Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303.

mysql-innodb-crash.patch

@@ -0,0 +1,114 @@
+Back-port upstream fix for CVE-2007-5925.
+
+diff -Naur mysql-5.0.45.orig/innobase/include/db0err.h mysql-5.0.45/innobase/include/db0err.h
+--- mysql-5.0.45.orig/innobase/include/db0err.h	2007-07-04 09:06:59.000000000 -0400
++++ mysql-5.0.45/innobase/include/db0err.h	2007-12-13 12:44:05.000000000 -0500
+@@ -57,6 +57,18 @@
+ 					buffer pool (for big transactions,
+ 					InnoDB stores the lock structs in the
+ 					buffer pool) */
++#define DB_FOREIGN_DUPLICATE_KEY 46	/* foreign key constraints
++					activated by the operation would
++					lead to a duplicate key in some
++					table */
++#define DB_TOO_MANY_CONCURRENT_TRXS 47	/* when InnoDB runs out of the
++					preconfigured undo slots, this can
++					only happen when there are too many
++					concurrent transactions */
++#define DB_UNSUPPORTED		48	/* when InnoDB sees any artefact or
++					a feature that it can't recoginize or
++					work with e.g., FT indexes created by
++					a later version of the engine. */
+ 
+ /* The following are partial failure codes */
+ #define DB_FAIL 		1000
+diff -Naur mysql-5.0.45.orig/innobase/include/page0cur.h mysql-5.0.45/innobase/include/page0cur.h
+--- mysql-5.0.45.orig/innobase/include/page0cur.h	2007-07-04 09:06:10.000000000 -0400
++++ mysql-5.0.45/innobase/include/page0cur.h	2007-12-13 12:44:05.000000000 -0500
+@@ -22,6 +22,7 @@
+ 
+ /* Page cursor search modes; the values must be in this order! */
+ 
++#define	PAGE_CUR_UNSUPP	0
+ #define	PAGE_CUR_G	1
+ #define	PAGE_CUR_GE	2
+ #define	PAGE_CUR_L	3
+diff -Naur mysql-5.0.45.orig/sql/ha_innodb.cc mysql-5.0.45/sql/ha_innodb.cc
+--- mysql-5.0.45.orig/sql/ha_innodb.cc	2007-07-04 09:06:48.000000000 -0400
++++ mysql-5.0.45/sql/ha_innodb.cc	2007-12-13 12:44:05.000000000 -0500
+@@ -526,6 +526,9 @@
+  		}
+ 
+     		return(HA_ERR_LOCK_TABLE_FULL);
++ 	} else if (error == DB_UNSUPPORTED) {
++ 
++ 		return(HA_ERR_UNSUPPORTED);
+     	} else {
+     		return(-1);			// Unknown error
+     	}
+@@ -3689,11 +3692,21 @@
+ 		  and comparison of non-latin1 char type fields in
+ 		  innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to
+ 		  work correctly. */
+-
+-		default:			assert(0);
++		case HA_READ_MBR_CONTAIN:
++		case HA_READ_MBR_INTERSECT:
++		case HA_READ_MBR_WITHIN:
++		case HA_READ_MBR_DISJOINT:
++			my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0));
++			return(PAGE_CUR_UNSUPP);
++		/* do not use "default:" in order to produce a gcc warning:
++		enumeration value '...' not handled in switch
++		(if -Wswitch or -Wall is used)
++		*/
+ 	}
+ 
+-	return(0);
++	my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality");
++
++	return(PAGE_CUR_UNSUPP);
+ }
+ 
+ /*
+@@ -3831,11 +3844,18 @@
+ 
+ 	last_match_mode = (uint) match_mode;
+ 
+-	innodb_srv_conc_enter_innodb(prebuilt->trx);
++	if (mode != PAGE_CUR_UNSUPP) {
+ 
+-	ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0);
++		innodb_srv_conc_enter_innodb(prebuilt->trx);
+ 
+-	innodb_srv_conc_exit_innodb(prebuilt->trx);
++		ret = row_search_for_mysql((byte*) buf, mode, prebuilt,
++					   match_mode, 0);
++
++		innodb_srv_conc_exit_innodb(prebuilt->trx);
++	} else {
++
++		ret = DB_UNSUPPORTED;
++	}
+ 
+ 	if (ret == DB_SUCCESS) {
+ 		error = 0;
+@@ -5150,8 +5170,16 @@
+ 	mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag :
+                                                 HA_READ_KEY_EXACT);
+ 
+-	n_rows = btr_estimate_n_rows_in_range(index, range_start,
+-						mode1, range_end, mode2);
++	if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) {
++
++		n_rows = btr_estimate_n_rows_in_range(index, range_start,
++						      mode1, range_end,
++						      mode2);
++	} else {
++
++		n_rows = 0;
++	}
++
+ 	dtuple_free_for_mysql(heap1);
+ 	dtuple_free_for_mysql(heap2);
+ 

