From e98ad40f7f7069cf5e3430723ea8bcee9291d3a0 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 28 Jan 2010 20:26:30 +0000
Subject: [PATCH] Add backported patch for CVE-2008-7247 (upstream bug 39277)

---
 mysql-cve-2008-7247.patch | 58 +++++++++++++++++++++++++++++++++++++++
 mysql.spec | 8 +++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 mysql-cve-2008-7247.patch

diff --git a/mysql-cve-2008-7247.patch b/mysql-cve-2008-7247.patch
new file mode 100644
index 0000000..acd460f
--- /dev/null
+++ b/mysql-cve-2008-7247.patch
@@ -0,0 +1,58 @@
+Back-ported patch for upstream bug #39277.
+
+
+diff -Naur mysql-5.1.42.orig/sql/sql_table.cc mysql-5.1.42/sql/sql_table.cc
+--- mysql-5.1.42.orig/sql/sql_table.cc 2009-12-16 12:57:30.000000000 -0500
++++ mysql-5.1.42/sql/sql_table.cc 2010-01-28 14:33:52.000000000 -0500
+@@ -3892,15 +3892,43 @@
+ create_info->table_existed= 0; // Mark that table is created
+ 
+ #ifdef HAVE_READLINK
+- if (test_if_data_home_dir(create_info->data_file_name))
+ {
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
+- goto unlock_and_end;
+- }
+- if (test_if_data_home_dir(create_info->index_file_name))
+- {
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
+- goto unlock_and_end;
++ size_t dirlen;
++ char dirpath[FN_REFLEN];
++
++ /*
++ data_file_name and index_file_name include the table name without
++ extension. Mostly this does not refer to an existing file. When
++ comparing data_file_name or index_file_name against the data
++ directory, we try to resolve all symbolic links. On some systems,
++ we use realpath(3) for the resolution. This returns ENOENT if the
++ resolved path does not refer to an existing file. my_realpath()
++ does then copy the requested path verbatim, without symlink
++ resolution. Thereafter the comparison can fail even if the
++ requested path is within the data directory. E.g. if symlinks to
++ another file system are used. To make realpath(3) return the
++ resolved path, we strip the table name and compare the directory
++ path only. If the directory doesn't exist either, table creation
++ will fail anyway.
++ */
++ if (create_info->data_file_name)
++ {
++ dirname_part(dirpath, create_info->data_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
++ if (create_info->index_file_name)
++ {
++ dirname_part(dirpath, create_info->index_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
+ }
+ 
+ #ifdef WITH_PARTITION_STORAGE_ENGINE
diff --git a/mysql.spec b/mysql.spec
index a390a5f..328fd8c 100644
--- a/mysql.spec
+++ b/mysql.spec
@@ -1,6 +1,6 @@
 Name: mysql
 Version: 5.1.42
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: MySQL client programs and shared libraries
 Group: Applications/Databases
 URL: http://www.mysql.com
@@ -37,6 +37,7 @@ Patch8: mysql-setschedparam.patch
 Patch9: mysql-ndb-stacksize.patch
 Patch10: mysql-strmov.patch
 Patch11: mysql-signal-align.patch
+Patch12: mysql-cve-2008-7247.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
 BuildRequires: gperf, perl, readline-devel, openssl-devel
@@ -181,6 +182,7 @@ the MySQL sources.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 libtoolize --force
 aclocal
@@ -666,6 +668,10 @@ fi
 %{_mandir}/man1/mysql_client_test.1*
 
 %changelog
+* Thu Jan 28 2010 Tom Lane 5.1.42-7
+- Add backported patch for CVE-2008-7247 (upstream bug 39277)
+Related: #543619
+
 * Tue Jan 26 2010 Tom Lane 5.1.42-6
- Emit explicit error message if user tries to build RPM as root
 Related: #558915
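Review bot: In the backported sql_table.cc hunk inside mysql-cve-2008-7247.patch, `dirlen` is filled by both `dirname_part` calls but never read, so a reader may suspect a length check on `dirpath` was intended and dropped during the backport; a one-line comment at the declaration, `/* dirlen: out-parameter required by dirname_part(); only dirpath is used */`, would remove that doubt. The long comment explains why only the directory part is compared, but it does not say that the DATA DIRECTORY and INDEX DIRECTORY checks are now skipped entirely when the corresponding name is NULL, whereas the removed code passed the NULL straight to `test_if_data_home_dir`; if that function treats NULL as "in the data directory" (I cannot tell from this hunk) the new guards change behaviour only in the safe direction, but it is worth stating in the comment. The two guarded blocks differ only in the field and the error string, so a small static helper taking the path and the option name would halve the duplication, though staying textually close to upstream is a reasonable choice for a backport. The enclosing function starts and ends outside the hunk.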