OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael van Elst
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 16-Dec-2002 08:22:07
Branch: OPENPKG_1_1_SOLID Handle: 2002121607220600
Added files: (Branch: OPENPKG_1_1_SOLID)
openpkg-src/mysql mysql-sec.patch
Modified files: (Branch: OPENPKG_1_1_SOLID)
openpkg-src/mysql mysql.spec
Log:
fix for http://security.e-matters.de/advisories/042002.html
Summary:
Revision Changes Path
1.1.2.1 +178 -0 openpkg-src/mysql/mysql-sec.patch
1.33.2.2 +3 -1 openpkg-src/mysql/mysql.spec
____________________________________________________________________________
Index: openpkg-src/mysql/mysql-sec.patch
============================================================
$ cvs update -p -r1.1.2.1 mysql-sec.patch
diff -r -u mysql-3.23.53/libmysql/libmysql.c mysql-3.23.54/libmysql/libmysql.c
--- mysql-3.23.53/libmysql/libmysql.c Thu Oct 10 12:17:31 2002
+++ mysql-3.23.54/libmysql/libmysql.c Thu Dec 5 10:37:06 2002
@@ -307,7 +307,7 @@
DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d",
vio_description(net->vio),len));
end_server(mysql);
- net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
+ net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
CR_NET_PACKET_TOO_LARGE:
CR_SERVER_LOST);
strmov(net->last_error,ER(net->last_errno));
@@ -891,7 +891,7 @@
uint field,pkt_len;
ulong len;
uchar *cp;
- char *to;
+ char *to, *end_to;
MYSQL_DATA *result;
MYSQL_ROWS **prev_ptr,*cur;
NET *net = &mysql->net;
@@ -929,6 +929,7 @@
*prev_ptr=cur;
prev_ptr= &cur->next;
to= (char*) (cur->data+fields+1);
+ end_to=to+pkt_len-1;
for (field=0 ; field < fields ; field++)
{
if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
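Review bot: Only the destination pointer gets an end marker here (`end_to`); the source pointer `cp` is still advanced by `net_field_length(&cp)` and by `cp+=len` in the next hunk without being compared to the end of the received packet. A declared length that fits the row buffer can therefore still make the `memcpy` read past the packet data, and the length prefix is presumably read unbounded as well. Tracking a packet end for `cp`, as the later hunk does with `end_pos` for `pos`, and rejecting `len > (ulong) (end_cp - cp)` (with `end_cp` a new local) would bound the read side. The same applies to the libmysql_r/libmysql.c copy of this hunk. Where `cp` is initialised and how the row buffer is sized lies outside the hunk, so confirm both there.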
@@ -938,6 +939,13 @@
else
{
cur->data[field] = to;
+ if (len > end_to - to)
+ {
+ free_rows(result);
+ net->last_errno=CR_UNKNOWN_ERROR;
+ strmov(net->last_error,ER(net->last_errno));
+ DBUG_RETURN(0);
+ }
memcpy(to,(char*) cp,len); to[len]=0;
to+=len+1;
cp+=len;
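Review bot: The new guard `if (len > end_to - to)` compares an unsigned `ulong` with a signed pointer difference, so a negative difference is converted to a very large unsigned value and the test cannot fire. That state looks reachable in this loop: when a field fills the buffer exactly, `to+=len+1` leaves `to` at `end_to + 1`, and a further non-NULL field would pass the check. Writing it as `if (to > end_to || len > (ulong) (end_to - to))` keeps the bound effective. The `len > end_pos - pos` test in the `@@ -989,6 +998,12 @@` hunk has the same mixed-sign comparison and may need `pos > end_pos ||` in front of it, and both checks recur in libmysql_r/libmysql.c. The enclosing loop starts and ends outside this hunk.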
@@ -972,7 +980,7 @@
{
uint field;
ulong pkt_len,len;
- uchar *pos,*prev_pos;
+ uchar *pos,*prev_pos, *end_pos;
if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
return -1;
@@ -980,6 +988,7 @@
return 1; /* End of data */
prev_pos= 0; /* allowed to write at packet[-1] */
pos=mysql->net.read_pos;
+ end_pos=pos+pkt_len;
for (field=0 ; field < fields ; field++)
{
if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
@@ -989,6 +998,12 @@
}
else
{
+ if (len > end_pos - pos)
+ {
+ mysql->net.last_errno=CR_UNKNOWN_ERROR;
+ strmov(mysql->net.last_error,ER(mysql->net.last_errno));
+ return -1;
+ }
row[field] = (char*) pos;
pos+=len;
*lengths++=len;
diff -r -u mysql-3.23.53/libmysql_r/libmysql.c mysql-3.23.54/libmysql_r/libmysql.c
--- mysql-3.23.53/libmysql_r/libmysql.c Thu Oct 10 12:17:31 2002
+++ mysql-3.23.54/libmysql_r/libmysql.c Thu Dec 5 10:37:06 2002
@@ -307,7 +307,7 @@
DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d",
vio_description(net->vio),len));
end_server(mysql);
- net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
+ net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
CR_NET_PACKET_TOO_LARGE:
CR_SERVER_LOST);
strmov(net->last_error,ER(net->last_errno));
@@ -891,7 +891,7 @@
uint field,pkt_len;
ulong len;
uchar *cp;
- char *to;
+ char *to, *end_to;
MYSQL_DATA *result;
MYSQL_ROWS **prev_ptr,*cur;
NET *net = &mysql->net;
@@ -929,6 +929,7 @@
*prev_ptr=cur;
prev_ptr= &cur->next;
to= (char*) (cur->data+fields+1);
+ end_to=to+pkt_len-1;
for (field=0 ; field < fields ; field++)
{
if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
@@ -938,6 +939,13 @@
else
{
cur->data[field] = to;
+ if (len > end_to - to)
+ {
+ free_rows(result);
+ net->last_errno=CR_UNKNOWN_ERROR;
+ strmov(net->last_error,ER(net->last_errno));
+ DBUG_RETURN(0);
+ }
memcpy(to,(char*) cp,len); to[len]=0;
to+=len+1;
cp+=len;
@@ -972,7 +980,7 @@
{
uint field;
ulong pkt_len,len;
- uchar *pos,*prev_pos;
+ uchar *pos,*prev_pos, *end_pos;
if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
return -1;
@@ -980,6 +988,7 @@
return 1; /* End of data */
prev_pos= 0; /* allowed to write at packet[-1] */
pos=mysql->net.read_pos;
+ end_pos=pos+pkt_len;
for (field=0 ; field < fields ; field++)
{
if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
@@ -989,6 +998,12 @@
}
else
{
+ if (len > end_pos - pos)
+ {
+ mysql->net.last_errno=CR_UNKNOWN_ERROR;
+ strmov(mysql->net.last_error,ER(mysql->net.last_errno));
+ return -1;
+ }
row[field] = (char*) pos;
pos+=len;
*lengths++=len;
diff -r -u mysql-3.23.53/sql/sql_parse.cc mysql-3.23.54/sql/sql_parse.cc
--- mysql-3.23.53/sql/sql_parse.cc Thu Oct 10 12:17:26 2002
+++ mysql-3.23.54/sql/sql_parse.cc Thu Dec 5 10:37:04 2002
@@ -109,6 +109,8 @@
NET *net= &thd->net;
thd->db=0;
+ if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+ return 1;
if (!(thd->user = my_strdup(user, MYF(0))))
{
send_error(net,ER_OUT_OF_RESOURCES);
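Review bot: The added length check returns 1 without calling `send_error`, while the allocation failure directly below reports `ER_OUT_OF_RESOURCES` to the client and the check removed from the handshake code returned `ER_HANDSHAKE_ERROR`. Unless every caller reports the failure itself (not visible here), a malformed scramble is now rejected with nothing sent to the client and nothing shown to be logged. A short comment such as `/* scramble must be empty or exactly SCRAMBLE_LENGTH bytes; presumably checked here so all callers are covered */` would also record why the test moved. The function body starts and ends outside the hunk.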
@@ -458,8 +460,6 @@
char *user= (char*) net->read_pos+5;
char *passwd= strend(user)+1;
char *db=0;
- if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
- return ER_HANDSHAKE_ERROR;
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
db=strend(passwd)+1;
if (thd->client_capabilities & CLIENT_INTERACTIVE)
@@ -768,8 +768,8 @@
thread_safe_increment(com_other,&LOCK_thread_count);
slow_command = TRUE;
char* data = packet + 1;
- uint db_len = *data;
- uint tbl_len = *(data + db_len + 1);
+ uint db_len = *(uchar *)data;
+ uint tbl_len = *(uchar *)(data + db_len + 1);
char* db = sql_alloc(db_len + tbl_len + 2);
memcpy(db, data + 1, db_len);
char* tbl_name = db + db_len;
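Review bot: The casts to `uchar` stop the length bytes from being sign-extended, but `db_len` and `tbl_len` are still taken from the packet and used without being checked against the number of bytes actually received. `*(uchar *)(data + db_len + 1)` and `memcpy(db, data + 1, db_len)` can therefore read beyond the command packet when the declared lengths exceed it. A guard comparing `db_len + tbl_len + 2` with the packet length before these reads would bound them; the packet length variable is not visible in this hunk. The result of `sql_alloc` is also passed to `memcpy` without a NULL check. The enclosing case continues outside the hunk.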
Index: openpkg-src/mysql/mysql.spec
============================================================
$ cvs diff -u -r1.33.2.1 -r1.33.2.2 mysql.spec
--- openpkg-src/mysql/mysql.spec 26 Aug 2002 19:54:19 -0000 1.33.2.1
+++ openpkg-src/mysql/mysql.spec 16 Dec 2002 07:22:06 -0000 1.33.2.2
@@ -46,13 +46,14 @@
Group: Database
License: GPL
Version: 3.23.52
-Release: 1.1.0
+Release: 1.1.1
# list of sources
Source0:
http://sunsite.informatik.rwth-aachen.de/mysql/Downloads/MySQL-3.23/mysql-%{version}.tar.gz
Source1: my.cnf
Source2: rc.mysql
Patch0: mysql.patch
+Patch1: mysql-sec.patch
# build information
Prefix: %{l_prefix}
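Review bot: `Patch1: mysql-sec.patch` is a diff between mysql-3.23.53 and mysql-3.23.54, but this spec still builds `Version: 3.23.52`, so the hunks are applied to a tree they were not generated against. It is worth confirming from a build log that every hunk of both libmysql.c copies and of sql_parse.cc lands in the intended function rather than at a fuzzed offset. A comment beside the new line, for example `# backport of the 3.23.54 security fixes (security.e-matters.de advisory 042002)`, would record what the patch is for. Any other changes made between 3.23.52 and 3.23.54 are not covered by this patch.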
@@ -78,6 +79,7 @@
%prep
%setup -q
%patch0 -p1
+ %patch1 -p1
%build
# determine additional configure options