File: 95_SECURITY_CVE-2007-3781.dpatch

mysql-dfsg-5.0 5.0.32-7etch12
#! /bin/sh /usr/share/dpatch/dpatch-run
## 95_SECURITY_CVE-2007-3781.dpatch by  <nobse@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix for CVE-2007-3781: CREATE TABLE LIKE did not require any privileges
## DP: on the source table. Now it requires the SELECT privilege.

@DPATCH@
diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result
--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/r/grant2.result	2006-12-20 12:30:57.000000000 +0100
+++ mysql-dfsg-5.0-5.0.32/mysql-test/r/grant2.result	2007-12-22 20:15:32.290837909 +0100
@@ -380,3 +380,27 @@
 drop table t2;
 REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
 drop user `a@`@localhost;
+drop database if exists mysqltest_1;
+drop database if exists mysqltest_2;
+drop user mysqltest_u1@localhost;
+create database mysqltest_1;
+create database mysqltest_2;
+grant all on mysqltest_1.* to mysqltest_u1@localhost;
+use mysqltest_2;
+create table t1 (i int);
+show create table mysqltest_2.t1;
+ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
+create table t1 like mysqltest_2.t1;
+ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
+grant select on mysqltest_2.t1 to mysqltest_u1@localhost;
+show create table mysqltest_2.t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `i` int(11) default NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1
+create table t1 like mysqltest_2.t1;
+use test;
+drop database mysqltest_1;
+drop database mysqltest_2;
+drop user mysqltest_u1@localhost;
+End of 5.0 tests
diff -Nur mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test
--- mysql-dfsg-5.0-5.0.32.orig/mysql-test/t/grant2.test	2006-12-20 12:30:57.000000000 +0100
+++ mysql-dfsg-5.0-5.0.32/mysql-test/t/grant2.test	2007-12-22 20:15:32.790866404 +0100
@@ -509,3 +509,47 @@
 connection default;
 REVOKE ALL PRIVILEGES, GRANT OPTION FROM `a@`@localhost;
 drop user `a@`@localhost;
+
+
+#
+# Bug#25578 "CREATE TABLE LIKE does not require any privileges on source table"
+#
+--disable_warnings
+drop database if exists mysqltest_1;
+drop database if exists mysqltest_2;
+--enable_warnings
+--error 0,ER_CANNOT_USER
+drop user mysqltest_u1@localhost;
+
+create database mysqltest_1;
+create database mysqltest_2;
+grant all on mysqltest_1.* to mysqltest_u1@localhost;
+use mysqltest_2;
+create table t1 (i int);
+
+# Connect as user with all rights on mysqltest_1 but with no rights on mysqltest_2.
+connect (user1,localhost,mysqltest_u1,,mysqltest_1);
+connection user1;
+# As expected error is emitted
+--error ER_TABLEACCESS_DENIED_ERROR
+show create table mysqltest_2.t1;
+# This should emit error as well
+--error ER_TABLEACCESS_DENIED_ERROR
+create table t1 like mysqltest_2.t1;
+
+# Now let us check that SELECT privilege on the source is enough
+connection default;
+grant select on mysqltest_2.t1 to mysqltest_u1@localhost;
+connection user1;
+show create table mysqltest_2.t1;
+create table t1 like mysqltest_2.t1;
+
+# Clean-up
+connection default;
+use test;
+drop database mysqltest_1;
+drop database mysqltest_2;
+drop user mysqltest_u1@localhost;
+
+--echo End of 5.0 tests
+
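Review bot: The new case opens the `user1` session with `connect (...)`, but the clean-up never issues `disconnect user1;`, so the session stays open until the test file ends. Add it to the clean-up block. Coverage is also limited to a permanent table with a table-level grant. A case where `mysqltest_u1` holds SELECT on only one column of `mysqltest_2.t1` would pin down what the privilege check accepts for CREATE TABLE ... LIKE, which the visible hunks do not make clear. grant2.result would need the matching expected lines.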
diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/handler.h mysql-dfsg-5.0-5.0.32/sql/handler.h
--- mysql-dfsg-5.0-5.0.32.orig/sql/handler.h	2006-12-20 12:14:37.000000000 +0100
+++ mysql-dfsg-5.0-5.0.32/sql/handler.h	2007-12-22 20:15:32.790866404 +0100
@@ -163,6 +163,7 @@
 
 #define HA_LEX_CREATE_TMP_TABLE	1
 #define HA_LEX_CREATE_IF_NOT_EXISTS 2
+#define HA_LEX_CREATE_TABLE_LIKE 4
 #define HA_OPTION_NO_CHECKSUM	(1L << 17)
 #define HA_OPTION_NO_DELAY_KEY_WRITE (1L << 18)
 #define HA_MAX_REC_LENGTH	65535
diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc
--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc	2006-12-20 12:14:48.000000000 +0100
+++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc	2007-12-22 20:15:49.291806739 +0100
@@ -76,6 +76,7 @@
 static void remove_escape(char *name);
 static bool append_file_to_dir(THD *thd, const char **filename_ptr,
 			       const char *table_name);
+static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
 
 const char *any_db="*any*";	// Special symbol for check_access
 
@@ -3005,7 +3006,7 @@
     else
     {
       /* regular create */
-      if (lex->name)
+      if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
         res= mysql_create_like_table(thd, create_table, &lex->create_info, 
                                      (Table_ident *)lex->name); 
       else
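Review bot: No hunk in this patch sets `HA_LEX_CREATE_TABLE_LIKE` in `lex->create_info.options`; the flag is only defined in handler.h and tested here and in the CREATE TABLE pre-check hunk. Unless the grammar action for LIKE already sets it in a change not shown on this page, this condition is never true. The statement would then fall through to the regular create branch, and the new privilege check would never run. Confirm that the parser does `lex->create_info.options|= HA_LEX_CREATE_TABLE_LIKE;` where it stores the source `Table_ident` in `lex->name`, and that `options` is not reset afterwards. The enclosing function starts and ends outside the hunk.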
@@ -3201,11 +3202,7 @@
         first_table->skip_temporary= 1;
 
       if (check_db_used(thd, all_tables) ||
-	  check_access(thd, SELECT_ACL | EXTRA_ACL, first_table->db,
-		       &first_table->grant.privilege, 0, 0, 
-                       test(first_table->schema_table)))
-	goto error;
-      if (grant_option && check_grant(thd, SELECT_ACL, all_tables, 2, UINT_MAX, 0))
+          check_show_create_table_access(thd, first_table))
 	goto error;
       res= mysqld_show_create(thd, first_table);
       break;
@@ -7337,6 +7334,25 @@
 }
 
 
+/**
+   @brief  Check privileges for SHOW CREATE TABLE statement.
+
+   @param  thd    Thread context
+   @param  table  Target table
+
+   @retval TRUE  Failure
+   @retval FALSE Success
+*/
+
+static bool check_show_create_table_access(THD *thd, TABLE_LIST *table)
+{
+  return check_access(thd, SELECT_ACL | EXTRA_ACL, table->db,
+                      &table->grant.privilege, 0, 0,
+                      test(table->schema_table)) ||
+         grant_option && check_grant(thd, SELECT_ACL, table, 2, UINT_MAX, 0);
+}
+
+
 /*
   CREATE TABLE query pre-check
 
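Review bot: `check_access(...) || grant_option && check_grant(...)` relies on `&&` binding tighter than `||`. The result is as intended, but compilers warn about it and a reader of an access-control check should not have to work out precedence, so write `|| (grant_option && check_grant(thd, SELECT_ACL, table, 2, UINT_MAX, 0));`. The helper is named for one table yet passes `UINT_MAX` where a table count appears to be expected. If `check_grant` follows the list past `table`, it will also check whatever is linked after it, and `1` would match the helper's contract. The doc comment should say the helper is shared with CREATE TABLE ... LIKE and that TRUE means access was denied, for example `@retval TRUE  Access denied (error already reported)`, if that is what the callee guarantees.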
@@ -7402,6 +7418,11 @@
     if (tables && check_table_access(thd, SELECT_ACL, tables,0))
       goto err;
   }
+  else if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
+  {
+    if (check_show_create_table_access(thd, tables))
+      goto err;
+  }
   error= FALSE;
 
 err:
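Review bot: `check_show_create_table_access(thd, tables)` dereferences `table->db` unconditionally, while the branch just above guards its check with `tables && ...`. If `tables` can be NULL on this path, the server would crash instead of denying access. The grammar presumably always links the source table for LIKE, but that invariant should be explicit: either `DBUG_ASSERT(tables);` before the call or a fail-closed `if (!tables || check_show_create_table_access(thd, tables)) goto err;`. The enclosing function starts and ends outside the hunk, so the condition of the preceding `if` is not visible here.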