MySQL 5.5.28: sync with rawhide, rebuild for security, use with_systemd and with_dtrace macro instead of version test

1 files changed, 81 insertions, 0 deletions

diff --git a/mysql-cve-2012-5611.patch b/mysql-cve-2012-5611.patch
new file mode 100644
index 0000000..45f414b
--- /dev/null
+++ b/mysql-cve-2012-5611.patch
@@ -0,0 +1,81 @@
+Back-ported patch for CVE-2012-5611 --- see
+http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.17
+
+
+diff -Naur mysql-5.5.28.orig/mysql-test/r/information_schema.result mysql-5.5.28/mysql-test/r/information_schema.result
+--- mysql-5.5.28.orig/mysql-test/r/information_schema.result	2012-08-29 04:50:47.000000000 -0400
++++ mysql-5.5.28/mysql-test/r/information_schema.result	2012-12-05 10:33:56.906738492 -0500
+@@ -1712,6 +1712,10 @@
+ length(CAST(b AS CHAR))
+ 20
+ DROP TABLE ubig;
++grant usage on *.* to mysqltest_1@localhost;
++select 1 from information_schema.tables where table_schema=repeat('a', 2000);
++1
++drop user mysqltest_1@localhost;
+ End of 5.1 tests.
+ #
+ # Additional test for WL#3726 "DDL locking for all metadata objects"
+diff -Naur mysql-5.5.28.orig/mysql-test/t/information_schema.test mysql-5.5.28/mysql-test/t/information_schema.test
+--- mysql-5.5.28.orig/mysql-test/t/information_schema.test	2012-08-29 04:50:47.000000000 -0400
++++ mysql-5.5.28/mysql-test/t/information_schema.test	2012-12-05 10:33:56.908738590 -0500
+@@ -1444,6 +1444,13 @@
+ 
+ DROP TABLE ubig;
+ 
++grant usage on *.* to mysqltest_1@localhost;
++connect (con1, localhost, mysqltest_1,,);
++connection con1;
++select 1 from information_schema.tables where table_schema=repeat('a', 2000);
++connection default;
++disconnect con1;
++drop user mysqltest_1@localhost;
+ 
+ --echo End of 5.1 tests.
+ 
+diff -Naur mysql-5.5.28.orig/sql/sql_acl.cc mysql-5.5.28/sql/sql_acl.cc
+--- mysql-5.5.28.orig/sql/sql_acl.cc	2012-08-29 04:50:46.000000000 -0400
++++ mysql-5.5.28/sql/sql_acl.cc	2012-12-05 10:35:47.608766346 -0500
+@@ -1573,14 +1573,20 @@
+   acl_entry *entry;
+   DBUG_ENTER("acl_get");
+ 
+-  mysql_mutex_lock(&acl_cache->lock);
+-  end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
++  tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1;
++  end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db);
++
++  if (end >= key + sizeof(key)) // db name was truncated
++    DBUG_RETURN(0);             // no privileges for an invalid db name
++
+   if (lower_case_table_names)
+   {
+     my_casedn_str(files_charset_info, tmp_db);
+     db=tmp_db;
+   }
+   key_length= (size_t) (end-key);
++
++  mysql_mutex_lock(&acl_cache->lock);
+   if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key,
+                                                               key_length)))
+   {
+@@ -4902,11 +4908,17 @@
+ bool check_grant_db(THD *thd,const char *db)
+ {
+   Security_context *sctx= thd->security_ctx;
+-  char helping [NAME_LEN+USERNAME_LENGTH+2];
++  char helping [NAME_LEN+USERNAME_LENGTH+2], *end;
+   uint len;
+   bool error= TRUE;
+ 
+-  len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;
++  end= strmov(helping, sctx->priv_user) + 1;
++  end= strnmov(end, db, helping + sizeof(helping) - end);
++
++  if (end >= helping + sizeof(helping)) // db name was truncated
++    return 1;                           // no privileges for an invalid db name
++
++  len= (uint) (end - helping) + 1;
+ 
+   mysql_rwlock_rdlock(&LOCK_grant);
+