rpms/mysql/FC-3 mysql-3.23.58-security2.patch, NONE, 1.1 mysql.spec, 1.32, 1.33
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Sat Mar 19 03:56:36 UTC 2005
Update of /cvs/dist/rpms/mysql/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv21712
Modified Files:
mysql.spec
Added Files:
mysql-3.23.58-security2.patch
Log Message:
Backpatch repair for CAN-2005-0709, CAN-2005-0710, CAN-2005-0711 (bz#151051).
mysql-3.23.58-security2.patch:
include/my_global.h | 3 +
isam/create.c | 5 +-
merge/create.c | 2
myisam/mi_create.c | 13 +++--
myisammrg/myrg_create.c | 2
mysys/mf_tempfile.c | 8 +--
sql/ha_myisam.cc | 18 ++++----
sql/mysql_priv.h | 3 -
sql/mysqld.cc | 11 ++++
sql/share/english/errmsg.txt | 2
sql/sql_udf.cc | 96 +++++++++++++++++++++++++++++--------------
sql/table.cc | 6 ++
12 files changed, 114 insertions(+), 55 deletions(-)
--- NEW FILE mysql-3.23.58-security2.patch ---
This patch repairs CAN-2005-0709, CAN-2005-0710, CAN-2005-0711.
It is a backported version of MySQLs original patch for 4.0 which
was available at:
http://mysql.bkbits.net:8080/mysql-4.0/cset@42275cb1vIySS0vWwwUFE48ltGkmNA
Thanks to Christian Hammers <ch at debian.org> for doing the bulk of the
backport work.
diff -Naur mysql-3.23.58.orig/include/my_global.h mysql-3.23.58/include/my_global.h
--- mysql-3.23.58.orig/include/my_global.h 2003-09-11 07:50:43.000000000 -0400
+++ mysql-3.23.58/include/my_global.h 2005-03-18 17:03:59.000000000 -0500
@@ -420,6 +420,9 @@
#ifndef O_SHORT_LIVED
#define O_SHORT_LIVED 0
#endif
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
/* #define USE_RECORD_LOCK */
diff -Naur mysql-3.23.58.orig/isam/create.c mysql-3.23.58/isam/create.c
--- mysql-3.23.58.orig/isam/create.c 2003-09-11 07:49:19.000000000 -0400
+++ mysql-3.23.58/isam/create.c 2005-03-18 17:03:59.000000000 -0500
@@ -58,13 +58,14 @@
base_pos=512; /* Enough for N_STATE_INFO */
bzero((byte*) &share,sizeof(share));
if ((file = my_create(fn_format(buff,name,"",N_NAME_IEXT,4),0,
- O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
goto err;
errpos=1;
VOID(fn_format(buff,name,"",N_NAME_DEXT,2+4));
if (!(flags & HA_DONT_TOUCH_DATA))
{
- if ((dfile = my_create(buff,0,O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ if ((dfile = my_create(buff,0,O_RDWR | O_EXCL | O_NOFOLLOW,
+ MYF(MY_WME))) < 0)
goto err;
errpos=2;
}
diff -Naur mysql-3.23.58.orig/merge/create.c mysql-3.23.58/merge/create.c
--- mysql-3.23.58.orig/merge/create.c 2003-09-11 07:49:19.000000000 -0400
+++ mysql-3.23.58/merge/create.c 2005-03-18 17:03:59.000000000 -0500
@@ -33,7 +33,7 @@
errpos=0;
if ((file = my_create(fn_format(buff,name,"",MRG_NAME_EXT,4),0,
- O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
goto err;
errpos=1;
if (table_names)
diff -Naur mysql-3.23.58.orig/myisam/mi_create.c mysql-3.23.58/myisam/mi_create.c
--- mysql-3.23.58.orig/myisam/mi_create.c 2003-09-11 07:49:20.000000000 -0400
+++ mysql-3.23.58/myisam/mi_create.c 2005-03-18 17:03:59.000000000 -0500
@@ -37,7 +37,7 @@
{
register uint i,j;
File dfile,file;
- int errpos,save_errno;
+ int errpos,save_errno, create_mode= O_RDWR | O_TRUNC;
uint fields,length,max_key_length,packed,pointer,
key_length,info_length,key_segs,options,min_key_length_skipp,
base_pos,varchar_count,long_varchar_count,varchar_length,
@@ -170,7 +170,10 @@
min_pack_length+=varchar_length+2*varchar_count;
}
if (flags & HA_CREATE_TMP_TABLE)
+ {
options|= HA_OPTION_TMP_TABLE;
+ create_mode|= O_EXCL | O_NOFOLLOW;
+ }
if (flags & HA_CREATE_CHECKSUM || (options & HA_OPTION_CHECKSUM))
{
options|= HA_OPTION_CHECKSUM;
@@ -471,8 +474,8 @@
if (! (flags & HA_DONT_TOUCH_DATA))
share.state.create_time= (long) time((time_t*) 0);
- if ((file = my_create(fn_format(buff,name,"",MI_NAME_IEXT,4),0,
- O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ if ((file = my_create(fn_format(buff,name,"",MI_NAME_IEXT,4),0, create_mode,
+ MYF(MY_WME))) < 0)
goto err;
errpos=1;
VOID(fn_format(buff,name,"",MI_NAME_DEXT,2+4));
@@ -481,7 +484,7 @@
#ifdef USE_RAID
if (share.base.raid_type)
{
- if ((dfile=my_raid_create(buff,0,O_RDWR | O_TRUNC,
+ if ((dfile=my_raid_create(buff, 0, create_mode,
share.base.raid_type,
share.base.raid_chunks,
share.base.raid_chunksize,
@@ -490,7 +493,7 @@
}
else
#endif
- if ((dfile = my_create(buff,0,O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ if ((dfile = my_create(buff, 0, create_mode, MYF(MY_WME))) < 0)
goto err;
errpos=3;
diff -Naur mysql-3.23.58.orig/myisammrg/myrg_create.c mysql-3.23.58/myisammrg/myrg_create.c
--- mysql-3.23.58.orig/myisammrg/myrg_create.c 2003-09-11 07:49:20.000000000 -0400
+++ mysql-3.23.58/myisammrg/myrg_create.c 2005-03-18 17:03:59.000000000 -0500
@@ -33,7 +33,7 @@
errpos=0;
if ((file = my_create(fn_format(buff,name,"",MYRG_NAME_EXT,4),0,
- O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+ O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
goto err;
errpos=1;
if (table_names)
diff -Naur mysql-3.23.58.orig/mysys/mf_tempfile.c mysql-3.23.58/mysys/mf_tempfile.c
--- mysql-3.23.58.orig/mysys/mf_tempfile.c 2003-09-11 07:49:20.000000000 -0400
+++ mysql-3.23.58/mysys/mf_tempfile.c 2005-03-18 17:03:59.000000000 -0500
@@ -71,7 +71,7 @@
{
strmake(to,res,FN_REFLEN-1);
(*free)(res);
- file=my_create(to,0, mode, MyFlags);
+ file=my_create(to,0, mode | O_EXCL | O_NOFOLLOW, MyFlags);
}
environ=old_env;
}
@@ -82,7 +82,7 @@
{
strmake(to,res,FN_REFLEN-1);
(*free)(res);
- file=my_create(to, 0, mode, MyFlags);
+ file=my_create(to, 0, mode | O_EXCL | O_NOFOLLOW, MyFlags);
}
#elif defined(HAVE_MKSTEMP)
{
@@ -143,7 +143,7 @@
strmake(to,res,FN_REFLEN-1);
(*free)(res);
file=my_create(to,0,
