File mysql-5.0.26-CVE-2008-2079.patch of Package mysql-5.0.26
From: http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d674xBscPm_ztIMnZI3dj2r7IQ http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d8f2Z15kczRJRewvyFNHM6lheA http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7e6a0CyEvUOiqbdlN1JWAu7pcsA http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c80109fGl7Wudvu2CM0pXMSbzYNg http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47cbdacaZc2nF4NS9WyTkT_6nTPp_Q --- mysql-test/r/symlink.result | 35 +++++++++++++++++++------ mysql-test/t/symlink.test | 49 +++++++++++++++++++++++++++++------ sql/mysql_priv.h | 1 sql/mysqld.cc | 4 ++ sql/sql_parse.cc | 60 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 131 insertions(+), 18 deletions(-) --- mysql-test/r/symlink.result.orig +++ mysql-test/r/symlink.result 
@@ -100,20 +100,37 @@ t1 CREATE TABLE `t1` ( ) ENGINE=MyISAM DEFAULT CHARSET=latin1 drop table t1; CREATE TABLE t1(a INT) -DATA DIRECTORY='TEST_DIR/master-data/mysql' -INDEX DIRECTORY='TEST_DIR/master-data/mysql'; -RENAME TABLE t1 TO user; -ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17) -DROP TABLE t1; +DATA DIRECTORY='TEST_DIR/tmp' +INDEX DIRECTORY='TEST_DIR/tmp'; +ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17) +CREATE TABLE t2(a INT) +DATA DIRECTORY='TEST_DIR/tmp' +INDEX DIRECTORY='TEST_DIR/tmp'; +RENAME TABLE t2 TO t1; +ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17) +DROP TABLE t2; show create table t1; Table Create Table t1 CREATE TABLE `t1` ( - `i` int(11) default NULL -) ENGINE=MyISAM DEFAULT CHARSET=latin1 + `c` char(10) default NULL +) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/' drop table t1; show create table t1; Table Create Table t1 CREATE TABLE `t1` ( - `i` int(11) default NULL -) ENGINE=MyISAM DEFAULT CHARSET=latin1 + `c` char(10) default NULL +) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/' drop table t1; +CREATE TABLE t1(a INT) +DATA DIRECTORY='TEST_DIR/var/master-data/test'; +Got one of the listed errors +CREATE TABLE t1(a INT) +DATA DIRECTORY='TEST_DIR/var/master-data/'; +Got one of the listed errors +CREATE TABLE t1(a INT) +INDEX DIRECTORY='TEST_DIR/var/master-data'; +Got one of the listed errors +CREATE TABLE t1(a INT) +INDEX DIRECTORY='TEST_DIR/var/master-data_var'; +Got one of the listed errors +End of 4.1 tests --- mysql-test/t/symlink.test.orig +++ mysql-test/t/symlink.test 
@@ -127,28 +127,59 @@ drop table t1; # # BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE # +--exec touch $MYSQLTEST_VARDIR/tmp/t1.MYI --replace_result $MYSQLTEST_VARDIR TEST_DIR +--error 1 eval CREATE TABLE t1(a INT) -DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql' -INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'; +DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp' +INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp'; +--replace_result $MYSQLTEST_VARDIR TEST_DIR +eval CREATE TABLE t2(a INT) +DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp' +INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp'; --replace_result $MYSQLTEST_VARDIR TEST_DIR --error 1 -RENAME TABLE t1 TO user; -DROP TABLE t1; +RENAME TABLE t2 TO t1; +DROP TABLE t2; +--remove_file $MYSQLTEST_VARDIR/tmp/t1.MYI # -# Test specifying DATA DIRECTORY that is the same as what would normally -# have been chosen. (Bug #8707) +# CREATE TABLE with DATA DIRECTORY option # +# Protect ourselves from data left in tmp/ by a previos possibly failed +# test +--system rm -f $MYSQLTEST_VARDIR/tmp/t1.* disable_query_log; -eval create table t1 (i int) data directory = "$MYSQLTEST_VARDIR/master-data/test/"; +eval create table t1 (c char(10)) data directory='$MYSQLTEST_VARDIR/tmp'; enable_query_log; +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR show create table t1; drop table t1; disable_query_log; -eval create table t1 (i int) index directory = "$MYSQLTEST_VARDIR/master-data/test/"; +eval create table t1 (c char(10)) data directory='$MYSQLTEST_VARDIR/tmp'; enable_query_log; +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR show create table t1; drop table t1; -# End of 4.1 tests +# +# Bug#32167 another privilege bypass with DATA/INDEX DIRECORY +# +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/test'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/'; 
+--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data_var'; + +--echo End of 4.1 tests --- sql/mysql_priv.h.orig +++ sql/mysql_priv.h @@ -1170,6 +1170,7 @@ void my_dbopt_free(void); extern time_t start_time; extern char *mysql_data_home,server_version[SERVER_VERSION_LENGTH], mysql_real_data_home[], *opt_mysql_tmpdir, mysql_charsets_dir[], + mysql_unpacked_real_data_home[], def_ft_boolean_syntax[sizeof(ft_boolean_syntax)]; #define mysql_tmpdir (my_tmpdir(&mysql_tmpdir_list)) extern MY_TMPDIR mysql_tmpdir_list; --- sql/mysqld.cc.orig +++ sql/mysqld.cc @@ -435,6 +435,7 @@ char log_error_file[FN_REFLEN], glob_hos char mysql_real_data_home[FN_REFLEN], language[FN_REFLEN], reg_ext[FN_EXTLEN], mysql_charsets_dir[FN_REFLEN], *opt_init_file, *opt_tc_log_file, + mysql_unpacked_real_data_home[FN_REFLEN], def_ft_boolean_syntax[sizeof(ft_boolean_syntax)]; const key_map key_map_empty(0); @@ -7311,6 +7312,9 @@ static void fix_paths(void) pos[1]= 0; } convert_dirname(mysql_real_data_home,mysql_real_data_home,NullS); + (void) fn_format(buff, mysql_real_data_home, "", "", + (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS)); + (void) unpack_dirname(mysql_unpacked_real_data_home, buff); convert_dirname(language,language,NullS); (void) my_load_path(mysql_home,mysql_home,""); // Resolve current dir (void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home); --- sql/sql_parse.cc.orig +++ sql/sql_parse.cc @@ -77,6 +77,7 @@ static void remove_escape(char *name); static bool append_file_to_dir(THD *thd, const char **filename_ptr, const char *table_name); static bool check_show_create_table_access(THD *thd, TABLE_LIST *table); +static bool test_if_data_home_dir(const char *dir); const char *any_db="*any*"; // Special symbol for check_access 
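Review bot: The four Bug#32167 cases at the end of this hunk use `--error 1,1210`, so each one passes on the generic error 1 as well as on 1210, and a statement that fails for an unrelated reason still satisfies the test. The `master-data_var` case in particular may be failing only because that directory does not exist, which is not visible from here. Where the new data-home check is the behaviour under test, pin the expectation with `--error 1210` alone. Every path in these cases is spelled literally under `var/master-data`, so nothing covers a directory argument that reaches the data home only after symlink resolution; a regression case for that belongs in this block as well.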
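Review bot: In `fix_paths()` the canonical data-home string is derived from `mysql_real_data_home` two statements before `my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home)` runs, so if the configured data directory is still relative at that point the resolved value depends on the process working directory rather than on `mysql_home`. Both added calls are cast to `(void)`, so when resolution fails `mysql_unpacked_real_data_home` silently holds whatever `unpack_dirname()` makes of `buff`, and the prefix comparison added in sql_parse.cc then checks against the wrong string with no diagnostic. Consider moving the two added calls below the `my_load_path()` lines and logging a warning when the path cannot be resolved. The function starts and ends outside the hunk, so the working directory in effect here cannot be confirmed from this view.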
@@ -2869,6 +2870,20 @@ mysql_execute_command(THD *thd) #ifndef HAVE_READLINK lex->create_info.data_file_name=lex->create_info.index_file_name=0; #else + + if (test_if_data_home_dir(lex->create_info.data_file_name)) + { + my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY"); + res= -1; + break; + } + if (test_if_data_home_dir(lex->create_info.index_file_name)) + { + my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY"); + res= -1; + break; + } + /* Fix names if symlinked tables */ if (append_file_to_dir(thd, &lex->create_info.data_file_name, create_table->table_name) || @@ -7705,3 +7720,48 @@ bool check_string_length(LEX_STRING *str return TRUE; } + + +/* + Check if path does not contain mysql data home directory + + SYNOPSIS + test_if_data_home_dir() + dir directory + conv_home_dir converted data home directory + home_dir_len converted data home directory length + + RETURN VALUES + 0 ok + 1 error +*/ + +static bool test_if_data_home_dir(const char *dir) +{ + char path[FN_REFLEN], conv_path[FN_REFLEN]; + uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home); + DBUG_ENTER("test_if_data_home_dir"); + + if (!dir) + DBUG_RETURN(0); + + (void) fn_format(path, dir, "", "", + (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS)); + dir_len= unpack_dirname(conv_path, dir); + + if (home_dir_len <= dir_len) + { + if (lower_case_file_system) + { + if (!my_strnncoll(default_charset_info, (const uchar*) conv_path, + home_dir_len, + (const uchar*) mysql_unpacked_real_data_home, + home_dir_len)) + DBUG_RETURN(1); + } + else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len)) + DBUG_RETURN(1); + } + DBUG_RETURN(0); +} +
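Review bot: Both added `my_error()` calls pass the option name misspelled, `"DATA DIRECORY"` and `"INDEX DIRECORY"`, and that argument is what the client sees in the error text. Use `my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECTORY");` and the matching `"INDEX DIRECTORY"`. The checks sit in the `#else` branch of `HAVE_READLINK` inside `mysql_execute_command()`, whose body continues outside the hunk, so whether other statements that accept these two options pass through the same check cannot be told from here.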
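Review bot: `test_if_data_home_dir()` writes the symlink-resolved form of `dir` into `path` and then never reads it: the next statement is `dir_len= unpack_dirname(conv_path, dir);`, so the comparison against `mysql_unpacked_real_data_home` runs on the caller's unresolved string. The data-home side was canonicalised in `fix_paths()`, so a directory argument that resolves into the data home only through a symlink compares unequal and is accepted. Feed the resolved buffer into the comparison, `dir_len= unpack_dirname(conv_path, path);`, and decide explicitly what happens when resolution fails rather than discarding the `fn_format()` result with `(void)`. The header comment also documents `conv_home_dir` and `home_dir_len`, which are not parameters of this function, and labels return value 1 as "error" where the code uses it to mean that the path lies inside the data home.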