Package: mysql-server-5.0 Version: 5.0.32-7etch5 Severity: important Tags: patch
The attached patch went into MySQL upstream in version 5.0.36. Without the patch, the MySQL parser will interpret a null character in the SQL input stream as a space, and so read past the end of the string. I haven't analysed the code to see if this mistake can happen inside of quoted strings in the SQL input stream, or not. Although the server I'm working on does not crash (the SQL statement simply does not parse correctly, and the SQL operation fails) - there are reports in: http://bugs.mysql.com/bug.php?id=25653 of a crash being caused, the crash appears to occur in the MySQL server. I would assume that a local user with access to the database could cause a DoS by exploiting this flaw, but it may be possible for remote users to inject data into web forms etc. to trigger the same crash. AFAIK, there is no CVE number for this flaw, and I have not analysed the code to see if more serious compromises are possible. Patch also cleans up .rej file from the current Etch package. diff -Naur stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list --- stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list 2008-04-01 08:30:03.000000000 +0100 +++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list 2008-03-31 21:04:40.000000000 +0100 @@ -28,3 +28,4 @@ 95_SECURITY_CVE-2007-5969.dpatch 95_SECURITY_CVE-2007-6304.dpatch 96_SECURITY_CVE-2008-0226+0227.dpatch +97_InnoDB_parserbug.dpatch diff -Naur stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch --- stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch 2008-03-31 21:04:34.000000000 +0100 @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 97_InnoDB_parserbug.dpatch by <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix bug in InnoDB parser as per 97_InnoDB_parserbug.dpatch + [EMAIL PROTECTED]@ + +--- a/innobase/dict/dict0dict.c 2006-12-20 11:14:48.000000000 +0000 ++++ b/innobase/dict/dict0dict.c 2008-01-11 14:43:37.000000000 +0000 +@@ -28,7 +28,7 @@ + #include "rem0cmp.h" + + /* Implement isspace() in a locale-independent way. (Bug #24299) */ +-#define ib_isspace(c) strchr(" \v\f\t\r\n", c) ++#define ib_isspace(c) ((char) (c) && strchr(" \v\f\t\r\n", c)) + + dict_sys_t* dict_sys = NULL; /* the dictionary system */ + --- stock/mysql-dfsg-5.0-5.0.32/debian/changelog 2008-04-01 08:30:03.000000000 +0100 +++ i386/mysql-dfsg-5.0-5.0.32/debian/changelog 2008-04-01 08:32:49.000000000 +0100 @@ -1,3 +1,9 @@ +mysql-dfsg-5.0 (5.0.32-7etch5bright) stable-proposed-updates; urgency=low + + * Fix upstream bug http://bugs.mysql.com/bug.php?id=25596 + + -- Tim Small <[EMAIL PROTECTED]> Fri, 28 Mar 2008 20:03:42 +0000 + mysql-dfsg-5.0 (5.0.32-7etch5) stable-security; urgency=high * SECURITY: --- mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch 2008-03-28 19:41:37.000000000 +0000 +++ mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch 2008-03-31 18:12:57.000000000 +0100 @@ -170,27 +170,6 @@ error= FALSE; err: -diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej ---- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej 1970-01-01 01:00:00.000000000 +0100 -+++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej 2007-12-22 20:15:32.790866404 +0100 -@@ -0,0 +1,17 @@ -+*************** -+*** 3061,3067 **** -+ else -+ { -+ /* regular create */ -+- if (lex->name) -+ res= mysql_create_like_table(thd, create_table, &create_info, -+ (Table_ident *)lex->name); -+ else -+--- 3062,3068 ---- -+ else -+ { -+ /* regular create */ -++ if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE) -+ res= mysql_create_like_table(thd, create_table, &create_info, -+ (Table_ident *)lex->name); -+ else diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy --- mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy 2006-12-20 12:14:38.000000000 +0100 +++ mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy 2007-12-22 20:15:32.790866404 +0100 -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.24-1-amd64 Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) Versions of packages mysql-server-5.0 depends on: ii adduser 3.102 Add and remove users and groups ii debconf [debconf-2.0 1.5.11etch1 Debian configuration management sy ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries ii libdbi-perl 1.53-1etch1 Perl5 database interface by Tim Bu ii libgcc1 1:4.1.1-21 GCC support library ii libmysqlclient15off 5.0.32-7etch5 mysql database client library ii libncurses5 5.5-5 Shared libraries for terminal hand ii libreadline5 5.2-2 GNU readline and history libraries ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3 ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra ii lsb-base 3.1-23.2etch1 Linux Standard Base 3.1 init scrip ii mysql-client-5.0 5.0.32-7etch5 mysql database client binaries ii mysql-common 5.0.32-7etch5 mysql database common files (e.g. ii passwd 1:4.0.18.1-7 change and administer password and ii perl 5.8.8-7etch1 Larry Wall's Practical Extraction ii psmisc 22.3-1 Utilities that use the proc filesy ii zlib1g 1:1.2.3-13 compression library - runtime Versions of packages mysql-server-5.0 recommends: ii mailx 1:8.1.2-0.20050715cvs-1 A simple mail user agent -- debconf information excluded -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