mysql-rename-bug.patch

@@ -0,0 +1,75 @@
+Back-port upstream fix for CVE-2007-5969.
+
+diff -Naur mysql-5.0.45.orig/mysql-test/r/symlink.result mysql-5.0.45/mysql-test/r/symlink.result
+--- mysql-5.0.45.orig/mysql-test/r/symlink.result	2007-07-04 09:49:09.000000000 -0400
++++ mysql-5.0.45/mysql-test/r/symlink.result	2007-12-13 12:28:59.000000000 -0500
+@@ -99,6 +99,12 @@
+   `b` int(11) default NULL
+ ) ENGINE=MyISAM DEFAULT CHARSET=latin1
+ drop table t1;
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/master-data/mysql'
++INDEX DIRECTORY='TEST_DIR/master-data/mysql';
++RENAME TABLE t1 TO user;
++ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
++DROP TABLE t1;
+ show create table t1;
+ Table	Create Table
+ t1	CREATE TABLE `t1` (
+diff -Naur mysql-5.0.45.orig/mysql-test/t/symlink.test mysql-5.0.45/mysql-test/t/symlink.test
+--- mysql-5.0.45.orig/mysql-test/t/symlink.test	2007-07-04 09:49:09.000000000 -0400
++++ mysql-5.0.45/mysql-test/t/symlink.test	2007-12-13 12:28:59.000000000 -0500
+@@ -125,6 +125,18 @@
+ drop table t1;
+ 
+ #
++# BUG#32111 <http://bugs.mysql.com/32111> - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
++#
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
++INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
++--replace_result $MYSQLTEST_VARDIR TEST_DIR
++--error 1
++RENAME TABLE t1 TO user;
++DROP TABLE t1;
++
++#
+ # Test specifying DATA DIRECTORY that is the same as what would normally
+ # have been chosen. (Bug #8707)
+ #
+diff -Naur mysql-5.0.45.orig/mysys/my_symlink2.c mysql-5.0.45/mysys/my_symlink2.c
+--- mysql-5.0.45.orig/mysys/my_symlink2.c	2007-07-04 09:06:25.000000000 -0400
++++ mysql-5.0.45/mysys/my_symlink2.c	2007-12-13 12:28:59.000000000 -0500
+@@ -124,6 +124,7 @@
+   int was_symlink= (!my_disable_symlinks &&
+ 		    !my_readlink(link_name, from, MYF(0)));
+   int result=0;
++  int name_is_different;
+   DBUG_ENTER("my_rename_with_symlink");
+ 
+   if (!was_symlink)
+@@ -132,6 +133,14 @@
+   /* Change filename that symlink pointed to */
+   strmov(tmp_name, to);
+   fn_same(tmp_name,link_name,1);		/* Copy dir */
++  name_is_different= strcmp(link_name, tmp_name);
++  if (name_is_different && !access(tmp_name, F_OK))
++  {
++    my_errno= EEXIST;
++    if (MyFlags & MY_WME)
++      my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
++    DBUG_RETURN(1);
++  }
+ 
+   /* Create new symlink */
+   if (my_symlink(tmp_name, to, MyFlags))
+@@ -143,7 +152,7 @@
+     the same basename and different directories.
+    */
+ 
+-  if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
++  if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
+   {
+     int save_errno=my_errno;
+     my_delete(to, MyFlags);			/* Remove created symlink */

