File: 95_SECURITY_CVE-2007-5969.dpatch

mysql-dfsg-5.0 5.0.32-7etch12
#! /bin/sh /usr/share/dpatch/dpatch-run
## 95_SECURITY_CVE-2007-5969.dpatch by  <nobse@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix for CVE-2007-5969: The convert_search_mode_to_innobase function in
## DP: ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
## DP: remote authenticated users to cause a denial of service (database crash)
## DP: via a certain CONTAINS operation on an indexed column, which triggers an
## DP: assertion error. (closes: #451235)

@DPATCH@
diff -Nrup a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result
--- a/mysql-test/r/symlink.result	2007-07-13 15:32:27 +02:00
+++ b/mysql-test/r/symlink.result	2007-11-15 10:55:43 +01:00
@@ -99,6 +99,12 @@ t1	CREATE TABLE `t1` (
   `b` int(11) default NULL
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 drop table t1;
+CREATE TABLE t1(a INT)
+DATA DIRECTORY='TEST_DIR/master-data/mysql'
+INDEX DIRECTORY='TEST_DIR/master-data/mysql';
+RENAME TABLE t1 TO user;
+ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
+DROP TABLE t1;
 show create table t1;
 Table	Create Table
 t1	CREATE TABLE `t1` (
diff -Nrup a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test
--- a/mysql-test/t/symlink.test	2007-07-13 15:32:27 +02:00
+++ b/mysql-test/t/symlink.test	2007-11-15 10:55:43 +01:00
@@ -125,6 +125,18 @@ show create table t1;
 drop table t1;
 
 #
+# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
+#
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+eval CREATE TABLE t1(a INT)
+DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
+INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+--error 1
+RENAME TABLE t1 TO user;
+DROP TABLE t1;
+
+#
 # Test specifying DATA DIRECTORY that is the same as what would normally
 # have been chosen. (Bug #8707)
 #
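Review bot: The new case asserts only that `RENAME TABLE t1 TO user` fails; it does not check afterwards that the existing `mysql.user` files are unchanged, which is presumably the property the fix is meant to protect. The expected error in symlink.result names `user.MYI`, so the data-file path does not appear to be exercised on its own, and a second case with only `DATA DIRECTORY` set may be worth adding once its expected outcome is confirmed. The header comment has a typo (`DIRECORY`) and could state what is at stake, e.g. `# RENAME must not replace the files of an existing table through a symlinked DATA/INDEX DIRECTORY`. The `## DP:` text at the top of this patch describes an InnoDB assertion crash, whereas this test and the mysys change concern symlinked table files, so the description and the patch body do not seem to match.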
diff -Nrup a/mysys/my_symlink2.c b/mysys/my_symlink2.c
--- a/mysys/my_symlink2.c	2007-07-18 14:33:39 +02:00
+++ b/mysys/my_symlink2.c	2007-11-15 10:55:43 +01:00
@@ -126,6 +126,7 @@ int my_rename_with_symlink(const char *f
   int was_symlink= (!my_disable_symlinks &&
 		    !my_readlink(link_name, from, MYF(0)));
   int result=0;
+  int name_is_different;
   DBUG_ENTER("my_rename_with_symlink");
 
   if (!was_symlink)
@@ -134,6 +135,14 @@ int my_rename_with_symlink(const char *f
   /* Change filename that symlink pointed to */
   strmov(tmp_name, to);
   fn_same(tmp_name,link_name,1);		/* Copy dir */
+  name_is_different= strcmp(link_name, tmp_name);
+  if (name_is_different && !access(tmp_name, F_OK))
+  {
+    my_errno= EEXIST;
+    if (MyFlags & MY_WME)
+      my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
+    DBUG_RETURN(1);
+  }
 
   /* Create new symlink */
   if (my_symlink(tmp_name, to, MyFlags))
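Review bot: The guard `if (name_is_different && !access(tmp_name, F_OK))` and the later `my_rename(link_name, tmp_name, MyFlags)` in the next hunk are separate steps, so a file that appears at `tmp_name` between them would still be replaced by the rename. The check narrows the overwrite but does not make it atomic. Any `access()` failure, not only a missing file, is treated here as "target absent", and `access()` tests with the real rather than the effective user id. If the target directory can be written by anyone other than the server, a no-replace rename primitive is preferable where the platform offers one; otherwise a comment above the check such as `/* Refuse to replace an existing file; not atomic with the rename below */` would record the limitation. The function body starts before this hunk and continues after it.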
@@ -145,7 +154,7 @@ int my_rename_with_symlink(const char *f
     the same basename and different directories.
    */
 
-  if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
+  if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
   {
     int save_errno=my_errno;
     my_delete(to, MyFlags);			/* Remove created symlink */