diff options
author | Remi Collet <fedora@famillecollet.com> | 2012-12-08 10:25:10 +0100 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2012-12-08 10:25:10 +0100 |
commit | 60c6254ac8ade7888e3b83208bea9097c1abf01f (patch) | |
tree | 6a86bd4f078094bc367560ac3d23e76e5e3df16f /mysql-cve-2012-5611.patch | |
parent | 8fb1a350b6487602b62de069911750421c01c6ef (diff) |
MySQL 5.5.28: sync with rawhide, rebuild for security, use with_systemd and with_dtrace macro instead of version test
Diffstat (limited to 'mysql-cve-2012-5611.patch')
-rw-r--r-- | mysql-cve-2012-5611.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/mysql-cve-2012-5611.patch b/mysql-cve-2012-5611.patch new file mode 100644 index 0000000..45f414b --- /dev/null +++ b/mysql-cve-2012-5611.patch @@ -0,0 +1,81 @@ +Back-ported patch for CVE-2012-5611 --- see +http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.17 + + +diff -Naur mysql-5.5.28.orig/mysql-test/r/information_schema.result mysql-5.5.28/mysql-test/r/information_schema.result +--- mysql-5.5.28.orig/mysql-test/r/information_schema.result 2012-08-29 04:50:47.000000000 -0400 ++++ mysql-5.5.28/mysql-test/r/information_schema.result 2012-12-05 10:33:56.906738492 -0500 +@@ -1712,6 +1712,10 @@ + length(CAST(b AS CHAR)) + 20 + DROP TABLE ubig; ++grant usage on *.* to mysqltest_1@localhost; ++select 1 from information_schema.tables where table_schema=repeat('a', 2000); ++1 ++drop user mysqltest_1@localhost; + End of 5.1 tests. + # + # Additional test for WL#3726 "DDL locking for all metadata objects" +diff -Naur mysql-5.5.28.orig/mysql-test/t/information_schema.test mysql-5.5.28/mysql-test/t/information_schema.test +--- mysql-5.5.28.orig/mysql-test/t/information_schema.test 2012-08-29 04:50:47.000000000 -0400 ++++ mysql-5.5.28/mysql-test/t/information_schema.test 2012-12-05 10:33:56.908738590 -0500 +@@ -1444,6 +1444,13 @@ + + DROP TABLE ubig; + ++grant usage on *.* to mysqltest_1@localhost; ++connect (con1, localhost, mysqltest_1,,); ++connection con1; ++select 1 from information_schema.tables where table_schema=repeat('a', 2000); ++connection default; ++disconnect con1; ++drop user mysqltest_1@localhost; + + --echo End of 5.1 tests. + +diff -Naur mysql-5.5.28.orig/sql/sql_acl.cc mysql-5.5.28/sql/sql_acl.cc +--- mysql-5.5.28.orig/sql/sql_acl.cc 2012-08-29 04:50:46.000000000 -0400 ++++ mysql-5.5.28/sql/sql_acl.cc 2012-12-05 10:35:47.608766346 -0500 +@@ -1573,14 +1573,20 @@ + acl_entry *entry; + DBUG_ENTER("acl_get"); + +- mysql_mutex_lock(&acl_cache->lock); +- end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db); ++ tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1; ++ end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db); ++ ++ if (end >= key + sizeof(key)) // db name was truncated ++ DBUG_RETURN(0); // no privileges for an invalid db name ++ + if (lower_case_table_names) + { + my_casedn_str(files_charset_info, tmp_db); + db=tmp_db; + } + key_length= (size_t) (end-key); ++ ++ mysql_mutex_lock(&acl_cache->lock); + if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key, + key_length))) + { +@@ -4902,11 +4908,17 @@ + bool check_grant_db(THD *thd,const char *db) + { + Security_context *sctx= thd->security_ctx; +- char helping [NAME_LEN+USERNAME_LENGTH+2]; ++ char helping [NAME_LEN+USERNAME_LENGTH+2], *end; + uint len; + bool error= TRUE; + +- len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1; ++ end= strmov(helping, sctx->priv_user) + 1; ++ end= strnmov(end, db, helping + sizeof(helping) - end); ++ ++ if (end >= helping + sizeof(helping)) // db name was truncated ++ return 1; // no privileges for an invalid db name ++ ++ len= (uint) (end - helping) + 1; + + mysql_rwlock_rdlock(&LOCK_grant); + |