Package: mysql-server-5.0
Version: 5.0.32-7etch5
Severity: important
Tags: patch


The attached patch went into MySQL upstream in version 5.0.36.  Without the
patch, the MySQL parser will interpret a null character in the SQL input
stream as a space, and so read past the end of the string.  I haven't
analysed the code to see if this mistake can happen inside of quoted
strings in the SQL input stream, or not.

Although the server I'm working on does not crash (the SQL statement
simply does not parse correctly, and the SQL operation fails) - there
are reports in:

http://bugs.mysql.com/bug.php?id=25653

of a crash being caused, the crash appears to occur in the MySQL
server.  I would assume that a local user with access to the database
could cause a DoS by exploiting this flaw, but it may be possible for
remote users to inject data into web forms etc. to trigger the same
crash.  AFAIK, there is no CVE number for this flaw, and I have not
analysed the code to see if more serious compromises are possible.

Patch also cleans up .rej file from the current Etch package.

diff -Naur stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list 
i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list
--- stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list   2008-04-01 
08:30:03.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list    2008-03-31 
21:04:40.000000000 +0100
@@ -28,3 +28,4 @@
 95_SECURITY_CVE-2007-5969.dpatch
 95_SECURITY_CVE-2007-6304.dpatch
 96_SECURITY_CVE-2008-0226+0227.dpatch
+97_InnoDB_parserbug.dpatch
diff -Naur 
stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch 
i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch
--- stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch       
1970-01-01 01:00:00.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch        
2008-03-31 21:04:34.000000000 +0100
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 97_InnoDB_parserbug.dpatch by  <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix bug in InnoDB parser as per 97_InnoDB_parserbug.dpatch
+
[EMAIL PROTECTED]@
+
+--- a/innobase/dict/dict0dict.c        2006-12-20 11:14:48.000000000 +0000
++++ b/innobase/dict/dict0dict.c        2008-01-11 14:43:37.000000000 +0000
+@@ -28,7 +28,7 @@
+ #include "rem0cmp.h"
+ 
+ /* Implement isspace() in a locale-independent way. (Bug #24299) */
+-#define ib_isspace(c) strchr(" \v\f\t\r\n", c)
++#define ib_isspace(c) ((char) (c) && strchr(" \v\f\t\r\n", c))
+ 
+ dict_sys_t*   dict_sys        = NULL; /* the dictionary system */
+ 
--- stock/mysql-dfsg-5.0-5.0.32/debian/changelog        2008-04-01 
08:30:03.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/changelog 2008-04-01 08:32:49.000000000 
+0100
@@ -1,3 +1,9 @@
+mysql-dfsg-5.0 (5.0.32-7etch5bright) stable-proposed-updates; urgency=low
+
+  * Fix upstream bug http://bugs.mysql.com/bug.php?id=25596
+
+ -- Tim Small <[EMAIL PROTECTED]>  Fri, 28 Mar 2008 20:03:42 +0000
+
 mysql-dfsg-5.0 (5.0.32-7etch5) stable-security; urgency=high
 
   * SECURITY:

--- mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch       
2008-03-28 19:41:37.000000000 +0000
+++ mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch       
2008-03-31 18:12:57.000000000 +0100
@@ -170,27 +170,6 @@
    error= FALSE;
  
  err:
-diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej 
mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej
---- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej    1970-01-01 
01:00:00.000000000 +0100
-+++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej 2007-12-22 20:15:32.790866404 
+0100
-@@ -0,0 +1,17 @@
-+***************
-+*** 3061,3067 ****
-+      else
-+      {
-+        /* regular create */
-+-       if (lex->name)
-+          res= mysql_create_like_table(thd, create_table, &create_info,
-+                                       (Table_ident *)lex->name);
-+        else
-+--- 3062,3068 ----
-+      else
-+      {
-+        /* regular create */
-++       if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
-+          res= mysql_create_like_table(thd, create_table, &create_info,
-+                                       (Table_ident *)lex->name);
-+        else
 diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy 
mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy
 --- mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy 2006-12-20 12:14:38.000000000 
+0100
 +++ mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy      2007-12-22 20:15:32.790866404 
+0100



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-1-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages mysql-server-5.0 depends on:
ii  adduser              3.102               Add and remove users and groups
ii  debconf [debconf-2.0 1.5.11etch1         Debian configuration management sy
ii  libc6                2.3.6.ds1-13etch5   GNU C Library: Shared libraries
ii  libdbi-perl          1.53-1etch1         Perl5 database interface by Tim Bu
ii  libgcc1              1:4.1.1-21          GCC support library
ii  libmysqlclient15off  5.0.32-7etch5       mysql database client library
ii  libncurses5          5.5-5               Shared libraries for terminal hand
ii  libreadline5         5.2-2               GNU readline and history libraries
ii  libstdc++6           4.1.1-21            The GNU Standard C++ Library v3
ii  libwrap0             7.6.dbs-13          Wietse Venema's TCP wrappers libra
ii  lsb-base             3.1-23.2etch1       Linux Standard Base 3.1 init scrip
ii  mysql-client-5.0     5.0.32-7etch5       mysql database client binaries
ii  mysql-common         5.0.32-7etch5       mysql database common files (e.g. 
ii  passwd               1:4.0.18.1-7        change and administer password and
ii  perl                 5.8.8-7etch1        Larry Wall's Practical Extraction 
ii  psmisc               22.3-1              Utilities that use the proc filesy
ii  zlib1g               1:1.2.3-13          compression library - runtime

Versions of packages mysql-server-5.0 recommends:
ii  mailx            1:8.1.2-0.20050715cvs-1 A simple mail user agent

-- debconf information excluded



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to