82 lines
3.0 KiB
Diff
82 lines
3.0 KiB
Diff
Back-ported patch for CVE-2012-5611 --- see
|
|
http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.17
|
|
|
|
|
|
diff -Naur mysql-5.5.28.orig/mysql-test/r/information_schema.result mysql-5.5.28/mysql-test/r/information_schema.result
|
|
--- mysql-5.5.28.orig/mysql-test/r/information_schema.result 2012-08-29 04:50:47.000000000 -0400
|
|
+++ mysql-5.5.28/mysql-test/r/information_schema.result 2012-12-05 10:33:56.906738492 -0500
|
|
@@ -1712,6 +1712,10 @@
|
|
length(CAST(b AS CHAR))
|
|
20
|
|
DROP TABLE ubig;
|
|
+grant usage on *.* to mysqltest_1@localhost;
|
|
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
|
|
+1
|
|
+drop user mysqltest_1@localhost;
|
|
End of 5.1 tests.
|
|
#
|
|
# Additional test for WL#3726 "DDL locking for all metadata objects"
|
|
diff -Naur mysql-5.5.28.orig/mysql-test/t/information_schema.test mysql-5.5.28/mysql-test/t/information_schema.test
|
|
--- mysql-5.5.28.orig/mysql-test/t/information_schema.test 2012-08-29 04:50:47.000000000 -0400
|
|
+++ mysql-5.5.28/mysql-test/t/information_schema.test 2012-12-05 10:33:56.908738590 -0500
|
|
@@ -1444,6 +1444,13 @@
|
|
|
|
DROP TABLE ubig;
|
|
|
|
+grant usage on *.* to mysqltest_1@localhost;
|
|
+connect (con1, localhost, mysqltest_1,,);
|
|
+connection con1;
|
|
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
|
|
+connection default;
|
|
+disconnect con1;
|
|
+drop user mysqltest_1@localhost;
|
|
|
|
--echo End of 5.1 tests.
|
|
|
|
diff -Naur mysql-5.5.28.orig/sql/sql_acl.cc mysql-5.5.28/sql/sql_acl.cc
|
|
--- mysql-5.5.28.orig/sql/sql_acl.cc 2012-08-29 04:50:46.000000000 -0400
|
|
+++ mysql-5.5.28/sql/sql_acl.cc 2012-12-05 10:35:47.608766346 -0500
|
|
@@ -1573,14 +1573,20 @@
|
|
acl_entry *entry;
|
|
DBUG_ENTER("acl_get");
|
|
|
|
- mysql_mutex_lock(&acl_cache->lock);
|
|
- end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
|
|
+ tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1;
|
|
+ end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db);
|
|
+
|
|
+ if (end >= key + sizeof(key)) // db name was truncated
|
|
+ DBUG_RETURN(0); // no privileges for an invalid db name
|
|
+
|
|
if (lower_case_table_names)
|
|
{
|
|
my_casedn_str(files_charset_info, tmp_db);
|
|
db=tmp_db;
|
|
}
|
|
key_length= (size_t) (end-key);
|
|
+
|
|
+ mysql_mutex_lock(&acl_cache->lock);
|
|
if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key,
|
|
key_length)))
|
|
{
|
|
@@ -4902,11 +4908,17 @@
|
|
bool check_grant_db(THD *thd,const char *db)
|
|
{
|
|
Security_context *sctx= thd->security_ctx;
|
|
- char helping [NAME_LEN+USERNAME_LENGTH+2];
|
|
+ char helping [NAME_LEN+USERNAME_LENGTH+2], *end;
|
|
uint len;
|
|
bool error= TRUE;
|
|
|
|
- len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;
|
|
+ end= strmov(helping, sctx->priv_user) + 1;
|
|
+ end= strnmov(end, db, helping + sizeof(helping) - end);
|
|
+
|
|
+ if (end >= helping + sizeof(helping)) // db name was truncated
|
|
+ return 1; // no privileges for an invalid db name
|
|
+
|
|
+ len= (uint) (end - helping) + 1;
|
|
|
|
mysql_rwlock_rdlock(&LOCK_grant);
|
|
|