mysql-view-bug.patch

@@ -0,0 +1,160 @@
+Back-port upstream fix for CVE-2007-6303.
+
+diff -Naur mysql-5.0.45.orig/mysql-test/r/view_grant.result mysql-5.0.45/mysql-test/r/view_grant.result
+--- mysql-5.0.45.orig/mysql-test/r/view_grant.result	2007-07-04 09:49:09.000000000 -0400
++++ mysql-5.0.45/mysql-test/r/view_grant.result	2007-12-13 14:20:02.000000000 -0500
+@@ -776,15 +776,60 @@
+ GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost;
+ GRANT SELECT ON db26813.t1 TO u26813@localhost;
+ ALTER VIEW v1 AS SELECT f2 FROM t1;
+-ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1'
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ ALTER VIEW v2 AS SELECT f2 FROM t1;
+-ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2'
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ ALTER VIEW v3 AS SELECT f2 FROM t1;
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
+ SHOW CREATE VIEW v3;
+ View	Create View
+-v3	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1`
++v3	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1`
+ DROP USER u26813@localhost;
+ DROP DATABASE db26813;
++#
++# Bug#29908: A user can gain additional access through the ALTER VIEW.
++#
++CREATE DATABASE mysqltest_29908;
++USE mysqltest_29908;
++CREATE TABLE t1(f1 INT, f2 INT);
++CREATE USER u29908_1@localhost;
++CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
++CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
++SELECT f1 FROM t1;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
++CREATE USER u29908_2@localhost;
++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++ERROR 42000: Access denied; you need the SUPER privilege for this operation
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v1;
++View	Create View
++v1	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1`
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
++ALTER VIEW v1 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v1;
++View	Create View
++v1	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1`
++ALTER VIEW v2 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v2;
++View	Create View
++v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
++DROP USER u29908_1@localhost;
++DROP USER u29908_2@localhost;
++DROP DATABASE mysqltest_29908;
++#######################################################################
+ DROP DATABASE IF EXISTS mysqltest1;
+ DROP DATABASE IF EXISTS mysqltest2;
+ CREATE DATABASE mysqltest1;
+diff -Naur mysql-5.0.45.orig/mysql-test/t/view_grant.test mysql-5.0.45/mysql-test/t/view_grant.test
+--- mysql-5.0.45.orig/mysql-test/t/view_grant.test	2007-07-04 09:49:09.000000000 -0400
++++ mysql-5.0.45/mysql-test/t/view_grant.test	2007-12-13 14:19:43.000000000 -0500
+@@ -1034,10 +1034,11 @@
+ 
+ connect (u1,localhost,u26813,,db26813);
+ connection u1;
+---error 1142
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v1 AS SELECT f2 FROM t1;
+---error 1142
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v2 AS SELECT f2 FROM t1;
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ ALTER VIEW v3 AS SELECT f2 FROM t1;
+ 
+ connection root;
+@@ -1047,6 +1048,51 @@
+ DROP DATABASE db26813;
+ disconnect u1;
+ 
++--echo #
++--echo # Bug#29908: A user can gain additional access through the ALTER VIEW.
++--echo #
++connection root;
++CREATE DATABASE mysqltest_29908;
++USE mysqltest_29908;
++CREATE TABLE t1(f1 INT, f2 INT);
++CREATE USER u29908_1@localhost;
++CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
++CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
++  SELECT f1 FROM t1;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
++CREATE USER u29908_2@localhost;
++GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
++GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
++GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
++
++connect (u2,localhost,u29908_2,,mysqltest_29908);
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++--error ER_SPECIFIC_ACCESS_DENIED_ERROR
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++
++connect (u1,localhost,u29908_1,,mysqltest_29908);
++ALTER VIEW v1 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v1;
++ALTER VIEW v2 AS SELECT f2 FROM t1;
++SHOW CREATE VIEW v2;
++
++connection root;
++ALTER VIEW v1 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v1;
++ALTER VIEW v2 AS SELECT f1 FROM t1;
++SHOW CREATE VIEW v2;
++
++DROP USER u29908_1@localhost;
++DROP USER u29908_2@localhost;
++DROP DATABASE mysqltest_29908;
++disconnect u1;
++disconnect u2;
++--echo #######################################################################
++
+ #
+ # BUG#24040: Create View don't succed with "all privileges" on a database.
+ #
+diff -Naur mysql-5.0.45.orig/sql/sql_view.cc mysql-5.0.45/sql/sql_view.cc
+--- mysql-5.0.45.orig/sql/sql_view.cc	2007-07-04 09:06:03.000000000 -0400
++++ mysql-5.0.45/sql/sql_view.cc	2007-12-13 13:30:29.000000000 -0500
+@@ -224,9 +224,6 @@
+ {
+   LEX *lex= thd->lex;
+   bool link_to_local;
+-#ifndef NO_EMBEDDED_ACCESS_CHECKS
+-  bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
+-#endif
+   /* first table in list is target VIEW name => cut off it */
+   TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
+   TABLE_LIST *tables= lex->query_tables;
+@@ -281,7 +278,7 @@
+       - same as current user
+       - current user has SUPER_ACL
+   */
+-  if (definer_check_is_needed &&
++  if (lex->definer &&
+       (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
+        my_strcasecmp(system_charset_info,
+                      lex->definer->host.str,

mysql.spec

@@ -1,6 +1,6 @@
 Name: mysql
 Version: 5.0.45
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: MySQL client programs and shared libraries
 Group: Applications/Databases
 URL: http://www.mysql.com
@@ -28,6 +28,9 @@ Patch7: mysql-rpl-test.patch
 Patch8: mysql-install-test.patch
 Patch9: mysql-bdb-link.patch
 Patch10: mysql-bdb-open.patch
+Patch11: mysql-innodb-crash.patch
+Patch12: mysql-rename-bug.patch
+Patch13: mysql-view-bug.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: gperf, perl, readline-devel, openssl-devel
@@ -133,6 +136,9 @@ the MySQL sources.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 
 libtoolize --force
 aclocal
@@ -474,6 +480,10 @@ fi
 %{_mandir}/man1/mysql_client_test.1*
 
 %changelog
+* Thu Dec 13 2007 Tom Lane <tgl@redhat.com> 5.0.45-6
+- Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303.
+Related: #422211
+
 * Wed Dec  5 2007 Tom Lane <tgl@redhat.com> 5.0.45-5
 - Rebuild for new openssl