Subject: pkg/33616: patch for CVE-2006-0903 bug in mysql4-server package
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <cedric.devillers@script.univ-paris7.fr>
List: pkgsrc-bugs
Date: 06/01/2006 09:20:00
>Number: 33616
>Category: pkg
>Synopsis: patch for CVE-2006-0903 bug in mysql4-server package
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 01 09:20:00 +0000 2006
>Originator: Cedric DEVILLERS
>Release: NetBSD 3.0
>Organization:
University Paris VII
>Environment:
NetBSD test3-tech 3.0 NetBSD 3.0 (GENERIC.MPACPI) #0: Mon Dec 19 01:23:45 UTC 2005 builds@works.netbsd.org:/home/builds/ab/netbsd-3-0-RELEASE/i386/200512182024Z-obj/home/builds/ab/netbsd-3-0-RELEASE/src/sys/arch/i386/compile/GENERIC.MPACPI i386
>Description:
This is a patch for the MySQL bug referenced by CVE-2006-0903, for the mysql4-server package.
>How-To-Repeat:
>Fix:
--------- Patch -- cut here ---------
--- sql/sql_lex.cc.orig
+++ sql/sql_lex.cc
@@ -960,6 +960,9 @@
while (lex->ptr != lex->end_of_query &&
((c=yyGet()) != '*' || yyPeek() != '/'))
{
+ if (c == '\0')
+ return(ABORT_SYM); // NULLs illegal even in comments
+
if (c == '\n')
lex->yylineno++;
}
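Review bot: The added `c == '\0'` check covers only the `/* ... */` comment loop shown here; the enclosing lexer function starts and ends outside the hunk, so it cannot be confirmed from this page whether the other comment forms and token states reject an embedded NUL byte in the same way. That is worth confirming, because the test comment in this patch describes the problem as a way to bypass query logging, and any remaining path that accepts a NUL would leave the same gap. The inline comment would also be clearer as `// NUL bytes are illegal even inside comments`, since "NULLs" is easily read as SQL NULL.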
--- tests/mysql_client_test.c.orig
+++ tests/mysql_client_test.c
@@ -21,7 +21,8 @@
Main author: venu ( venu@mysql.com )
***************************************************************************/
#include <my_global.h>
+#include <mysqld_error.h>
#include <my_sys.h>
#include <mysql.h>
#include <errmsg.h>
@@ -11738,6 +11739,49 @@
}
/*
+ Bug #17667: An attacker has the opportunity to bypass query logging.
+*/
+
+static void test_bug17667()
+{
+ NET *net= &mysql->net;
+ int rc;
+ myheader("test_bug17667");
+
+ /* I. Prepare the table */
+ mysql_real_query(mysql, "drop table if exists t1", 23);
+
+ rc= mysql_real_query(mysql, "create table t1 (i int)", 23);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "insert into t1 (i) values (1)", 29);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+ mysql_real_query(mysql, "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+ mysql_real_query(mysql, "insert into /* TAB=\t */ t1 (i) values (4)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "/* TAB=\t */ insert into t1 (i) values (5)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ /* II. Cleanup */
+ rc= mysql_real_query(mysql, "drop table t1", 13);
+ myquery(rc);
+}
+
+
+/*
Bug#11718: query with function, join and order by returns wrong type
*/
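Review bot: In test_bug17667 the five insert calls discard the return value of mysql_real_query(), so each following `myquery(rc)` re-checks the stale `rc` left over from the `create table` call and tells us nothing about the insert. Assign the result each time, e.g. `rc= mysql_real_query(mysql, "insert into t1 (i) values (1)", 29);`. For the two NUL cases, assert the expected failure directly with `DIE_UNLESS(rc != 0);` in place of `myquery(rc);`, assuming myquery() dies on a non-zero value. The test also never reads t1 back, so it does not show that rows 2 and 3 were actually rejected; a row-count check before the cleanup step would pin that down.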
@@ -12071,6 +12115,7 @@
{ "test_bug11718", test_bug11718 },
{ "test_bug12925", test_bug12925 },
{ "test_bug15613", test_bug15613 },
+ { "test_bug17667", test_bug17667 },
{ 0, 0 }
};
------- End of patch ------------