From:Staale Smedseng Date:July 1 2009 12:35pm
Subject:bzr push into mysql-5.0-bugteam branch (staale.smedseng:2788 to 2789)
Bug#45790
 2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
            
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The database name is printed
      to the log without using a format string, so potential
      attackers can control the behavior of my_b_vprintf() by
      supplying their own format string. A CREATE or DROP privilege
      would be required.
            
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Added format strings.
     @ tests/mysql_client_test.c
        Added new test case.

    modified:
      sql/sql_parse.cc
      tests/mysql_client_test.c
 2788 Staale Smedseng	2009-06-29
      Merge from 5.0-bt

    modified:
      client/mysql.cc
      client/mysqlbinlog.cc
      client/mysqltest.c
      cmd-line-utils/readline/bind.c
      cmd-line-utils/readline/complete.c
      cmd-line-utils/readline/display.c
      cmd-line-utils/readline/histexpand.c
      cmd-line-utils/readline/histfile.c
      cmd-line-utils/readline/history.h
      cmd-line-utils/readline/input.c
      cmd-line-utils/readline/isearch.c
      cmd-line-utils/readline/kill.c
      cmd-line-utils/readline/macro.c
      cmd-line-utils/readline/mbutil.c
      cmd-line-utils/readline/misc.c
      cmd-line-utils/readline/nls.c
      cmd-line-utils/readline/readline.c
      cmd-line-utils/readline/readline.h
      cmd-line-utils/readline/rlprivate.h
      cmd-line-utils/readline/rltty.c
      cmd-line-utils/readline/search.c
      cmd-line-utils/readline/terminal.c
      cmd-line-utils/readline/text.c
      cmd-line-utils/readline/tilde.c
      cmd-line-utils/readline/undo.c
      cmd-line-utils/readline/util.c
      cmd-line-utils/readline/vi_mode.c
      extra/yassl/src/handshake.cpp
      extra/yassl/src/yassl_imp.cpp
      extra/yassl/taocrypt/include/modes.hpp
      extra/yassl/taocrypt/src/asn.cpp
      server-tools/instance-manager/user_map.cc
      sql/ha_myisam.cc
      sql/log_event.cc
      sql/slave.cc
      sql/sql_parse.cc
      sql/sql_repl.cc
      sql/sql_table.cc
      sql/thr_malloc.cc
      strings/decimal.c
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2009-06-29 13:17:01 +0000
+++ b/sql/sql_parse.cc	2009-07-01 12:09:44 +0000
@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_c
       }
       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
 	break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd, command, "%s", db);
       bzero(&create_info, sizeof(create_info));
       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                       &create_info, 0);
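Review bot: The literal `"%s"` on the `mysql_log.write` line closes this instance, but the same pattern recurs in the COM_DROP_DB hunk just below, and nothing stops a future caller from passing user data as the format again. If the variadic `MYSQL_LOG::write` declaration does not already carry a printf-style format attribute (`__attribute__((format(printf, N, M)))`, or the project's wrapper macro for it), adding one would let `-Wformat-security` reject any non-literal format argument at compile time. This hunk also changes the logged value from `packet` to `db`; I take `db` to be the server-side copy of the packet, so it is only a wording change, but the commit message does not mention it. `dispatch_command` starts and ends outside the hunk.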
@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_c
                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
 	break;
       }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd, command, "%s", db);
       mysql_rm_db(thd, db, 0, 0);
       break;
     }

=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c	2009-05-05 09:07:11 +0000
+++ b/tests/mysql_client_test.c	2009-07-01 12:09:44 +0000
@@ -12063,6 +12063,27 @@ static void test_bug6081()
 }
 
 
+/*
+  Verify that bogus database names are handled properly with
+  COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
+  the use of printf specifiers in the database name.
+*/
+static void test_bug45790()
+{
+  const char* bogus_db = "%s%s%s%s%s%s%s";
+  int rc;
+
+  myheader("test_bug45790");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+
+  rc= simple_command(mysql, COM_DROP_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
+
 static void test_bug6096()
 {
   MYSQL_STMT *stmt;
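Review bot: `test_bug45790` only reaches the patched `mysql_log.write` calls if the general query log is enabled on the server under test; as far as I can tell the log writer is a no-op while the log is closed, so on a default test server both commands succeed with or without the fix. Either run this test against a server started with the general log on, or record the requirement in the header comment: `NOTE: requires the general query log to be enabled; without it the affected code path is never exercised.` Two smaller points: `myquery(rc)` aborts the run on failure, so a DROP that fails after a successful CREATE would leave a database named after the format string behind, and `const char* bogus_db` attaches the `*` to the type whereas the file binds it to the name (`MYSQL_STMT *stmt` a few lines down), so `const char *bogus_db` would match.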
@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_bug45790",test_bug45790 },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },
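Review bot: The added entry `{ "test_bug45790",test_bug45790 },` drops the space after the comma that every neighbouring entry has; `{ "test_bug45790", test_bug45790 },` keeps the table uniform. Placing it next to `test_bug6081` rather than in bug-number order matches the surrounding table, which is not sorted, so nothing to change there.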


Attachment: [text/bzr-bundle] bzr/staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu.bundle