From e46ac38a7e4d69d009e74afa76d584461e52b654 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Fri, 14 Dec 2007 03:38:55 +0000 Subject: [PATCH] Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303. --- mysql-innodb-crash.patch | 114 ++++++++++++++++++++++++++++ mysql-rename-bug.patch | 75 ++++++++++++++++++ mysql-view-bug.patch | 160 +++++++++++++++++++++++++++++++++++++++ mysql.spec | 12 ++- 4 files changed, 360 insertions(+), 1 deletion(-) create mode 100644 mysql-innodb-crash.patch create mode 100644 mysql-rename-bug.patch create mode 100644 mysql-view-bug.patch diff --git a/mysql-innodb-crash.patch b/mysql-innodb-crash.patch new file mode 100644 index 0000000..c2c6de5 --- /dev/null +++ b/mysql-innodb-crash.patch @@ -0,0 +1,114 @@ +Back-port upstream fix for CVE-2007-5925. + +diff -Naur mysql-5.0.45.orig/innobase/include/db0err.h mysql-5.0.45/innobase/include/db0err.h +--- mysql-5.0.45.orig/innobase/include/db0err.h 2007-07-04 09:06:59.000000000 -0400 ++++ mysql-5.0.45/innobase/include/db0err.h 2007-12-13 12:44:05.000000000 -0500 +@@ -57,6 +57,18 @@ + buffer pool (for big transactions, + InnoDB stores the lock structs in the + buffer pool) */ ++#define DB_FOREIGN_DUPLICATE_KEY 46 /* foreign key constraints ++ activated by the operation would ++ lead to a duplicate key in some ++ table */ ++#define DB_TOO_MANY_CONCURRENT_TRXS 47 /* when InnoDB runs out of the ++ preconfigured undo slots, this can ++ only happen when there are too many ++ concurrent transactions */ ++#define DB_UNSUPPORTED 48 /* when InnoDB sees any artefact or ++ a feature that it can't recoginize or ++ work with e.g., FT indexes created by ++ a later version of the engine. */ + + /* The following are partial failure codes */ + #define DB_FAIL 1000 +diff -Naur mysql-5.0.45.orig/innobase/include/page0cur.h mysql-5.0.45/innobase/include/page0cur.h +--- mysql-5.0.45.orig/innobase/include/page0cur.h 2007-07-04 09:06:10.000000000 -0400 ++++ mysql-5.0.45/innobase/include/page0cur.h 2007-12-13 12:44:05.000000000 -0500 +@@ -22,6 +22,7 @@ + + /* Page cursor search modes; the values must be in this order! */ + ++#define PAGE_CUR_UNSUPP 0 + #define PAGE_CUR_G 1 + #define PAGE_CUR_GE 2 + #define PAGE_CUR_L 3 +diff -Naur mysql-5.0.45.orig/sql/ha_innodb.cc mysql-5.0.45/sql/ha_innodb.cc +--- mysql-5.0.45.orig/sql/ha_innodb.cc 2007-07-04 09:06:48.000000000 -0400 ++++ mysql-5.0.45/sql/ha_innodb.cc 2007-12-13 12:44:05.000000000 -0500 +@@ -526,6 +526,9 @@ + } + + return(HA_ERR_LOCK_TABLE_FULL); ++ } else if (error == DB_UNSUPPORTED) { ++ ++ return(HA_ERR_UNSUPPORTED); + } else { + return(-1); // Unknown error + } +@@ -3689,11 +3692,21 @@ + and comparison of non-latin1 char type fields in + innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to + work correctly. */ +- +- default: assert(0); ++ case HA_READ_MBR_CONTAIN: ++ case HA_READ_MBR_INTERSECT: ++ case HA_READ_MBR_WITHIN: ++ case HA_READ_MBR_DISJOINT: ++ my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0)); ++ return(PAGE_CUR_UNSUPP); ++ /* do not use "default:" in order to produce a gcc warning: ++ enumeration value '...' not handled in switch ++ (if -Wswitch or -Wall is used) ++ */ + } + +- return(0); ++ my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality"); ++ ++ return(PAGE_CUR_UNSUPP); + } + + /* +@@ -3831,11 +3844,18 @@ + + last_match_mode = (uint) match_mode; + +- innodb_srv_conc_enter_innodb(prebuilt->trx); ++ if (mode != PAGE_CUR_UNSUPP) { + +- ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0); ++ innodb_srv_conc_enter_innodb(prebuilt->trx); + +- innodb_srv_conc_exit_innodb(prebuilt->trx); ++ ret = row_search_for_mysql((byte*) buf, mode, prebuilt, ++ match_mode, 0); ++ ++ innodb_srv_conc_exit_innodb(prebuilt->trx); ++ } else { ++ ++ ret = DB_UNSUPPORTED; ++ } + + if (ret == DB_SUCCESS) { + error = 0; +@@ -5150,8 +5170,16 @@ + mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag : + HA_READ_KEY_EXACT); + +- n_rows = btr_estimate_n_rows_in_range(index, range_start, +- mode1, range_end, mode2); ++ if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) { ++ ++ n_rows = btr_estimate_n_rows_in_range(index, range_start, ++ mode1, range_end, ++ mode2); ++ } else { ++ ++ n_rows = 0; ++ } ++ + dtuple_free_for_mysql(heap1); + dtuple_free_for_mysql(heap2); + diff --git a/mysql-rename-bug.patch b/mysql-rename-bug.patch new file mode 100644 index 0000000..cd5058d --- /dev/null +++ b/mysql-rename-bug.patch @@ -0,0 +1,75 @@ +Back-port upstream fix for CVE-2007-5969. + +diff -Naur mysql-5.0.45.orig/mysql-test/r/symlink.result mysql-5.0.45/mysql-test/r/symlink.result +--- mysql-5.0.45.orig/mysql-test/r/symlink.result 2007-07-04 09:49:09.000000000 -0400 ++++ mysql-5.0.45/mysql-test/r/symlink.result 2007-12-13 12:28:59.000000000 -0500 +@@ -99,6 +99,12 @@ + `b` int(11) default NULL + ) ENGINE=MyISAM DEFAULT CHARSET=latin1 + drop table t1; ++CREATE TABLE t1(a INT) ++DATA DIRECTORY='TEST_DIR/master-data/mysql' ++INDEX DIRECTORY='TEST_DIR/master-data/mysql'; ++RENAME TABLE t1 TO user; ++ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17) ++DROP TABLE t1; + show create table t1; + Table Create Table + t1 CREATE TABLE `t1` ( +diff -Naur mysql-5.0.45.orig/mysql-test/t/symlink.test mysql-5.0.45/mysql-test/t/symlink.test +--- mysql-5.0.45.orig/mysql-test/t/symlink.test 2007-07-04 09:49:09.000000000 -0400 ++++ mysql-5.0.45/mysql-test/t/symlink.test 2007-12-13 12:28:59.000000000 -0500 +@@ -125,6 +125,18 @@ + drop table t1; + + # ++# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE ++# ++--replace_result $MYSQLTEST_VARDIR TEST_DIR ++eval CREATE TABLE t1(a INT) ++DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql' ++INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'; ++--replace_result $MYSQLTEST_VARDIR TEST_DIR ++--error 1 ++RENAME TABLE t1 TO user; ++DROP TABLE t1; ++ ++# + # Test specifying DATA DIRECTORY that is the same as what would normally + # have been chosen. (Bug #8707) + # +diff -Naur mysql-5.0.45.orig/mysys/my_symlink2.c mysql-5.0.45/mysys/my_symlink2.c +--- mysql-5.0.45.orig/mysys/my_symlink2.c 2007-07-04 09:06:25.000000000 -0400 ++++ mysql-5.0.45/mysys/my_symlink2.c 2007-12-13 12:28:59.000000000 -0500 +@@ -124,6 +124,7 @@ + int was_symlink= (!my_disable_symlinks && + !my_readlink(link_name, from, MYF(0))); + int result=0; ++ int name_is_different; + DBUG_ENTER("my_rename_with_symlink"); + + if (!was_symlink) +@@ -132,6 +133,14 @@ + /* Change filename that symlink pointed to */ + strmov(tmp_name, to); + fn_same(tmp_name,link_name,1); /* Copy dir */ ++ name_is_different= strcmp(link_name, tmp_name); ++ if (name_is_different && !access(tmp_name, F_OK)) ++ { ++ my_errno= EEXIST; ++ if (MyFlags & MY_WME) ++ my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST); ++ DBUG_RETURN(1); ++ } + + /* Create new symlink */ + if (my_symlink(tmp_name, to, MyFlags)) +@@ -143,7 +152,7 @@ + the same basename and different directories. + */ + +- if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags)) ++ if (name_is_different && my_rename(link_name, tmp_name, MyFlags)) + { + int save_errno=my_errno; + my_delete(to, MyFlags); /* Remove created symlink */ diff --git