Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
mysql5
>
mysql-5.0.26
> mysql-5.0.26-CVE-2007-3782.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File mysql-5.0.26-CVE-2007-3782.patch of Package mysql-5.0.26
See http://bugs.mysql.com/bug.php?id=27878 http://lists.mysql.com/commits/26530 http://lists.mysql.com/commits/26540 --- mysql-test/r/grant.result | 19 +++++++++++++++++++ mysql-test/t/grant.test | 27 +++++++++++++++++++++++++++ sql/sql_prepare.cc | 5 +++-- sql/sql_update.cc | 5 +++-- 4 files changed, 52 insertions(+), 4 deletions(-) --- sql/sql_update.cc.orig +++ sql/sql_update.cc @@ -176,8 +176,9 @@ int mysql_update(THD *thd, table->quick_keys.clear_all(); #ifndef NO_EMBEDDED_ACCESS_CHECKS - /* TABLE_LIST contain right privilages request */ - want_privilege= table_list->grant.want_privilege; + /* Force privilege re-checking for views after they have been opened. */ + want_privilege= (table_list->view ? UPDATE_ACL : + table_list->grant.want_privilege); #endif if (mysql_prepare_update(thd, table_list, &conds, order_num, order)) DBUG_RETURN(1); --- mysql-test/r/grant.result.orig +++ mysql-test/r/grant.result @@ -970,4 +970,23 @@ REVOKE EXECUTE ON PROCEDURE p1 FROM 1234 ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16) REVOKE EXECUTE ON PROCEDURE t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY; ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60) +use test; +CREATE TABLE t1 (f1 int, f2 int); +INSERT INTO t1 VALUES(1,1), (2,2); +CREATE DATABASE db27878; +GRANT UPDATE(f1) ON t1 TO 'mysqltest_1'@'localhost'; +GRANT SELECT ON `test`.* TO 'mysqltest_1'@'localhost'; +GRANT ALL ON db27878.* TO 'mysqltest_1'@'localhost'; +use db27878; +CREATE SQL SECURITY INVOKER VIEW db27878.v1 AS SELECT * FROM test.t1; +use db27878; +UPDATE v1 SET f2 = 4; +ERROR HY000: View 'db27878.v1' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them +SELECT * FROM test.t1; +f1 f2 +1 1 +2 2 +DROP DATABASE db27878; +use test; +DROP TABLE t1; End of 5.0 tests --- mysql-test/t/grant.test.orig +++ mysql-test/t/grant.test @@ -413,6 +413,7 @@ connect (user1,localhost,mysqltest_1,,my connection user1; -- error 1142 alter table t1 rename t2; +disconnect user1; connection root; revoke all privileges on mysqltest.t1 from mysqltest_1@localhost; delete from mysql.user where user=_binary'mysqltest_1'; @@ -863,4 +864,30 @@ REVOKE EXECUTE ON PROCEDURE p1 FROM 1234 --error ER_WRONG_STRING_LENGTH REVOKE EXECUTE ON PROCEDURE t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY; + +# +# Bug#27878: Unchecked privileges on a view referring to a table from another +# database. +# +use test; +CREATE TABLE t1 (f1 int, f2 int); +INSERT INTO t1 VALUES(1,1), (2,2); +CREATE DATABASE db27878; +GRANT UPDATE(f1) ON t1 TO 'mysqltest_1'@'localhost'; +GRANT SELECT ON `test`.* TO 'mysqltest_1'@'localhost'; +GRANT ALL ON db27878.* TO 'mysqltest_1'@'localhost'; +use db27878; +CREATE SQL SECURITY INVOKER VIEW db27878.v1 AS SELECT * FROM test.t1; +connect (user1,localhost,mysqltest_1,,test); +connection user1; +use db27878; +--error 1356 +UPDATE v1 SET f2 = 4; +SELECT * FROM test.t1; +disconnect user1; +connection default; +DROP DATABASE db27878; +use test; +DROP TABLE t1; + --echo End of 5.0 tests --- sql/sql_prepare.cc.orig +++ sql/sql_prepare.cc @@ -1153,8 +1153,9 @@ static int mysql_test_update(Prepared_st goto error; #ifndef NO_EMBEDDED_ACCESS_CHECKS - /* TABLE_LIST contain right privilages request */ - want_privilege= table_list->grant.want_privilege; + /* Force privilege re-checking for views after they have been opened. */ + want_privilege= (table_list->view ? UPDATE_ACL : + table_list->grant.want_privilege); #endif if (mysql_prepare_update(thd, table_list, &select->where,