From: Staale Smedseng Date: July 1 2009 12:09pm Subject: bzr commit into mysql-5.0-bugteam branch (staale.smedseng:2789) Bug#45790 List-Archive: http://lists.mysql.com/commits/77649 X-Bug: 45790 Message-Id: <20090701120952.26540D6A18A@atum21.norway.sun.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7504795486490617702==" --===============7504795486490617702== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///export/home/tmp/ss156133/z/45790-50/ based on revid:staale.smedseng@stripped 2789 Staale Smedseng 2009-07-01 Bug #45790 Potential DoS vector: Writing of user input to log without proper formatting The problem is that a suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV, and thereby a denial of service. The database name is printed to the log without using a format string, so potential attackers can control the behavior of my_b_vprintf() by supplying their own format string. A CREATE or DROP privilege would be required. This patch supplies a format string to the printing of the database name. A test case is added to mysql_client_test. @ sql/sql_parse.cc Added format strings. @ tests/mysql_client_test.c Added new test case. modified: sql/sql_parse.cc tests/mysql_client_test.c
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2009-06-29 13:17:01 +0000
+++ b/sql/sql_parse.cc 2009-07-01 12:09:44 +0000
@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_c
 }
 if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
 break;
- mysql_log.write(thd,command,packet);
+ mysql_log.write(thd, command, "%s", db);
 bzero(&create_info, sizeof(create_info));
 mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
 &create_info, 0);
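Review bot: The new `+` line changes which value is logged, `packet` before and `db` now, in addition to supplying the `"%s"` format, and the commit message describes only the format-string part; `db` is derived from the packet above this hunk (not visible here), so if it is a lower-cased or otherwise normalised copy the general log now records the normalised name rather than what the client sent, which deserves a sentence in the description. Routing the identifier through `"%s"` closes the format-string hole, but the name still lands in the log verbatim, so unless the identifier validation upstream of this point rejects newlines and control characters a crafted name can still split or forge log lines; a short why-comment at the call would keep the next maintainer from regressing it, e.g. `/* db is client input: pass it as an argument, never as the format string */`. It is also worth confirming that the declaration of `mysql_log.write` carries a printf-style format attribute so that `-Wformat-security` flags any future call site that passes a non-literal format. dispatch_command starts and ends outside this hunk.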
@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_c
 ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
 break;
 }
- mysql_log.write(thd,command,db);
+ mysql_log.write(thd, command, "%s", db);
 mysql_rm_db(thd, db, 0, 0);
 break;
 }
=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c 2009-05-05 09:07:11 +0000
+++ b/tests/mysql_client_test.c 2009-07-01 12:09:44 +0000
@@ -12063,6 +12063,27 @@ static void test_bug6081()
 }
 
 
+/*
+ Verify that bogus database names are handled properly with
+ COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
+ the use of printf specifiers in the database name.
+*/
+static void test_bug45790()
+{
+ const char* bogus_db = "%s%s%s%s%s%s%s";
+ int rc;
+
+ myheader("test_bug45790");
+ rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+ (ulong)strlen(bogus_db), 0);
+ myquery(rc);
+
+ rc= simple_command(mysql, COM_DROP_DB, bogus_db,
+ (ulong)strlen(bogus_db), 0);
+ myquery(rc);
+}
+
+
 static void test_bug6096()
 {
 MYSQL_STMT *stmt;
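Review bot: `test_bug45790` only shows that the server survives the two commands; it never establishes that the vulnerable logging path was exercised, and the server-side `mysql_log.write` call is presumably only effective when the general query log is open on the test server (that gating is outside this hunk), so on a server started without logging the test passes vacuously even with the fix reverted. The test comment should state that assumption explicitly, e.g. `/* Only meaningful when the test server runs with the general log enabled; otherwise the log write is a no-op and this cannot fail. */`, or the test harness should guarantee it. Separately, `myquery(rc)` ties the test to `%s%s%s%s%s%s%s` being an acceptable database name, so a later tightening of identifier validation would fail the test before the log write is reached for an unrelated reason; a one-line note such as `/* NOTE: the name must stay a legal identifier or CREATE fails before the log call */` would make that dependency visible.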
@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= { { "test_bug6059", test_bug6059 }, { "test_bug6046", test_bug6046 }, { "test_bug6081", test_bug6081 }, + { "test_bug45790",test_bug45790 }, { "test_bug6096", test_bug6096 }, { "test_datetime_ranges", test_datetime_ranges }, { "test_bug4172", test_bug4172 }, --===============7504795486490617702== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/staale.smedseng@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: staale.smedseng@stripped # target_branch: file:///export/home/tmp/ss156133/z/45790-50/ # testament_sha1: 33f5b249baa5dd03d9d5bc9fea4940a568bf1110 # timestamp: 2009-07-01 14:09:52 +0200 # base_revision_id: staale.smedseng@stripped\ # hdxl4s2qc6blisig # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWSmI8dsAAwl/gFAQIABbd/// fqLdgL////pgB4u3dr55DZtYQ6CsjrWhoHDRASn6jEyh6Zok9TaTT1PUA9QNDQ0AaNBKREwT0Ent T0SbUaPFAyBoAAADQNUngRGgNMho0DQAABkaAMmQEiJBT0Iwg2lNDCMnlPQjQA0GgPQhxkyZMRiY ATJgmQA0YRgCGASSCaaATTJoI0I02jSnkyU2IeoTRoxNqYkrAMtlQnmFcqggatf2NGTxfUHDTTsh kMjUxpnESCMD6pCxrzhnpCgnhG2+6q/BDMQ4LvnVXXLS7YBBiAaxnvtMfGvsXjbGwsP32i2VWM33 DNdUXznzzFbqIO2sbfBE86L01up9jc7pTva340dhxMVbiGVrUrKk0BGE8DnBqBOOYQlCU2QwhWUZ Y0tBxE0SE6hSqTQgEWVI0wKPI4SJZFMj81UsVMPREChV5iXAFPDl1YYwlbG12Ioxx/EgudSpXK+L YWOrHKnkz3XxODeOhl4ulQmIopweQAIWnNOsADshKyIRV71sevYPtMhQdJplNBWowkz1hpn09ERb OaDtPE84Fo+x1q7mW1Cpw3bg9V6ru9Q3s4D7sJJiNt7lXW6mIOQ3ES7nPQpHpu617VMj4Guv3VF3 ZNCzO5lHI3H0b1JrMuCEKQopUAWSKU7JqUAxpDlCmANKasG66XlpnDgqMCtatGbToXA1bhbeA8rg BKSkBM6Lo4c2qFx1KCcDqjptKQoOq7tv9k7ChYmw/pBXJATU0i1amTYn2AfAkmqyzMalLWEkqTiD cAOC3XMMxlUtcnzB9SyIAdijOY3R0dK00U1lfMC6tKNzhxn9OIEfbUH5Sk23IXslCOJhZXUPmrZV UGYDa1kJyKl1RkqfK8TLVpjJVxcLQWrfNu0damoocPgsymy2MqMivYXLlxRkpR7XJnstylKrbBwS DjIMkyBWaDcPfuAa2rqYmrgsAYas3XJx8v0uNRUxgaGIpkz5sig8u5eWeOM5Smp9aSl2IHOohdmr 
P7GBQMTGJIhAKQI3h8yhACi8csNCilQWN5ApPdGhmbU1h02OGTBUQZPm2sSK40dS3WF50ry4IS52 vFac1eR2jjLEM3UN84zF1ri1zXEuukUjVRgsR2BxH6FYZBjbplrS8EDaff3hX9SVsLSTvFsFYEBb IYQ6e4osv5CMRQg71h/jGQuDhD3LeL0MkavTRRKKfOqtoOitHIinjLieJ4HYdo4kehzKxL2YUTk6 3E8i078QZHsrBJsgJ3kat/zDIjN0bkLOLA1ERhWoiqvyqjIkHyxmlqzNh33GCPQ+imYn3fI+FYU5 1KR+wx3b7gf0aL8GRHT8OgcnKeq86fmaj8QtKkxclUh6eIdA0xszigWRwWYYY1G8sYYRqwAiQGgs pQQm61BCBLiDgidZDdoSVAfUyNpXTXMJOKQOk7C5UNemGLDyMtyjN51qy0S2ZI+nLFnpx0vOUHIY 1thwJUGe+kUElRUqlxcbiBd3mFgUFsZKpKCLiu4xMfao2RaebqYWiTYP/dxLPqV3eBgorYkrKi0V w+9QFL806tS1TpNlVsP2ov1TeKO0fkxe4KgTMRuQbXoU8UGkwdhFYHhaOYVCQVBYSSBGUhjULswu FhTW07pADVRtX6qzjLStwnQcDiKgD0LGMxhkt65RpVl+9TuqF1cpqsx3kDwizQSY9aagzAzsab69 +CduFpVuhKcD0MzcuOcs0vwYOgRdqSzjuNKe9g3w8lgi6ggTOSMdIxY0qCQwenuphJBVv4w5sYhF BZGsyTeDeIFZSUKsDynmTbRHZsetF2rf1B7l8AwB4i/9JdSZCY7xkdbeGhC4TPCjsnsXAyHnLdVo qrGSNES2AMAEyJ4NQRe+eVzSLLYjEFRRJAYbKHBeN43f0U1WN735G4SjmBwcoMFYHOaVKGhB6iyH jIQqRFk6d2rVyLd9F1U3AQmm05gUJ4lqhbXMuhh3D2q7E2KHBvQeHOPvSC9BxkPIIKSNgrALlo5f a1kdjjDSgdbXkzX3BvIPrJ4EilAzvFAQ2g9xgyLLExpWdF69A6lwwErqDjNlmmxGG39j2Y9QIO6X I6uRksVTQpT3wAoz+LjYyfKhuoMQwPs55DAC7R8YlLgOMC5DFLI5pzhhsG6+LPX9oK+TeAScNJDu gHFYmaaMPMSh27J+CetavCJQ5BJhD1oVXQtDtiInjNcwikqrCLbYjZVYqiAZTjBEw/cgO+wlFzRy WZubXbAHE4Chr2+ciIRO8GF6vQoIlsePeUUfGwlebRf3mP0xcF9R523ETvGAeNzukUdQ6Je6UecV tbnmiSYTDDE2CVLfUCAcqwOHvu9D4/rqCELsU/hkQEHEWBkqL2hJc1HJbb9edfWglLi/fjBeIE06 XBsHXrkbl9VzA81gugK1ktSOA6/pLXvWIoGt7Q02vQNoBay5v9FO2izappzP/F3JFOFCQKYjx2w= --===============7504795486490617702==--