- (int) (O_RDWR | O_BINARY | O_TRUNC |
+ (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW |
O_TEMPORARY | O_SHORT_LIVED),
MYF(MY_WME));
@@ -186,7 +186,7 @@
}
(void) strmov(end_pos,TMP_EXT);
file=my_create(to,0,
- (int) (O_RDWR | O_BINARY | O_TRUNC |
+ (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW |
O_TEMPORARY | O_SHORT_LIVED),
MYF(MY_WME));
}
diff -Naur mysql-3.23.58.orig/sql/ha_myisam.cc mysql-3.23.58/sql/ha_myisam.cc
--- mysql-3.23.58.orig/sql/ha_myisam.cc 2003-09-11 07:49:21.000000000 -0400
+++ mysql-3.23.58/sql/ha_myisam.cc 2005-03-18 17:03:59.000000000 -0500
@@ -936,7 +936,7 @@
HA_CREATE_INFO *info)
{
int error;
- uint i,j,recpos,minpos,fieldpos,temp_length,length;
+ uint i,j,recpos,minpos,fieldpos,temp_length,length, create_flags;
bool found_auto_increment=0;
enum ha_base_keytype type;
char buff[FN_REFLEN];
@@ -1101,16 +1101,20 @@
create_info.raid_chunks=info->raid_chunks ? info->raid_chunks : RAID_DEFAULT_CHUNKS;
create_info.raid_chunksize=info->raid_chunksize ? info->raid_chunksize : RAID_DEFAULT_CHUNKSIZE;
+ if (info->options & HA_LEX_CREATE_TMP_TABLE)
+ create_flags|= HA_CREATE_TMP_TABLE;
+ if (options & HA_OPTION_PACK_RECORD)
+ create_flags|= HA_PACK_RECORD;
+ if (options & HA_OPTION_CHECKSUM)
+ create_flags|= HA_CREATE_CHECKSUM;
+ if (options & HA_OPTION_DELAY_KEY_WRITE)
+ create_flags|= HA_CREATE_DELAY_KEY_WRITE;
+
error=mi_create(fn_format(buff,name,"","",2+4+16),
form->keys,keydef,
(uint) (recinfo_pos-recinfo), recinfo,
0, (MI_UNIQUEDEF*) 0,
- &create_info,
- (((options & HA_OPTION_PACK_RECORD) ? HA_PACK_RECORD : 0) |
- ((options & HA_OPTION_CHECKSUM) ? HA_CREATE_CHECKSUM : 0) |
- ((options & HA_OPTION_DELAY_KEY_WRITE) ?
- HA_CREATE_DELAY_KEY_WRITE : 0)));
-
+ &create_info, create_flags);
my_free((gptr) recinfo,MYF(0));
DBUG_RETURN(error);
diff -Naur mysql-3.23.58.orig/sql/mysql_priv.h mysql-3.23.58/sql/mysql_priv.h
--- mysql-3.23.58.orig/sql/mysql_priv.h 2003-09-11 07:49:21.000000000 -0400
+++ mysql-3.23.58/sql/mysql_priv.h 2005-03-18 17:03:59.000000000 -0500
@@ -541,7 +541,8 @@
COND_slave_stopped, COND_slave_start;
extern pthread_attr_t connection_attrib;
extern bool opt_endinfo, using_udf_functions, locked_in_memory,
- opt_using_transactions, use_temp_pool, opt_local_infile;
+ opt_using_transactions, use_temp_pool, opt_local_infile,
+ opt_allow_suspicious_udfs;
extern char f_fyllchar;
extern ulong ha_read_count, ha_write_count, ha_delete_count, ha_update_count,
ha_read_key_count, ha_read_next_count, ha_read_prev_count,
diff -Naur mysql-3.23.58.orig/sql/mysqld.cc mysql-3.23.58/sql/mysqld.cc
--- mysql-3.23.58.orig/sql/mysqld.cc 2003-09-11 07:49:19.000000000 -0400
+++ mysql-3.23.58/sql/mysqld.cc 2005-03-18 17:06:14.000000000 -0500
@@ -241,7 +241,7 @@
opt_myisam_log=0,
opt_large_files=sizeof(my_off_t) > 4;
