_mysql(heap1);
dtuple_free_for_mysql(heap2);
mysql-rename-bug.patch:
--- NEW FILE mysql-rename-bug.patch ---
Back-port upstream fix for CVE-2007-5969.
diff -Naur mysql-5.0.45.orig/mysql-test/r/symlink.result mysql-5.0.45/mysql-test/r/symlink.result
--- mysql-5.0.45.orig/mysql-test/r/symlink.result 2007-07-04 09:49:09.000000000 -0400
+++ mysql-5.0.45/mysql-test/r/symlink.result 2007-12-13 12:28:59.000000000 -0500
@@ -99,6 +99,12 @@
`b` int(11) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1
drop table t1;
+CREATE TABLE t1(a INT)
+DATA DIRECTORY='TEST_DIR/master-data/mysql'
+INDEX DIRECTORY='TEST_DIR/master-data/mysql';
+RENAME TABLE t1 TO user;
+ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
+DROP TABLE t1;
show create table t1;
Table Create Table
t1 CREATE TABLE `t1` (
diff -Naur mysql-5.0.45.orig/mysql-test/t/symlink.test mysql-5.0.45/mysql-test/t/symlink.test
--- mysql-5.0.45.orig/mysql-test/t/symlink.test 2007-07-04 09:49:09.000000000 -0400
+++ mysql-5.0.45/mysql-test/t/symlink.test 2007-12-13 12:28:59.000000000 -0500
@@ -125,6 +125,18 @@
drop table t1;
#
+# BUG#32111 <http://bugs.mysql.com/32111> - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
+#
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+eval CREATE TABLE t1(a INT)
+DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
+INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+--error 1
+RENAME TABLE t1 TO user;
+DROP TABLE t1;
+
+#
# Test specifying DATA DIRECTORY that is the same as what would normally
# have been chosen. (Bug #8707)
#
diff -Naur mysql-5.0.45.orig/mysys/my_symlink2.c mysql-5.0.45/mysys/my_symlink2.c
--- mysql-5.0.45.orig/mysys/my_symlink2.c 2007-07-04 09:06:25.000000000 -0400
+++ mysql-5.0.45/mysys/my_symlink2.c 2007-12-13 12:28:59.000000000 -0500
@@ -124,6 +124,7 @@
int was_symlink= (!my_disable_symlinks &&
!my_readlink(link_name, from, MYF(0)));
int result=0;
+ int name_is_different;
DBUG_ENTER("my_rename_with_symlink");
if (!was_symlink)
@@ -132,6 +133,14 @@
/* Change filename that symlink pointed to */
strmov(tmp_name, to);
fn_same(tmp_name,link_name,1); /* Copy dir */
+ name_is_different= strcmp(link_name, tmp_name);
+ if (name_is_different && !access(tmp_name, F_OK))
+ {
+ my_errno= EEXIST;
+ if (MyFlags & MY_WME)
+ my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
+ DBUG_RETURN(1);
+ }
/* Create new symlink */
if (my_symlink(tmp_name, to, MyFlags))
@@ -143,7 +152,7 @@
the same basename and different directories.
*/
- if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
+ if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
{
int save_errno=my_errno;
my_delete(to, MyFlags); /* Remove created symlink */
mysql-view-bug.patch:
--- NEW FILE mysql-view-bug.patch ---
Back-port upstream fix for CVE-2007-6303.
diff -Naur mysql-5.0.45.orig/mysql-test/r/view_grant.result mysql-5.0.45/mysql-test/r/view_grant.result
--- mysql-5.0.45.orig/mysql-test/r/view_grant.result 2007-07-04 09:49:09.000000000 -0400
+++ mysql-5.0.45/mysql-test/r/view_grant.result 2007-12-13 14:20:02.000000000 -0500
@@ -776,15 +776,60 @@
GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813 at localhost;
GRANT SELECT ON db26813.t1 TO u26813 at localhost;
ALTER VIEW v1 AS SELECT f2 FROM t1;
-ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1'
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
ALTER VIEW v2 AS SELECT f2 FROM t1;
-ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2'
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
ALTER VIEW v3 AS SELECT f2 FROM t1;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
SHOW CREATE VIEW v3;
View Create View
-v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1`
+v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1`
DROP USER u26813 at localhost;
DROP DATABASE db26813;
+#
+# Bug#29908: A user can gain additional access through the ALTER VIEW.
