List: Packagers
From: Christian Hammers  Date: September 11 2003 8:47am
Subject: Re: MySQL 4.0.15 has been released
Hello

On Thu, Sep 11, 2003 at 11:13:10AM +0300, Michael Shigorin wrote:
> On Wed, Sep 10, 2003 at 08:02:32PM +0200, Lenz Grimmer wrote:
> >  * Fixed buffer overflow in SET PASSWORD which could
> >    potentially be exploited by MySQL users with root privileges
> >    to execute random code or to gain shell access (thanks to
> >    Jedi/Sector One for spotting and reporting this one).
> 
> Is this relevant for 3.x?  If yes, then is it going to be fixed?
> If no, then is there a standalone patch for this issue?

Something else that MySQL could do for its porters would be to announce
fixes for backports at least at the same time the new version is
uploaded.

For now, the submitter on the bugtraq mailing list gave us a fix.
It's untested (while we're at it, MySQL could confirm that the fix
is ok, because easy-looking patches sometimes fix only half of the
problem...)

bye,

-christian-

--------------- cut & paste so not directly applicable -----------------
  The following patch (applies fine to 4.0.14, should also work on earlier
releases with minor fuzz) fixes the bug:

--- mysql-4.0.14-old/sql/sql_acl.cc     2003-07-18 16:57:25.000000000 +0200
+++ mysql-4.0.14/sql/sql_acl.cc 2003-09-10 23:21:13.559759576 +0200
@@ -233,7 +233,7 @@
    "Found old style password for user '%s'. Ignoring user. (You may want to restart
mysqld using --old-protocol)",
                      user.user ? user.user : ""); /* purecov: tested */
     }
-    else if (length % 8)               // This holds true for passwords
+    else if (length % 8 || length > 16)                // This holds true for
passwords
     {
       sql_print_error(
                      "Found invalid password for user: '%s@%s'; Ignoring user",
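Review bot: the new `length > 16` bound only rejects an over-long password hash at the point where sql_acl.cc reads the user table and logs "Found invalid password for user ... Ignoring user", whereas the advisory quoted above describes the overflow in SET PASSWORD; before shipping this as the backport, confirm that the code path which stores a new password is also covered (or is reached by this check), otherwise a too-long value can still be written and is only dropped on the next reload, which is exactly the "fixes only half of the problem" case Christian warns about. Two smaller points: the literal 16 would read better as a named constant for the scrambled-password length, and the trailing comment `// This holds true for passwords` no longer matches a condition that also tests the upper bound. Note also that the mail client has wrapped two hunk lines (the `sql_print_error` string and the `else if` line), so the patch must be re-joined before it will apply.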
