CVE-2008-2079


CVE-2008-2079

by Norbert Tretkowski-3 :: Rate this Message:


Hi,

I wonder if there's a patch to fix CVE-2008-2079 in 5.0.51? The patch
used in #32167 does not apply on 5.0.51.

        Norbert


--
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers
To unsubscribe:    http://lists.mysql.com/packagers?unsub=lists@...


Re: CVE-2008-2079

by Sergei Golubchik :: Rate this Message:


Hi!

On Jun 05, Norbert Tretkowski wrote:
> Hi,
>
> I wonder if there's a patch to fix CVE-2008-2079 in 5.0.51? The patch
> used in #32167 does not apply on 5.0.51.

Just to make sure, do you mean this patch
http://lists.mysql.com/commits/43206
does not apply on 5.0 ?
 
Regards / Mit vielen Grüssen,
Sergei

--
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@...>
 / /|_/ / // /\ \/ /_/ / /__  Principal Software Engineer/Server Architect
/_/  /_/\_, /___/\___\_\___/  Sun Microsystems GmbH, HRB München 161028
       <___/                  Sonnenallee 1, 85551 Kirchheim-Heimstetten
Geschäftsführer: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Vorsitzender des Aufsichtsrates: Martin Häring

--
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers
To unsubscribe:    http://lists.mysql.com/packagers?unsub=lists@...


Re: CVE-2008-2079

by Norbert Tretkowski-3 :: Rate this Message:


Hi Sergei,

Am Donnerstag, den 05.06.2008, 10:33 +0200 schrieb Sergei Golubchik:
> On Jun 05, Norbert Tretkowski wrote:
> > I wonder if there's a patch to fix CVE-2008-2079 in 5.0.51? The patch
> > used in #32167 does not apply on 5.0.51.
>
> Just to make sure, do you mean this patch
> http://lists.mysql.com/commits/43206
> does not apply on 5.0 ?

that patch fails to apply on 5.0.51b (I haven't tested it with newer
versions).

        Norbert


--
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers
To unsubscribe:    http://lists.mysql.com/packagers?unsub=lists@...


Re: CVE-2008-2079

by Michal Marek :: Rate this Message:


Norbert Tretkowski wrote:
> I wonder if there's a patch to fix CVE-2008-2079 in 5.0.51? The patch
> used in #32167 does not apply on 5.0.51.

This is the patch we have in openSUSE 11.0's mysql-5.0.51.

Michal

From:
http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d674xBscPm_ztIMnZI3dj2r7IQ
http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d8f2Z15kczRJRewvyFNHM6lheA
http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7e6a0CyEvUOiqbdlN1JWAu7pcsA
http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c80109fGl7Wudvu2CM0pXMSbzYNg
http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47cbdacaZc2nF4NS9WyTkT_6nTPp_Q
---
 mysql-test/r/symlink.result |   77 ++++++++++++++++----------------
 mysql-test/t/symlink.test   |  104 ++++++++++++++++++++++++--------------------
 sql/mysql_priv.h            |    1
 sql/mysqld.cc               |    8 ++-
 sql/sql_parse.cc            |   60 +++++++++++++++++++++++++
 5 files changed, 163 insertions(+), 87 deletions(-)

--- mysql-test/r/symlink.result.orig
+++ mysql-test/r/symlink.result
@@ -100,23 +100,15 @@ t1 CREATE TABLE `t1` (
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 drop table t1;
 CREATE TABLE t1(a INT)
-DATA DIRECTORY='TEST_DIR/master-data/mysql'
-INDEX DIRECTORY='TEST_DIR/master-data/mysql';
-RENAME TABLE t1 TO user;
-ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
-DROP TABLE t1;
-show create table t1;
-Table Create Table
-t1 CREATE TABLE `t1` (
-  `i` int(11) default NULL
-) ENGINE=MyISAM DEFAULT CHARSET=latin1
-drop table t1;
-show create table t1;
-Table Create Table
-t1 CREATE TABLE `t1` (
-  `i` int(11) default NULL
-) ENGINE=MyISAM DEFAULT CHARSET=latin1
-drop table t1;
+DATA DIRECTORY='TEST_DIR/tmp'
+INDEX DIRECTORY='TEST_DIR/tmp';
+ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17)
+CREATE TABLE t2(a INT)
+DATA DIRECTORY='TEST_DIR/tmp'
+INDEX DIRECTORY='TEST_DIR/tmp';
+RENAME TABLE t2 TO t1;
+ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17)
+DROP TABLE t2;
 show create table t1;
 Table Create Table
 t1 CREATE TEMPORARY TABLE `t1` (
@@ -138,27 +130,38 @@ select * from t1;
 a
 42
 drop table t1;
+execute stmt;
+show create table t1;
+Table Create Table
+t1 CREATE TABLE `t1` (
+  `c` char(10) default NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/'
+drop table t1;
+execute stmt;
+show create table t1;
+Table Create Table
+t1 CREATE TABLE `t1` (
+  `c` char(10) default NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/'
+drop table t1;
+deallocate prepare stmt;
+CREATE TABLE t1(a INT)
+DATA DIRECTORY='TEST_DIR/var/master-data/test';
+Got one of the listed errors
+CREATE TABLE t1(a INT)
+DATA DIRECTORY='TEST_DIR/var/master-data/';
+Got one of the listed errors
+CREATE TABLE t1(a INT)
+INDEX DIRECTORY='TEST_DIR/var/master-data';
+Got one of the listed errors
+CREATE TABLE t1(a INT)
+INDEX DIRECTORY='TEST_DIR/var/master-data_var';
+Got one of the listed errors
 End of 4.1 tests
-CREATE DATABASE db1;
-CREATE DATABASE db2;
-USE db2;
-INSERT INTO db2.t1 VALUES (1);
-SELECT * FROM db2.t1;
-b
-1
-RESET QUERY CACHE;
-USE db1;
 SET SESSION keep_files_on_create = TRUE;
 CREATE TABLE t1 (a INT) ENGINE MYISAM;
-ERROR HY000: Can't create/write to file './db1/t1.MYD' (Errcode: 17)
-CREATE TABLE t3 (a INT) Engine=MyISAM;
-INSERT INTO t3 VALUES (1),(2),(3);
-TRUNCATE TABLE t3;
-SELECT * from t3;
-a
-SET SESSION keep_files_on_create = DEFAULT;
-DROP TABLE db2.t1, db1.t3;
-DROP DATABASE db1;
-DROP DATABASE db2;
-USE test;
+ERROR HY000: Can't create/write to file './test/t1.MYD' (Errcode: 17)
+SET SESSION keep_files_on_create = FALSE;
+CREATE TABLE t1 (a INT) ENGINE MYISAM;
+DROP TABLE t1;
 End of 5.0 tests
--- mysql-test/t/symlink.test.orig
+++ mysql-test/t/symlink.test
@@ -127,29 +127,22 @@ drop table t1;
 #
 # BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
 #
+--write_file $MYSQLTEST_VARDIR/tmp/t1.MYI
+EOF
 --replace_result $MYSQLTEST_VARDIR TEST_DIR
+--error 1
 eval CREATE TABLE t1(a INT)
-DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
-INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
+DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp'
+INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp';
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+eval CREATE TABLE t2(a INT)
+DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp'
+INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp';
 --replace_result $MYSQLTEST_VARDIR TEST_DIR
 --error 1
-RENAME TABLE t1 TO user;
-DROP TABLE t1;
-
-#
-# Test specifying DATA DIRECTORY that is the same as what would normally
-# have been chosen. (Bug #8707)
-#
-disable_query_log;
-eval create table t1 (i int) data directory = "$MYSQLTEST_VARDIR/master-data/test/";
-enable_query_log;
-show create table t1;
-drop table t1;
-disable_query_log;
-eval create table t1 (i int) index directory = "$MYSQLTEST_VARDIR/master-data/test/";
-enable_query_log;
-show create table t1;
-drop table t1;
+RENAME TABLE t2 TO t1;
+DROP TABLE t2;
+--remove_file $MYSQLTEST_VARDIR/tmp/t1.MYI
 
 #
 # Bug#8706 - temporary table with data directory option fails
@@ -188,44 +181,61 @@ connection default;
 select * from t1;
 drop table t1;
 
---echo End of 4.1 tests
-
 #
-# Bug #29325: create table overwrites .MYD file of other table (datadir)
+# CREATE TABLE with DATA DIRECTORY option
 #
-
-CREATE DATABASE db1;
-CREATE DATABASE db2;
-
-USE db2;
+# Protect ourselves from data left in tmp/ by a previos possibly failed
+# test
+--system rm -f $MYSQLTEST_VARDIR/tmp/t1.*
 --disable_query_log
-eval CREATE TABLE t1 (b INT) ENGINE MYISAM
-DATA DIRECTORY = '$MYSQLTEST_VARDIR/master-data/db1/';
+eval prepare stmt from "create table t1 (c char(10)) data directory='$MYSQLTEST_VARDIR/tmp'";
 --enable_query_log
+execute stmt;
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+show create table t1;
+drop table t1;
+execute stmt;
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+show create table t1;
+drop table t1;
+deallocate prepare stmt;
 
-INSERT INTO db2.t1 VALUES (1);
-SELECT * FROM db2.t1;
-RESET QUERY CACHE;
+#
+# Bug#32167 another privilege bypass with DATA/INDEX DIRECORY
+#
+--replace_result $MYSQL_TEST_DIR TEST_DIR
+--error 1,1210
+eval CREATE TABLE t1(a INT)
+DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/test';
+--replace_result $MYSQL_TEST_DIR TEST_DIR
+--error 1,1210
+eval CREATE TABLE t1(a INT)
+DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/';
+--replace_result $MYSQL_TEST_DIR TEST_DIR
+--error 1,1210
+eval CREATE TABLE t1(a INT)
+INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data';
+--replace_result $MYSQL_TEST_DIR TEST_DIR
+--error 1,1210
+eval CREATE TABLE t1(a INT)
+INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data_var';
 
-USE db1;
+--echo End of 4.1 tests
 
-#no warning from create table
+#
+# Bug #29325: create table overwrites .MYD file of other table (datadir)
+#
 SET SESSION keep_files_on_create = TRUE;
+--write_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD
+EOF
 --disable_abort_on_error
+--error 1
 CREATE TABLE t1 (a INT) ENGINE MYISAM;
+--error 0,1
+--remove_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD;
 --enable_abort_on_error
-
-CREATE TABLE t3 (a INT) Engine=MyISAM;
-INSERT INTO t3 VALUES (1),(2),(3);
-TRUNCATE TABLE t3;
-SELECT * from t3;
-
-SET SESSION keep_files_on_create = DEFAULT;
-
-DROP TABLE db2.t1, db1.t3;
-DROP DATABASE db1;
-DROP DATABASE db2;
-USE test;
-
+SET SESSION keep_files_on_create = FALSE;
+CREATE TABLE t1 (a INT) ENGINE MYISAM;
+DROP TABLE t1;
 
 --echo End of 5.0 tests
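Review bot: None of the four Bug#32167 cases reaches the data directory through a symbolic link; each spells the path literally under `$MYSQL_TEST_DIR/var/master-data`, so the `MY_RESOLVE_SYMLINKS` handling this patch adds to the server is never exercised by the regression test. `--error 1,1210` also accepts a generic file-creation failure alongside the new rejection, so a case such as `master-data_var` (which presumably does not exist on disk) would pass whether or not the new check fires; where rejection is the expected outcome, `--error 1210` alone would pin it. A short comment above the `master-data_var` case should say whether rejecting a sibling directory that only shares the name prefix is intended. The comment `# Protect ourselves from data left in tmp/ by a previos possibly failed` should read "previous", and the trailing `;` on the `--remove_file ... t1.MYD;` line looks unintended.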
--- sql/mysql_priv.h.orig
+++ sql/mysql_priv.h
@@ -1255,6 +1255,7 @@ void my_dbopt_free(void);
 extern time_t server_start_time, flush_status_time;
 extern char *mysql_data_home,server_version[SERVER_VERSION_LENGTH],
     mysql_real_data_home[], *opt_mysql_tmpdir, mysql_charsets_dir[],
+    mysql_unpacked_real_data_home[],
             def_ft_boolean_syntax[sizeof(ft_boolean_syntax)];
 #define mysql_tmpdir (my_tmpdir(&mysql_tmpdir_list))
 extern MY_TMPDIR mysql_tmpdir_list;
--- sql/mysqld.cc.orig
+++ sql/mysqld.cc
@@ -453,14 +453,13 @@ char log_error_file[FN_REFLEN], glob_hos
 char mysql_real_data_home[FN_REFLEN],
      language[FN_REFLEN], reg_ext[FN_EXTLEN], mysql_charsets_dir[FN_REFLEN],
      *opt_init_file, *opt_tc_log_file,
+     mysql_unpacked_real_data_home[FN_REFLEN],
      def_ft_boolean_syntax[sizeof(ft_boolean_syntax)];
-
+char *mysql_data_home= mysql_real_data_home;
 const key_map key_map_empty(0);
 key_map key_map_full(0);                        // Will be initialized later
 
 const char *opt_date_time_formats[3];
-
-char *mysql_data_home= mysql_real_data_home;
 char server_version[SERVER_VERSION_LENGTH];
 char *mysqld_unix_port, *opt_mysql_tmpdir;
 const char **errmesg; /* Error messages */
@@ -7565,6 +7564,9 @@ static void fix_paths(void)
     pos[1]= 0;
   }
   convert_dirname(mysql_real_data_home,mysql_real_data_home,NullS);
+  (void) fn_format(buff, mysql_real_data_home, "", "",
+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
+  (void) unpack_dirname(mysql_unpacked_real_data_home, buff);
   convert_dirname(language,language,NullS);
   (void) my_load_path(mysql_home,mysql_home,""); // Resolve current dir
   (void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home);
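Review bot: The canonical copy in `mysql_unpacked_real_data_home` is derived before `(void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home);` two lines further down, so for a relative data directory the real-path resolution presumably happens against the process working directory rather than against `mysql_home`. Moving the two added statements after that `my_load_path` call would make the base used by the new DATA/INDEX DIRECTORY check agree with the path the server finally uses. Both results are cast to `(void)`, and nothing visible here handles a failed resolution, so the later prefix comparison may then run against an unresolved string. A comment such as `/* Symlink-resolved data home, compared against DATA/INDEX DIRECTORY in test_if_data_home_dir() */` would document why the second buffer exists. `fix_paths` starts and ends outside this hunk.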
--- sql/sql_parse.cc.orig
+++ sql/sql_parse.cc
@@ -76,6 +76,7 @@ static void remove_escape(char *name);
 static bool append_file_to_dir(THD *thd, const char **filename_ptr,
        const char *table_name);
 static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
+static bool test_if_data_home_dir(const char *dir);
 
 const char *any_db="*any*"; // Special symbol for check_access
 
@@ -3001,6 +3002,20 @@ mysql_execute_command(THD *thd)
                    "INDEX DIRECTORY option ignored");
     create_info.data_file_name= create_info.index_file_name= NULL;
 #else
+
+    if (test_if_data_home_dir(lex->create_info.data_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
+      res= -1;
+      break;
+    }
+    if (test_if_data_home_dir(lex->create_info.index_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
+      res= -1;
+      break;
+    }
+
     /* Fix names if symlinked tables */
     if (append_file_to_dir(thd, &create_info.data_file_name,
    create_table->table_name) ||
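Review bot: The two new `my_error` calls send misspelled option names to the client, `"DATA DIRECORY"` and `"INDEX DIRECORY"`; they should read `"DATA DIRECTORY"` and `"INDEX DIRECTORY"` so the `ER_WRONG_ARGUMENTS` text matches the SQL syntax an administrator will search logs for. The checks read `lex->create_info.data_file_name` while the surrounding lines operate on `create_info`; if that is a separate copy (its declaration is outside the hunk), testing `create_info.data_file_name` and `create_info.index_file_name` would guarantee the validated value is the one later handed to `append_file_to_dir`. A one-line comment above the block, e.g. `/* Refuse DATA/INDEX DIRECTORY inside the server data home (Bug#32167) */`, would record why the statement is rejected. `mysql_execute_command` starts and ends outside this hunk.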
@@ -7843,3 +7858,48 @@ bool check_string_length(LEX_STRING *str
 
   return TRUE;
 }
+
+
+/*
+  Check if path does not contain mysql data home directory
+
+  SYNOPSIS
+    test_if_data_home_dir()
+    dir                     directory
+    conv_home_dir           converted data home directory
+    home_dir_len            converted data home directory length
+
+  RETURN VALUES
+    0 ok
+    1 error
+*/
+
+static bool test_if_data_home_dir(const char *dir)
+{
+  char path[FN_REFLEN], conv_path[FN_REFLEN];
+  uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home);
+  DBUG_ENTER("test_if_data_home_dir");
+
+  if (!dir)
+    DBUG_RETURN(0);
+
+  (void) fn_format(path, dir, "", "",
+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
+  dir_len= unpack_dirname(conv_path, dir);
+
+  if (home_dir_len <= dir_len)
+  {
+    if (lower_case_file_system)
+    {
+      if (!my_strnncoll(default_charset_info, (const uchar*) conv_path,
+                        home_dir_len,
+                        (const uchar*) mysql_unpacked_real_data_home,
+                        home_dir_len))
+        DBUG_RETURN(1);
+    }
+    else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
+      DBUG_RETURN(1);
+  }
+  DBUG_RETURN(0);
+}
+
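Review bot: In `test_if_data_home_dir` the symlink-resolved result that `fn_format(..., MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS)` writes into `path` is never used, because the next statement unpacks the raw argument instead: `dir_len= unpack_dirname(conv_path, dir);`. The comparison therefore runs on the unresolved name, so a directory that reaches the data home through a symbolic link would not match the prefix; the line should read `dir_len= unpack_dirname(conv_path, path);`. The comparison is also a bare prefix match over `home_dir_len` bytes, so a sibling directory whose name merely begins with the data-home string is treated as inside it unless `mysql_unpacked_real_data_home` always ends in a path separator (not visible here). Additionally requiring the byte at the prefix boundary to be a separator or the end of the string would make that explicit. The header comment should be corrected to match the code: it lists `conv_home_dir` and `home_dir_len`, which are not parameters, and it should state that 1 means the directory lies under the data home.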



--
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers
To unsubscribe:    http://lists.mysql.com/packagers?unsub=lists@...

Re: CVE-2008-2079

by Norbert Tretkowski-3 :: Rate this Message:


Am Donnerstag, den 05.06.2008, 11:05 +0200 schrieb Michal Marek:
> This is the patch we have in openSUSE 11.0's mysql-5.0.51.

Thanks!

        Norbert


--
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers
To unsubscribe:    http://lists.mysql.com/packagers?unsub=lists@...
