Add backported patch for CVE-2008-7247 (upstream bug 39277)

Tom Lane 2010-01-28 20:26:30 +00:00 committed by Michal Schorm
parent 56e52fefef
commit e98ad40f7f
2 changed files with 65 additions and 1 deletions

58
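--- a/mysql-cve-2008-7247.patch
+++ b/mysql-cve-2008-7247.patch
@@ -0,0 +1,58 @@
+Back-ported patch for upstream bug #39277.
+diff -Naur mysql-5.1.42.orig/sql/sql_table.cc mysql-5.1.42/sql/sql_table.cc
+--- mysql-5.1.42.orig/sql/sql_table.cc 2009-12-16 12:57:30.000000000 -0500
++++ mysql-5.1.42/sql/sql_table.cc 2010-01-28 14:33:52.000000000 -0500
+@@ -3892,15 +3892,43 @@
+create_info->table_existed= 0; // Mark that table is created
+#ifdef HAVE_READLINK
+- if (test_if_data_home_dir(create_info->data_file_name))
+{
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
+- goto unlock_and_end;
+- }
+- if (test_if_data_home_dir(create_info->index_file_name))
+- {
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
+- goto unlock_and_end;
++ size_t dirlen;
++ char dirpath[FN_REFLEN];
++
++ /*
++ data_file_name and index_file_name include the table name without
++ extension. Mostly this does not refer to an existing file. When
++ comparing data_file_name or index_file_name against the data
++ directory, we try to resolve all symbolic links. On some systems,
++ we use realpath(3) for the resolution. This returns ENOENT if the
++ resolved path does not refer to an existing file. my_realpath()
++ does then copy the requested path verbatim, without symlink
++ resolution. Thereafter the comparison can fail even if the
++ requested path is within the data directory. E.g. if symlinks to
++ another file system are used. To make realpath(3) return the
++ resolved path, we strip the table name and compare the directory
++ path only. If the directory doesn't exist either, table creation
++ will fail anyway.
++ */
++ if (create_info->data_file_name)
++ {
++ dirname_part(dirpath, create_info->data_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
++ if (create_info->index_file_name)
++ {
++ dirname_part(dirpath, create_info->index_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
+}
+#ifdef WITH_PARTITION_STORAGE_ENGINE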
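Review bot: Both new `dirname_part(dirpath, ..., &dirlen)` calls in the `HAVE_READLINK` block copy a path taken from the CREATE TABLE statement into the fixed `char dirpath[FN_REFLEN]`, and nothing in the hunk shows that `data_file_name` / `index_file_name` are already limited to that length. If `dirname_part()` truncates, `test_if_data_home_dir()` would then judge a shortened directory rather than the one the table files will use, so the assumption should be written down above the declaration, e.g. `/* data_file_name and index_file_name are limited to FN_REFLEN before this point, so dirname_part() cannot truncate */`, or enforced with an explicit length check before each call. `dirlen` is filled by both calls but never read in the visible lines; a short comment saying it is only a required out-parameter would stop a later reader from looking for a use. The enclosing function starts and ends outside the hunk, so an earlier length check may exist there.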


@ -1,6 +1,6 @@
Name: mysql
Version: 5.1.42
Release: 6%{?dist}
Release: 7%{?dist}
Summary: MySQL client programs and shared libraries
Group: Applications/Databases
URL: http://www.mysql.com
@ -37,6 +37,7 @@ Patch8: mysql-setschedparam.patch
Patch9: mysql-ndb-stacksize.patch
Patch10: mysql-strmov.patch
Patch11: mysql-signal-align.patch
Patch12: mysql-cve-2008-7247.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gperf, perl, readline-devel, openssl-devel
@ -181,6 +182,7 @@ the MySQL sources.
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
libtoolize --force
aclocal
@ -666,6 +668,10 @@ fi
%{_mandir}/man1/mysql_client_test.1*
%changelog
* Thu Jan 28 2010 Tom Lane <tgl@redhat.com> 5.1.42-7
- Add backported patch for CVE-2008-7247 (upstream bug 39277)
Related: #543619
* Tue Jan 26 2010 Tom Lane <tgl@redhat.com> 5.1.42-6
- Emit explicit error message if user tries to build RPM as root
Related: #558915