File: 95_SECURITY_CVE-2009-2446.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run
## 99-unnamed.dpatch by Christian Hammers <ch@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch provided by Sergei Golubchik of MySQL.

@DPATCH@

# From: Date: July 1 2009 2:09pm
# Subject: bzr commit into mysql-5.0-bugteam branch (staale.smedseng:2789) Bug#45790
# List-Archive: http://lists.mysql.com/commits/77649
# 
# #At file:///export/home/tmp/ss156133/z/45790-50/ based on revid:staale.smedseng@stripped
# 
#  2789 Staale Smedseng   2009-07-01
#       Bug #45790 Potential DoS vector: Writing of user input to log
#       without proper formatting
#             
#       The problem is that a suitably crafted database identifier
#       supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
#       and thereby a denial of service. The database name is printed
#       to the log without using a format string, so potential
#       attackers can control the behavior of my_b_vprintf() by
#       supplying their own format string. A CREATE or DROP privilege
#       would be required.
#             
#       This patch supplies a format string to the printing of the
#       database name. A test case is added to mysql_client_test.
#      @ sql/sql_parse.cc
#         Added format strings.
#      @ tests/mysql_client_test.c
#         Added new test case.
# 
#     modified:
#       sql/sql_parse.cc
#       tests/mysql_client_test.c
--- old/sql/sql_parse.cc   2009-07-22 00:28:28.000000000 +0200
+++ new/sql/sql_parse.cc    2009-07-22 00:29:32.000000000 +0200
@@ -1935,7 +1935,7 @@
       }
       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
 	break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd, command, "%s", db);
       bzero(&create_info, sizeof(create_info));
       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                       &create_info, 0);
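Review bot: The first hunk changes the logged value from `packet` to `db` as well as supplying the `"%s"` format, so the CREATE DATABASE log line now records the parsed name rather than the raw packet; that is presumably intended, since `db` is what `check_access` on the preceding line validated, but the patch description only mentions "Added format strings" and should say so. Both call sites fix the symptom of passing user-controlled text as the format argument of `mysql_log.write()` (the second hunk, COM_DROP_DB, is the same fix); the durable defense is at the callee, so if the `write` method behind `mysql_log` is not already declared with `__attribute__((format(printf, N, N+1)))` (N being the position of the format parameter in the actual declaration, counting `this` for a member function), adding it and building with `-Wformat-security` turns any remaining non-literal format argument into a compile-time diagnostic. A one-line comment at each call would help the next reader: `/* db is client-supplied: always pass it through an explicit format */`. The enclosing switch case starts before the hunk.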
@@ -1960,7 +1960,7 @@
                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
 	break;
       }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd, command, "%s", db);
       mysql_rm_db(thd, db, 0, 0);
       break;
     }
--- old/tests/mysql_client_test.c 2009-05-05 09:07:11 +0000
+++ new/tests/mysql_client_test.c 2009-07-01 12:09:44 +0000
@@ -12063,6 +12063,27 @@ static void test_bug6081()
 }
 
 
+/*
+  Verify that bogus database names are handled properly with
+  COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
+  the use of printf specifiers in the database name.
+*/
+static void test_bug45790()
+{
+  const char* bogus_db = "%s%s%s%s%s%s%s";
+  int rc;
+
+  myheader("test_bug45790");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+
+  rc= simple_command(mysql, COM_DROP_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
+
 static void test_bug6096()
 {
   MYSQL_STMT *stmt;
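Review bot: The new test only shows that the server survives the probe, not that the logged line is well-formed, which is adequate for a crash regression but the header comment claims more ("handled properly"); a rewording such as `Regression test for Bug#45790: a database name containing printf conversions must not crash the server (the name is now logged via an explicit "%s" format).` states what is actually checked. Two style points: `const char* bogus_db` binds the declarator to the type, whereas this file binds it to the variable (`MYSQL_STMT *stmt;` just below), so `const char *bogus_db` matches; and the registration entry added in the next hunk, `{ "test_bug45790",test_bug45790 },`, lacks the space after the comma that every neighbouring entry has. The test also assumes the CREATE succeeds on a clean server; if a database of that name survives an aborted earlier run, the first `myquery(rc)` fails for a reason unrelated to the bug, which is worth a comment or a preceding best-effort drop.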
@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_bug45790",test_bug45790 },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },