From:Lenz Grimmer Date:December 12 2002 2:54pm
Subject:Re: [packagers] MySQL 3.23.54 is released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Thu, 12 Dec 2002, Christian Hammers wrote:

> Does anybody already have a small diffset that can be used to fix the
> security problems in older releases without having to upgrade to a new
> version?
>
> At least we from Debian prefer only applying small diffs to our stable
> distribution because most admins don't like upgrading a version because
> incompatibilities can never be ruled out in practice. (Our current
> version in Debian "woody" is e.g. 3.23.49)

I meant to send this to you much earlier, but unfortunately our sysadmins
made some changes to our mail server configuration which blocked me from
posting to the packagers list :( I hope it works now.

However, I've sent that patch to the SuSE security team a few days ago
already, requesting them to forward it to vendor-sec as well (AFAIK Debian
is subscribed to this list, too). I wonder if that happened.

A patch against 3.23.53 is attached - it should apply to older versions as
well. Sorry for the delay - I promise to inform you more in advance the
next time we are informed about a security bug.

Bye,
	LenZ

- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /      Mr. Lenz Grimmer <lenz@stripped>
 / /|_/ / // /\ \/ /_/ / /__     MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/     Hamburg, Germany
       <___/   www.mysql.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE9+KM5SVDhKrJykfIRAkk7AJ9xDTfpELwk+Src4E3FOLeEQ1wX3QCePLQi
ogFKkduHuL+sO5CaCAMclgs=
=PhCL
-----END PGP SIGNATURE-----

diff -ur mysql-3.23.53.org/libmysql/libmysql.c mysql-3.23.53/libmysql/libmysql.c
--- mysql-3.23.53.org/libmysql/libmysql.c	Mon Dec  9 15:32:58 2002
+++ mysql-3.23.53/libmysql/libmysql.c	Mon Dec  9 15:46:31 2002
@@ -891,7 +891,7 @@
   uint	field,pkt_len;
   ulong len;
   uchar *cp;
-  char	*to;
+  char	*to, *end_to;
   MYSQL_DATA *result;
   MYSQL_ROWS **prev_ptr,*cur;
   NET *net = &mysql->net;
@@ -929,6 +929,7 @@
     *prev_ptr=cur;
     prev_ptr= &cur->next;
     to= (char*) (cur->data+fields+1);
+    end_to=to+pkt_len-1;
     for (field=0 ; field < fields ; field++)
     {
       if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
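Review bot: `end_to=to+pkt_len-1;` yields a pointer one byte before `to` when `pkt_len` is 0, which would make every later `end_to - to` negative; whether a zero-length packet can reach this line depends on code above the hunk, which is not shown. The value also only bounds writes correctly if the row buffer behind `to` really holds `pkt_len` bytes, and that allocation is outside the hunk. A comment stating the intent would help, e.g. `/* last byte of cur->data that to[len]=0 may write; assumes the row buffer was sized for pkt_len bytes */`.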
@@ -938,6 +939,13 @@
       else
       {
 	cur->data[field] = to;
+        if (len > end_to - to)
+        {
+          free_rows(result);
+          net->last_errno=CR_UNKNOWN_ERROR;
+          strmov(net->last_error,ER(net->last_errno));
+          DBUG_RETURN(0);
+        }
 	memcpy(to,(char*) cp,len); to[len]=0;
 	to+=len+1;
 	cp+=len;
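Review bot: The new check `if (len > end_to - to)` compares `len`, declared `ulong len;` in the @@ -891 hunk, against the `ptrdiff_t` difference, so the difference is converted to unsigned and a negative value passes the test; since a field that exactly fills the buffer leaves `to` at `end_to+1` after `to+=len+1`, the next non-NULL field is compared against a wrapped-around value and the `memcpy` is unbounded again. The @@ -989,6 +998,12 @@ hunk has the same pattern in `if (len > end_pos - pos)`, where `net_field_length(&pos)` advances `pos` with no visible comparison against `end_pos`. Make the sign explicit: `if (to > end_to || len > (ulong) (end_to - to))` here and `if (pos > end_pos || len > (ulong) (end_pos - pos))` there. The added lines are indented with spaces while the neighbouring body lines use tabs. The enclosing function begins and ends outside the hunk.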
@@ -972,7 +980,7 @@
 {
   uint field;
   ulong pkt_len,len;
-  uchar *pos,*prev_pos;
+  uchar *pos,*prev_pos, *end_pos;
 
   if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
     return -1;
@@ -980,6 +988,7 @@
     return 1;				/* End of data */
   prev_pos= 0;				/* allowed to write at packet[-1] */
   pos=mysql->net.read_pos;
+  end_pos=pos+pkt_len;
   for (field=0 ; field < fields ; field++)
   {
     if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
@@ -989,6 +998,12 @@
     }
     else
     {
+      if (len > end_pos - pos)
+      {
+        mysql->net.last_errno=CR_UNKNOWN_ERROR;
+        strmov(mysql->net.last_error,ER(mysql->net.last_errno));
+        return -1;
+      }
       row[field] = (char*) pos;
       pos+=len;
       *lengths++=len;
diff -ur mysql-3.23.53.org/sql/sql_parse.cc mysql-3.23.53/sql/sql_parse.cc
--- mysql-3.23.53.org/sql/sql_parse.cc	Mon Dec  9 15:32:55 2002
+++ mysql-3.23.53/sql/sql_parse.cc	Mon Dec  9 15:46:24 2002
@@ -109,6 +109,8 @@
   NET *net= &thd->net;
   thd->db=0;
 
+  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+    return 1;
   if (!(thd->user = my_strdup(user, MYF(0))))
   {
     send_error(net,ER_OUT_OF_RESOURCES);
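Review bot: The new `return 1;` after the `SCRAMBLE_LENGTH` check reports nothing to the client, whereas the removed check in the @@ -458 hunk returned `ER_HANDSHAKE_ERROR` to its caller and the adjacent failure branch here calls `send_error(net,ER_OUT_OF_RESOURCES)` before returning. If callers of this function treat a non-zero return as "error already sent", a malformed scramble now leaves the client without a diagnostic; adding `send_error(net,ER_HANDSHAKE_ERROR);` before the return would preserve what the old location did — confirm against the callers, which are outside the hunk. A comment such as `/* a supplied scramble must be exactly SCRAMBLE_LENGTH bytes; checked here so every caller of this function is covered */` would document why the test moved, with the first clause stated as the check's requirement and the second hedged as the apparent motivation. The enclosing function starts before the hunk.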
@@ -458,8 +460,6 @@
   char *user=   (char*) net->read_pos+5;
   char *passwd= strend(user)+1;
   char *db=0;
-  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
-    return ER_HANDSHAKE_ERROR;
   if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
     db=strend(passwd)+1;
   if (thd->client_capabilities & CLIENT_INTERACTIVE)