+#
+CREATE DATABASE mysqltest_29908;
+USE mysqltest_29908;
+CREATE TABLE t1(f1 INT, f2 INT);
+CREATE USER u29908_1 at localhost;
+CREATE DEFINER = u29908_1 at localhost VIEW v1 AS SELECT f1 FROM t1;
+CREATE DEFINER = u29908_1 at localhost SQL SECURITY INVOKER VIEW v2 AS
+SELECT f1 FROM t1;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1 at localhost;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1 at localhost;
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_1 at localhost;
+CREATE USER u29908_2 at localhost;
+GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2 at localhost;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2 at localhost;
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_2 at localhost;
+ALTER VIEW v1 AS SELECT f2 FROM t1;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ALTER VIEW v2 AS SELECT f2 FROM t1;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+SHOW CREATE VIEW v2;
+View Create View
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
+ALTER VIEW v1 AS SELECT f2 FROM t1;
+SHOW CREATE VIEW v1;
+View Create View
+v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1`
+ALTER VIEW v2 AS SELECT f2 FROM t1;
+SHOW CREATE VIEW v2;
+View Create View
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
+ALTER VIEW v1 AS SELECT f1 FROM t1;
+SHOW CREATE VIEW v1;
+View Create View
+v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1`
+ALTER VIEW v2 AS SELECT f1 FROM t1;
+SHOW CREATE VIEW v2;
+View Create View
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
+DROP USER u29908_1 at localhost;
+DROP USER u29908_2 at localhost;
+DROP DATABASE mysqltest_29908;
+#######################################################################
DROP DATABASE IF EXISTS mysqltest1;
DROP DATABASE IF EXISTS mysqltest2;
CREATE DATABASE mysqltest1;
diff -Naur mysql-5.0.45.orig/mysql-test/t/view_grant.test mysql-5.0.45/mysql-test/t/view_grant.test
--- mysql-5.0.45.orig/mysql-test/t/view_grant.test 2007-07-04 09:49:09.000000000 -0400
+++ mysql-5.0.45/mysql-test/t/view_grant.test 2007-12-13 14:19:43.000000000 -0500
@@ -1034,10 +1034,11 @@
connect (u1,localhost,u26813,,db26813);
connection u1;
---error 1142
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v1 AS SELECT f2 FROM t1;
---error 1142
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v2 AS SELECT f2 FROM t1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v3 AS SELECT f2 FROM t1;
connection root;
@@ -1047,6 +1048,51 @@
DROP DATABASE db26813;
disconnect u1;
+--echo #
+--echo # Bug#29908: A user can gain additional access through the ALTER VIEW.
+--echo #
+connection root;
+CREATE DATABASE mysqltest_29908;
+USE mysqltest_29908;
+CREATE TABLE t1(f1 INT, f2 INT);
+CREATE USER u29908_1 at localhost;
+CREATE DEFINER = u29908_1 at localhost VIEW v1 AS SELECT f1 FROM t1;
+CREATE DEFINER = u29908_1 at localhost SQL SECURITY INVOKER VIEW v2 AS
+ SELECT f1 FROM t1;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1 at localhost;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1 at localhost;
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_1 at localhost;
+CREATE USER u29908_2 at localhost;
+GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2 at localhost;
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2 at localhost;
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_2 at localhost;
+
+connect (u2,localhost,u29908_2,,mysqltest_29908);
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ALTER VIEW v1 AS SELECT f2 FROM t1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ALTER VIEW v2 AS SELECT f2 FROM t1;
+SHOW CREATE VIEW v2;
+
+connect (u1,localhost,u29908_1,,mysqltest_29908);
+ALTER VIEW v1 AS SELECT f2 FROM t1;
+SHOW CREATE VIEW v1;
+ALTER VIEW v2 AS SELECT f2 FROM t1;
+SHOW CREATE VIEW v2;
+
+connection root;
+ALTER VIEW v1 AS SELECT f1 FROM t1;
+SHOW CREATE VIEW v1;
+ALTER VIEW v2 AS SELECT f1 FROM t1;
+SHOW CREATE VIEW v2;
+
+DROP USER u29908_1 at localhost;
+DROP USER u29908_2 at localhost;
+DROP DATABASE mysqltest_29908;
+disconnect u1;
+disconnect u2;
+--echo #######################################################################
+
#
# BUG#24040: Create View don't succed with "all privileges" on a database.
#
diff -Naur mysql-5.0.45.orig/sql/sql_view.cc mysql-5.0.45/sql/sql_view.cc
--- mysql-5.0.45.orig/sql/sql_view.cc 2007-07-04 09:06:03.000000000 -0400
+++ mysql-5.0.45/sql/sql_view.cc 2007-12-13 13:30:29.000000000 -0500
@@ -224,9 +224,6 @@
{
LEX *lex= thd->lex;
bool link_to_local;
-#ifndef NO_EMBEDDED_ACCESS_CHECKS
- bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
-#endif
/* first table in list is target VIEW name => cut off it */
TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
TABLE_LIST *tables= lex->query_tables;
@@ -281,7 +278,7 @@
- same as current user
- current user has SUPER_ACL
*/
- if (definer_check_is_needed &&
+ if (lex->definer &&
(strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
my_strcasecmp(system_charset_info,
lex->definer->host.str,
Index: mysql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mysql/devel/mysql.spec,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- mysql.spec 5 Dec 2007 14:27:10 -0000 1.97
+++ mysql.spec 14 Dec 2007 03:38:55 -0000 1.98
@@ -1,6 +1,6 @@
Name: mysql
Version: 5.0.45
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: MySQL client programs and shared libraries
Group: Applications/Databases
URL: http://www.mysql.com
@@ -28,6 +28,9 @@
Patch8: mysql-install-test.patch
Patch9: mysql-bdb-link.patch
Patch10: mysql-bdb-open.patch
+Patch11: mysql-innodb-crash.patch
+Patch12: mysql-rename-bug.patch
+Patch13: mysql-view-bug.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gperf, perl, readline-devel, openssl-devel
@@ -133,6 +136,9 @@
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
libtoolize --force
aclocal
@@ -474,6 +480,10 @@
%{_mandir}/man1/mysql_client_test.1*
%changelog
+* Thu Dec 13 2007 Tom Lane <tgl at redhat.com> 5.0.45-6
+- Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303.
+Related: #422211
+
* Wed Dec 5 2007 Tom Lane <tgl at redhat.com> 5.0.45-5
- Rebuild for new openssl
- Previous message: rpms/parted/devel parted-1.8.6-label-types.patch, NONE, 1.1 parted.spec, 1.114, 1.115
- Next message: rpms/mysql/F-8 mysql-innodb-crash.patch, NONE, 1.1 mysql-rename-bug.patch, NONE, 1.1 mysql-view-bug.patch, NONE, 1.1 mysql.spec, 1.96, 1.97
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list