a/mysql-view-bug.patch b/mysql-view-bug.patch new file mode 100644 index 0000000..93d8b82 --- /dev/null +++ b/mysql-view-bug.patch @@ -0,0 +1,160 @@ +Back-port upstream fix for CVE-2007-6303. + +diff -Naur mysql-5.0.45.orig/mysql-test/r/view_grant.result mysql-5.0.45/mysql-test/r/view_grant.result +--- mysql-5.0.45.orig/mysql-test/r/view_grant.result 2007-07-04 09:49:09.000000000 -0400 ++++ mysql-5.0.45/mysql-test/r/view_grant.result 2007-12-13 14:20:02.000000000 -0500 +@@ -776,15 +776,60 @@ + GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost; + GRANT SELECT ON db26813.t1 TO u26813@localhost; + ALTER VIEW v1 AS SELECT f2 FROM t1; +-ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1' ++ERROR 42000: Access denied; you need the SUPER privilege for this operation + ALTER VIEW v2 AS SELECT f2 FROM t1; +-ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2' ++ERROR 42000: Access denied; you need the SUPER privilege for this operation + ALTER VIEW v3 AS SELECT f2 FROM t1; ++ERROR 42000: Access denied; you need the SUPER privilege for this operation + SHOW CREATE VIEW v3; + View Create View +-v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1` ++v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1` + DROP USER u26813@localhost; + DROP DATABASE db26813; ++# ++# Bug#29908: A user can gain additional access through the ALTER VIEW. ++# ++CREATE DATABASE mysqltest_29908; ++USE mysqltest_29908; ++CREATE TABLE t1(f1 INT, f2 INT); ++CREATE USER u29908_1@localhost; ++CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; ++CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS ++SELECT f1 FROM t1; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; ++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; ++CREATE USER u29908_2@localhost; ++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; ++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; ++ALTER VIEW v1 AS SELECT f2 FROM t1; ++ERROR 42000: Access denied; you need the SUPER privilege for this operation ++ALTER VIEW v2 AS SELECT f2 FROM t1; ++ERROR 42000: Access denied; you need the SUPER privilege for this operation ++SHOW CREATE VIEW v2; ++View Create View ++v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1` ++ALTER VIEW v1 AS SELECT f2 FROM t1; ++SHOW CREATE VIEW v1; ++View Create View ++v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1` ++ALTER VIEW v2 AS SELECT f2 FROM t1; ++SHOW CREATE VIEW v2; ++View Create View ++v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1` ++ALTER VIEW v1 AS SELECT f1 FROM t1; ++SHOW CREATE VIEW v1; ++View Create View ++v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1` ++ALTER VIEW v2 AS SELECT f1 FROM t1; ++SHOW CREATE VIEW v2; ++View Create View ++v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1` ++DROP USER u29908_1@localhost; ++DROP USER u29908_2@localhost; ++DROP DATABASE mysqltest_29908; ++####################################################################### + DROP DATABASE IF EXISTS mysqltest1; + DROP DATABASE IF EXISTS mysqltest2; + CREATE DATABASE mysqltest1; +diff -Naur mysql-5.0.45.orig/mysql-test/t/view_grant.test mysql-5.0.45/mysql-test/t/view_grant.test +--- mysql-5.0.45.orig/mysql-test/t/view_grant.test 2007-07-04 09:49:09.000000000 -0400 ++++ mysql-5.0.45/mysql-test/t/view_grant.test 2007-12-13 14:19:43.000000000 -0500 +@@ -1034,10 +1034,11 @@ + + connect (u1,localhost,u26813,,db26813); + connection u1; +---error 1142 ++--error ER_SPECIFIC_ACCESS_DENIED_ERROR + ALTER VIEW v1 AS SELECT f2 FROM t1; +---error 1142 ++--error ER_SPECIFIC_ACCESS_DENIED_ERROR + ALTER