Subject: pkg/33616: patch for CVE-2006-0903 bug in mysql4-server package
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <cedric.devillers@script.univ-paris7.fr>
List: pkgsrc-bugs
Date: 06/01/2006 09:20:00
>Number:         33616
>Category:       pkg
>Synopsis:       patch for CVE-2006-0903 bug in mysql4-server package
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 01 09:20:00 +0000 2006
>Originator:     Cedric DEVILLERS
>Release:        NetBSD 3.0
>Organization:
University Paris VII
>Environment:
NetBSD test3-tech 3.0 NetBSD 3.0 (GENERIC.MPACPI) #0: Mon Dec 19 01:23:45 UTC 2005  builds@works.netbsd.org:/home/builds/ab/netbsd-3-0-RELEASE/i386/200512182024Z-obj/home/builds/ab/netbsd-3-0-RELEASE/src/sys/arch/i386/compile/GENERIC.MPACPI i386

>Description:
This is a patch for the MySQL bug referenced by CVE-2006-0903, applied to the mysql4-server package. It makes the lexer reject a NUL byte inside a `/* ... */` comment (returning a parse error) and adds a client test for it, since a NUL embedded in a comment could be used to bypass query logging (MySQL Bug #17667).
>How-To-Repeat:

>Fix:
--------- Patch -- cut here ---------
--- sql/sql_lex.cc.orig
+++ sql/sql_lex.cc
@@ -960,6 +960,9 @@
       while (lex->ptr != lex->end_of_query &&
             ((c=yyGet()) != '*' || yyPeek() != '/'))
       {
+        if (c == '\0')
+          return(ABORT_SYM);              // NULLs illegal even in comments
+
        if (c == '\n')
          lex->yylineno++;
       }
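Review bot: The added check only guards the block-comment loop shown here; whether the same NUL-in-comment escape exists in the lexer's single-line comment paths (`#` and `-- `) cannot be seen from this hunk and should be confirmed before treating CVE-2006-0903 as closed. Also note the change is user-visible: a query carrying a NUL inside a `/* */` comment now fails with a parse error instead of being executed, which is the intended hardening but deserves a line in the pkgsrc commit message. The enclosing lexer function starts and ends outside the hunk, so the value of `c` when the loop ends on `*/` is unaffected by the new test. A one-line comment above the check would help future readers, e.g. `// CVE-2006-0903 / Bug#17667: a NUL here would truncate the query as written to the log`.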

--- tests/mysql_client_test.c.orig
+++ tests/mysql_client_test.c
@@ -21,7 +21,8 @@
  Main author: venu ( venu@mysql.com )
 ***************************************************************************/
 
 #include <my_global.h>
+#include <mysqld_error.h>
 #include <my_sys.h>
 #include <mysql.h>
 #include <errmsg.h>
@@ -11738,6 +11739,49 @@
 }
 
 /*
+  Bug #17667: An attacker has the opportunity to bypass query logging.
+*/
+
+static void test_bug17667()
+{
+  NET *net= &mysql->net;
+  int rc;
+  myheader("test_bug17667");
+
+  /* I. Prepare the table */
+  mysql_real_query(mysql,     "drop table if exists t1", 23);
+
+  rc= mysql_real_query(mysql, "create table t1 (i int)", 23);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "insert into t1 (i) values (1)", 29);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+  mysql_real_query(mysql,     "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+  mysql_real_query(mysql,     "insert into /* TAB=\t */ t1 (i) values (4)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "/* TAB=\t */ insert into t1 (i) values (5)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  /* II. Cleanup */
+  rc= mysql_real_query(mysql, "drop table t1", 13);
+  myquery(rc);
+}
+
+
+/*
   Bug#11718: query with function, join and order by returns wrong type
 */
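Review bot: The five `mysql_real_query()` calls after the `create table` never assign their return value, so every following `myquery(rc)` re-checks the stale `rc` from the CREATE and the `DIE_UNLESS(net->last_errno == ...)` lines are the only real assertions; the test passes or fails by accident of what `net->last_errno` happens to hold. Assuming `myquery()` dies on a non-zero return (as its use right after `create table` suggests), the two NUL cases cannot simply be routed through it either, because they are expected to fail — they should check the return value and `mysql_errno(mysql)` directly. Prefer `mysql_errno(mysql)` over reaching into `mysql->net.last_errno`, which is a library-private field. The rewritten statements are below; the surrounding preparation and cleanup are unchanged.
```c
  rc= mysql_real_query(mysql, "insert into t1 (i) values (1)", 29);
  myquery(rc);

  /* A NUL inside a block comment must be rejected (CVE-2006-0903) */
  rc= mysql_real_query(mysql, "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
  DIE_UNLESS(rc != 0 && mysql_errno(mysql) == ER_PARSE_ERROR);

  rc= mysql_real_query(mysql, "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
  DIE_UNLESS(rc != 0 && mysql_errno(mysql) == ER_PARSE_ERROR);

  /* Other control characters in comments stay legal */
  rc= mysql_real_query(mysql, "insert into /* TAB=\t */ t1 (i) values (4)", 41);
  myquery(rc);

  rc= mysql_real_query(mysql, "/* TAB=\t */ insert into t1 (i) values (5)", 41);
  myquery(rc);

  /* … unchanged: II. Cleanup … */
```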

@@ -12071,6 +12115,7 @@
   { "test_bug11718", test_bug11718 },
   { "test_bug12925", test_bug12925 },
   { "test_bug15613", test_bug15613 },
+  { "test_bug17667", test_bug17667 },
   { 0, 0 }
 };

------- End of patch ------------