2789 Staale Smedseng 2009-07-01
Bug #45790 Potential DoS vector: Writing of user input to log
without proper formatting
The problem is that a suitably crafted database identifier
supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
and thereby a denial of service. The database name is handed
to the log writer as the format string itself, so an attacker
who supplies a name containing format specifiers controls the
behavior of my_b_vprintf(). The CREATE or DROP privilege is
required to reach this code.
This patch supplies a format string to the printing of the
database name. A test case is added to mysql_client_test.
@ sql/sql_parse.cc
Added format strings.
@ tests/mysql_client_test.c
Added new test case.
modified:
sql/sql_parse.cc
tests/mysql_client_test.c
2788 Staale Smedseng 2009-06-29
Merge from 5.0-bt
modified:
client/mysql.cc
client/mysqlbinlog.cc
client/mysqltest.c
cmd-line-utils/readline/bind.c
cmd-line-utils/readline/complete.c
cmd-line-utils/readline/display.c
cmd-line-utils/readline/histexpand.c
cmd-line-utils/readline/histfile.c
cmd-line-utils/readline/history.h
cmd-line-utils/readline/input.c
cmd-line-utils/readline/isearch.c
cmd-line-utils/readline/kill.c
cmd-line-utils/readline/macro.c
cmd-line-utils/readline/mbutil.c
cmd-line-utils/readline/misc.c
cmd-line-utils/readline/nls.c
cmd-line-utils/readline/readline.c
cmd-line-utils/readline/readline.h
cmd-line-utils/readline/rlprivate.h
cmd-line-utils/readline/rltty.c
cmd-line-utils/readline/search.c
cmd-line-utils/readline/terminal.c
cmd-line-utils/readline/text.c
cmd-line-utils/readline/tilde.c
cmd-line-utils/readline/undo.c
cmd-line-utils/readline/util.c
cmd-line-utils/readline/vi_mode.c
extra/yassl/src/handshake.cpp
extra/yassl/src/yassl_imp.cpp
extra/yassl/taocrypt/include/modes.hpp
extra/yassl/taocrypt/src/asn.cpp
server-tools/instance-manager/user_map.cc
sql/ha_myisam.cc
sql/log_event.cc
sql/slave.cc
sql/sql_parse.cc
sql/sql_repl.cc
sql/sql_table.cc
sql/thr_malloc.cc
strings/decimal.c
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2009-06-29 13:17:01 +0000
+++ b/sql/sql_parse.cc 2009-07-01 12:09:44 +0000
@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_c
}
if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
break;
- mysql_log.write(thd,command,packet);
+ mysql_log.write(thd, command, "%s", db);
bzero(&create_info, sizeof(create_info));
mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
&create_info, 0);
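Review bot: Both call sites now pass `db` through a `"%s"` format, which closes the format-string path, but nothing at these lines records why the literal is required, so a later edit could quietly reintroduce the bare argument; a one-line comment above each write such as `/* db is client-supplied: log it through a literal format, never as the format itself */` would document the invariant. The same applies to the COM_DROP_DB hunk at line 2121. The COM_CREATE_DB site also switches the logged value from `packet` to `db`, which the commit message does not mention; if that is intentional it deserves a sentence there. dispatch_command starts and ends outside these hunks.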
@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_c
ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
break;
}
- mysql_log.write(thd,command,db);
+ mysql_log.write(thd, command, "%s", db);
mysql_rm_db(thd, db, 0, 0);
break;
}
=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c 2009-05-05 09:07:11 +0000
+++ b/tests/mysql_client_test.c 2009-07-01 12:09:44 +0000
@@ -12063,6 +12063,27 @@ static void test_bug6081()
}
+/*
+ Verify that bogus database names are handled properly with
+ COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
+ the use of printf specifiers in the database name.
+*/
+static void test_bug45790()
+{
+ const char* bogus_db = "%s%s%s%s%s%s%s";
+ int rc;
+
+ myheader("test_bug45790");
+ rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+ (ulong)strlen(bogus_db), 0);
+ myquery(rc);
+
+ rc= simple_command(mysql, COM_DROP_DB, bogus_db,
+ (ulong)strlen(bogus_db), 0);
+ myquery(rc);
+}
+
+
static void test_bug6096()
{
MYSQL_STMT *stmt;
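Review bot: `const char* bogus_db` attaches the star to the type, whereas the surrounding file binds it to the variable (`MYSQL_STMT *stmt;` a few lines below); `const char *bogus_db = "%s%s%s%s%s%s%s";` would match. The test also reports a failed COM_CREATE_DB as a test failure through `myquery(rc)`, so a database of that name left behind by an earlier aborted run would presumably fail the test for the wrong reason; issuing the COM_DROP_DB first with the result ignored would make the case self-contained, though I cannot confirm from the hunk how `myquery` treats a nonzero rc. test_bug6096 continues outside the hunk.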
@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug6059", test_bug6059 },
{ "test_bug6046", test_bug6046 },
{ "test_bug6081", test_bug6081 },
+ { "test_bug45790",test_bug45790 },
{ "test_bug6096", test_bug6096 },
{ "test_datetime_ranges", test_datetime_ranges },
{ "test_bug4172", test_bug4172 },
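Review bot: The new table entry `{ "test_bug45790",test_bug45790 },` omits the space after the comma that every neighbouring entry has; `{ "test_bug45790", test_bug45790 },` keeps the column layout consistent. my_tests[] starts and ends outside the hunk.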
Attachment: [text/bzr-bundle] bzr/staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu.bundle