VIEW v2 AS SELECT f2 FROM t1; ++--error ER_SPECIFIC_ACCESS_DENIED_ERROR + ALTER VIEW v3 AS SELECT f2 FROM t1; + + connection root; +@@ -1047,6 +1048,51 @@ + DROP DATABASE db26813; + disconnect u1; + ++--echo # ++--echo # Bug#29908: A user can gain additional access through the ALTER VIEW. ++--echo # ++connection root; ++CREATE DATABASE mysqltest_29908; ++USE mysqltest_29908; ++CREATE TABLE t1(f1 INT, f2 INT); ++CREATE USER u29908_1@localhost; ++CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; ++CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS ++ SELECT f1 FROM t1; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; ++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; ++CREATE USER u29908_2@localhost; ++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; ++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; ++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; ++ ++connect (u2,localhost,u29908_2,,mysqltest_29908); ++--error ER_SPECIFIC_ACCESS_DENIED_ERROR ++ALTER VIEW v1 AS SELECT f2 FROM t1; ++--error ER_SPECIFIC_ACCESS_DENIED_ERROR ++ALTER VIEW v2 AS SELECT f2 FROM t1; ++SHOW CREATE VIEW v2; ++ ++connect (u1,localhost,u29908_1,,mysqltest_29908); ++ALTER VIEW v1 AS SELECT f2 FROM t1; ++SHOW CREATE VIEW v1; ++ALTER VIEW v2 AS SELECT f2 FROM t1; ++SHOW CREATE VIEW v2; ++ ++connection root; ++ALTER VIEW v1 AS SELECT f1 FROM t1; ++SHOW CREATE VIEW v1; ++ALTER VIEW v2 AS SELECT f1 FROM t1; ++SHOW CREATE VIEW v2; ++ ++DROP USER u29908_1@localhost; ++DROP USER u29908_2@localhost; ++DROP DATABASE mysqltest_29908; ++disconnect u1; ++disconnect u2; ++--echo ####################################################################### ++ + # + # BUG#24040: Create View don't succed with "all privileges" on a database. + # +diff -Naur mysql-5.0.45.orig/sql/sql_view.cc mysql-5.0.45/sql/sql_view.cc +--- mysql-5.0.45.orig/sql/sql_view.cc 2007-07-04 09:06:03.000000000 -0400 ++++ mysql-5.0.45/sql/sql_view.cc 2007-12-13 13:30:29.000000000 -0500 +@@ -224,9 +224,6 @@ + { + LEX *lex= thd->lex; + bool link_to_local; +-#ifndef NO_EMBEDDED_ACCESS_CHECKS +- bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer; +-#endif + /* first table in list is target VIEW name => cut off it */ + TABLE_LIST *view= lex->unlink_first_table(&link_to_local); + TABLE_LIST *tables= lex->query_tables; +@@ -281,7 +278,7 @@ + - same as current user + - current user has SUPER_ACL + */ +- if (definer_check_is_needed && ++ if (lex->definer && + (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 || + my_strcasecmp(system_charset_info, + lex->definer->host.str, diff --git a/mysql.spec b/mysql.spec index 112ccfc..7d487d2 100644 --- a/mysql.spec +++ b/mysql.spec @@ -1,6 +1,6 @@ Name: mysql Version: 5.0.45 -Release: 5%{?dist} +Release: 6%{?dist} Summary: MySQL client programs and shared libraries Group: Applications/Databases URL: http://www.mysql.com @@ -28,6 +28,9 @@ Patch7: mysql-rpl-test.patch Patch8: mysql-install-test.patch Patch9: mysql-bdb-link.patch Patch10: mysql-bdb-open.patch +Patch11: mysql-innodb-crash.patch +Patch12: mysql-rename-bug.patch +Patch13: mysql-view-bug.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: gperf, perl, readline-devel, openssl-devel @@ -133,6 +136,9 @@ the MySQL sources. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 libtoolize --force aclocal @@ -474,6 +480,10 @@ fi %{_mandir}/man1/mysql_client_test.1* %changelog +* Thu Dec 13 2007 Tom Lane 5.0.45-6 +- Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303. +Related: #422211 + * Wed Dec 5 2007 Tom Lane 5.0.45-5 - Rebuild for new openssl