From 60c6254ac8ade7888e3b83208bea9097c1abf01f Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 8 Dec 2012 10:25:10 +0100 Subject: MySQL 5.5.28: sync with rawhide, rebuild for security, use with_systemd and with_dtrace macro instead of version test --- mysql-cve-2012-5611.patch | 81 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 mysql-cve-2012-5611.patch (limited to 'mysql-cve-2012-5611.patch') diff --git a/mysql-cve-2012-5611.patch b/mysql-cve-2012-5611.patch new file mode 100644 index 0000000..45f414b --- /dev/null +++ b/mysql-cve-2012-5611.patch @@ -0,0 +1,81 @@ +Back-ported patch for CVE-2012-5611 --- see +http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.17 + + +diff -Naur mysql-5.5.28.orig/mysql-test/r/information_schema.result mysql-5.5.28/mysql-test/r/information_schema.result +--- mysql-5.5.28.orig/mysql-test/r/information_schema.result 2012-08-29 04:50:47.000000000 -0400 ++++ mysql-5.5.28/mysql-test/r/information_schema.result 2012-12-05 10:33:56.906738492 -0500 +@@ -1712,6 +1712,10 @@ + length(CAST(b AS CHAR)) + 20 + DROP TABLE ubig; ++grant usage on *.* to mysqltest_1@localhost; ++select 1 from information_schema.tables where table_schema=repeat('a', 2000); ++1 ++drop user mysqltest_1@localhost; + End of 5.1 tests. + # + # Additional test for WL#3726 "DDL locking for all metadata objects" +diff -Naur mysql-5.5.28.orig/mysql-test/t/information_schema.test mysql-5.5.28/mysql-test/t/information_schema.test +--- mysql-5.5.28.orig/mysql-test/t/information_schema.test 2012-08-29 04:50:47.000000000 -0400 ++++ mysql-5.5.28/mysql-test/t/information_schema.test 2012-12-05 10:33:56.908738590 -0500 +@@ -1444,6 +1444,13 @@ + + DROP TABLE ubig; + ++grant usage on *.* to mysqltest_1@localhost; ++connect (con1, localhost, mysqltest_1,,); ++connection con1; ++select 1 from information_schema.tables where table_schema=repeat('a', 2000); ++connection default; ++disconnect con1; ++drop user mysqltest_1@localhost; + + --echo End of 5.1 tests. + +diff -Naur mysql-5.5.28.orig/sql/sql_acl.cc mysql-5.5.28/sql/sql_acl.cc +--- mysql-5.5.28.orig/sql/sql_acl.cc 2012-08-29 04:50:46.000000000 -0400 ++++ mysql-5.5.28/sql/sql_acl.cc 2012-12-05 10:35:47.608766346 -0500 +@@ -1573,14 +1573,20 @@ + acl_entry *entry; + DBUG_ENTER("acl_get"); + +- mysql_mutex_lock(&acl_cache->lock); +- end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db); ++ tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1; ++ end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db); ++ ++ if (end >= key + sizeof(key)) // db name was truncated ++ DBUG_RETURN(0); // no privileges for an invalid db name ++ + if (lower_case_table_names) + { + my_casedn_str(files_charset_info, tmp_db); + db=tmp_db; + } + key_length= (size_t) (end-key); ++ ++ mysql_mutex_lock(&acl_cache->lock); + if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key, + key_length))) + { +@@ -4902,11 +4908,17 @@ + bool check_grant_db(THD *thd,const char *db) + { + Security_context *sctx= thd->security_ctx; +- char helping [NAME_LEN+USERNAME_LENGTH+2]; ++ char helping [NAME_LEN+USERNAME_LENGTH+2], *end; + uint len; + bool error= TRUE; + +- len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1; ++ end= strmov(helping, sctx->priv_user) + 1; ++ end= strnmov(end, db, helping + sizeof(helping) - end); ++ ++ if (end >= helping + sizeof(helping)) // db name was truncated ++ return 1; // no privileges for an invalid db name ++ ++ len= (uint) (end - helping) + 1; + + mysql_rwlock_rdlock(&LOCK_grant); + -- cgit