rpms/mysql/F-11 mysql-cve-2008-7247.patch, NONE, 1.1 my.cnf, 1.5, 1.6 mysql.spec, 1.127, 1.128

Tom Lane tgl at fedoraproject.org
Thu Jan 28 20:40:50 UTC 2010


Author: tgl

Update of /cvs/pkgs/rpms/mysql/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27091

Modified Files:
	my.cnf mysql.spec 
Added Files:
	mysql-cve-2008-7247.patch 
Log Message:
Add backported patch for CVE-2008-7247 (upstream bug 39277); sync with devel branch

mysql-cve-2008-7247.patch:
 sql_table.cc |   44 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 8 deletions(-)

--- NEW FILE mysql-cve-2008-7247.patch ---
Back-ported patch for upstream bug #39277.


diff -Naur mysql-5.1.42.orig/sql/sql_table.cc mysql-5.1.42/sql/sql_table.cc
--- mysql-5.1.42.orig/sql/sql_table.cc	2009-12-16 12:57:30.000000000 -0500
+++ mysql-5.1.42/sql/sql_table.cc	2010-01-28 14:33:52.000000000 -0500
@@ -3892,15 +3892,43 @@
   create_info->table_existed= 0;		// Mark that table is created
 
 #ifdef HAVE_READLINK
-  if (test_if_data_home_dir(create_info->data_file_name))
   {
-    my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
-    goto unlock_and_end;
-  }
-  if (test_if_data_home_dir(create_info->index_file_name))
-  {
-    my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
-    goto unlock_and_end;
+    size_t dirlen;
+    char   dirpath[FN_REFLEN];
+
+    /*
+      data_file_name and index_file_name include the table name without
+      extension. Mostly this does not refer to an existing file. When
+      comparing data_file_name or index_file_name against the data
+      directory, we try to resolve all symbolic links. On some systems,
+      we use realpath(3) for the resolution. This returns ENOENT if the
+      resolved path does not refer to an existing file. my_realpath()
+      does then copy the requested path verbatim, without symlink
+      resolution. Thereafter the comparison can fail even if the
+      requested path is within the data directory. E.g. if symlinks to
+      another file system are used. To make realpath(3) return the
+      resolved path, we strip the table name and compare the directory
+      path only. If the directory doesn't exist either, table creation
+      will fail anyway.
+    */
+    if (create_info->data_file_name)
+    {
+      dirname_part(dirpath, create_info->data_file_name, &dirlen);
+      if (test_if_data_home_dir(dirpath))
+      {
+        my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
+        goto unlock_and_end;
+      }
+    }
+    if (create_info->index_file_name)
+    {
+      dirname_part(dirpath, create_info->index_file_name, &dirlen);
+      if (test_if_data_home_dir(dirpath))
+      {
+        my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
+        goto unlock_and_end;
+      }
+    }
   }
 
 #ifdef WITH_PARTITION_STORAGE_ENGINE
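Review bot: The new check resolves and compares only the parent directory at this point in the function, so it is a point-in-time test. The block comment's closing assumption ("If the directory doesn't exist either, table creation will fail anyway") holds only if nothing creates or re-points that directory between this check and the actual file creation, which happens outside the hunk. I would state that limit in the comment, e.g. `Point-in-time check only; running with symbolic-links=0 is the stronger protection.`, since the same commit already recommends that setting in my.cnf. Separately, `dirlen` is filled in by `dirname_part()` but never read in the visible lines; `// required by dirname_part(), unused here` on its declaration would save a reader the search. The enclosing function starts and ends outside the hunk.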


Index: my.cnf
===================================================================
RCS file: /cvs/pkgs/rpms/mysql/F-11/my.cnf,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- my.cnf	27 Jul 2008 17:54:30 -0000	1.5
+++ my.cnf	28 Jan 2010 20:40:50 -0000	1.6
@@ -6,6 +6,10 @@ user=mysql
 # clients (those using the mysqlclient10 compatibility package).
 old_passwords=1
 
+# Disabling symbolic-links is recommended to prevent assorted security risks;
+# to do so, uncomment this line:
+# symbolic-links=0
+
 # To allow mysqld to connect to a MySQL Cluster management daemon, uncomment
 # these lines and adjust the connectstring as needed.
 #ndbcluster
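Review bot: The added comment recommends `symbolic-links=0` but ships it commented out, so a default install keeps symlink support enabled, and "assorted security risks" gives an administrator no way to judge whether the setting matters to them. To my knowledge, disabling it makes the server ignore `DATA DIRECTORY` / `INDEX DIRECTORY` for MyISAM tables, which is the trade-off worth naming. I would extend the comment along the lines of `# (tables relying on DATA DIRECTORY / INDEX DIRECTORY symlinks will be affected; see CVE-2008-7247)`.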


Index: mysql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mysql/F-11/mysql.spec,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -p -r1.127 -r1.128
--- mysql.spec	2 Jan 2010 20:29:11 -0000	1.127
+++ mysql.spec	28 Jan 2010 20:40:50 -0000	1.128
@@ -1,6 +1,6 @@
 Name: mysql
 Version: 5.1.42
-Release: 2%{?dist}
+Release: 7%{?dist}
 Summary: MySQL client programs and shared libraries
 Group: Applications/Databases
 URL: http://www.mysql.com
@@ -9,9 +9,12 @@ URL: http://www.mysql.com
 License: GPLv2 with exceptions
 
 # Regression tests take a long time, you can skip 'em with this
-%{!?runselftest:%define runselftest 1}
+%{!?runselftest:%global runselftest 1}
 
-Source0: http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-%{version}.tar.gz
+# Upstream has a mirror redirector for downloads, so the URL is hard to
+# represent statically.  You can get the tarball by following a link from
+# http://dev.mysql.com/downloads/mysql/
+Source0: mysql-%{version}.tar.gz
 Source1: mysql.init
 Source3: my.cnf
 Source4: scriptstub.c
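Review bot: With the URL dropped from `Source0:`, the spec no longer identifies a fetchable artifact, and the replacement comment points only at a download landing page. Nothing visible here tells a rebuilder how to confirm that the tarball they obtained is the intended one. If the tarball's checksum is tracked elsewhere in the package repository (not shown on this page), the comment should say so, e.g. `# Verify the tarball against the checksum recorded in <package checksum file>.`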
@@ -34,6 +37,7 @@ Patch8: mysql-setschedparam.patch
 Patch9: mysql-ndb-stacksize.patch
 Patch10: mysql-strmov.patch
 Patch11: mysql-signal-align.patch
+Patch12: mysql-cve-2008-7247.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: gperf, perl, readline-devel, openssl-devel
@@ -51,7 +55,7 @@ Conflicts: MySQL
 Obsoletes: mysql-client mysql-perl
 
 # Working around perl dependency checking bug in rpm FTTB. Remove later.
-%define __perl_requires %{SOURCE999}
+%global __perl_requires %{SOURCE999}
 
 %description
 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
@@ -178,6 +182,7 @@ the MySQL sources.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 libtoolize --force
 aclocal
@@ -186,6 +191,17 @@ autoconf
 autoheader
 
 %build
+
+# fail quickly and obviously if user tries to build as root
+%if %runselftest
+	if [ x"`id -u`" = x0 ]; then
+		echo "mysql's regression tests fail if run as root."
+		echo "If you really need to build the RPM as root, use"
+		echo "--define='runselftest 0' to skip the regression tests."
+		exit 1
+	fi
+%endif
+
 CFLAGS="%{optflags} -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
 # MySQL 4.1.10 definitely doesn't work under strict aliasing; also,
 # gcc 4.1 breaks MySQL 5.0.16 without -fwrapv
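Review bot: The three `echo` lines in the root check write to stdout, so the explanation can be lost among ordinary build output while only the `exit 1` is noticed. Sending them to stderr, e.g. `echo "mysql's regression tests fail if run as root." >&2`, keeps the reason next to the failure. The check also runs only under `%if %runselftest`, so a root build with the tests disabled proceeds without any message; that looks intended from the text, but the comment does not say it. Adding `# only enforced when the regression tests are enabled` would make it explicit.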
@@ -652,6 +668,16 @@ fi
 %{_mandir}/man1/mysql_client_test.1*
 
 %changelog
+* Thu Jan 28 2010 Tom Lane <tgl at redhat.com> 5.1.42-7
+- Add backported patch for CVE-2008-7247 (upstream bug 39277)
+Related: #543619
+- Emit explicit error message if user tries to build RPM as root
+Related: #558915
+- Correct Source0: tag and comment to reflect how to get the tarball
+- Add comment suggesting disabling symbolic links in /etc/my.cnf
+Related: #553652
+- Change %%define to %%global, per packaging guidelines
+
 * Sat Jan  2 2010 Tom Lane <tgl at redhat.com> 5.1.42-2
 - Disable building the innodb plugin; it tickles assorted gcc bugs and
   doesn't seem entirely ready for prime time anyway.