bool opt_sql_bin_update = 0, opt_log_slave_updates = 0, opt_safe_show_db=0,
- opt_safe_user_create=0;
+ opt_safe_user_create=0, opt_allow_suspicious_udfs;
FILE *bootstrap_file=0;
int segfaulted = 0; // ensure we do not enter SIGSEGV handler twice
extern MASTER_INFO glob_mi;
@@ -2752,10 +2752,12 @@
OPT_MAX_BINLOG_DUMP_EVENTS, OPT_SPORADIC_BINLOG_DUMP_FAIL,
OPT_SAFE_USER_CREATE, OPT_SQL_MODE,
OPT_HAVE_NAMED_PIPE,
- OPT_SLAVE_SKIP_ERRORS, OPT_LOCAL_INFILE
+ OPT_SLAVE_SKIP_ERRORS, OPT_LOCAL_INFILE,
+ OPT_ALLOW_SUSPICIOUS_UDFS
};
static struct option long_options[] = {
+ {"allow-suspicious-udfs", no_argument, 0, (int) OPT_ALLOW_SUSPICIOUS_UDFS},
{"ansi", no_argument, 0, 'a'},
{"basedir", required_argument, 0, 'b'},
#ifdef HAVE_BERKELEY_DB
@@ -3343,6 +3345,11 @@
printf("Usage: %s [OPTIONS]\n", my_progname);
puts("\n\
--ansi Use ANSI SQL syntax instead of MySQL syntax\n\
+ --allow-suspicious-udfs\n\
+ Allows to use UDF's consisting of only one symbol\n\
+ xxx() without corresponing xxx_init() or xxx_deinit().\n\
+ That also means that one can load any function from\n\
+ any library, for example exit() from libc.so\n\
-b, --basedir=path Path to installation directory. All paths are\n\
usually resolved relative to this\n\
--big-tables Allow big result sets by saving all temporary sets\n\
diff -Naur mysql-3.23.58.orig/sql/share/english/errmsg.txt mysql-3.23.58/sql/share/english/errmsg.txt
--- mysql-3.23.58.orig/sql/share/english/errmsg.txt 2003-09-11 08:00:00.000000000 -0400
+++ mysql-3.23.58/sql/share/english/errmsg.txt 2005-03-18 17:03:59.000000000 -0500
@@ -128,7 +128,7 @@
"No paths allowed for shared library",
"Function '%-.64s' already exist",
"Can't open shared library '%-.64s' (errno: %d %-.64s)",
-"Can't find function '%-.64s' in library'",
+"Can't find function '%-.64s' in library",
"Function '%-.64s' is not defined",
"Host '%-.64s' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'",
"Host '%-.64s' is not allowed to connect to this MySQL server",
diff -Naur mysql-3.23.58.orig/sql/sql_udf.cc mysql-3.23.58/sql/sql_udf.cc
--- mysql-3.23.58.orig/sql/sql_udf.cc 2003-09-11 07:49:20.000000000 -0400
+++ mysql-3.23.58/sql/sql_udf.cc 2005-03-18 17:03:59.000000000 -0500
@@ -75,29 +75,49 @@
static pthread_mutex_t THR_LOCK_udf;
-static udf_func *add_udf(char *name, Item_result ret, char *dl,
- Item_udftype typ);
+static udf_func *add_udf(char *name, Item_result ret,
+ char *dl, Item_udftype typ);
static void del_udf(udf_func *udf);
static void *find_udf_dl(const char *dl);
-
-static void init_syms(udf_func *tmp)
+static char *init_syms(udf_func *tmp, char *nm)
{
- char nm[MAX_FIELD_NAME+16],*end;
+ char *end;
+
+ if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name))))
+ return tmp->name;
- tmp->func = dlsym(tmp->dlhandle, tmp->name);
end=strmov(nm,tmp->name);
- (void) strmov(end,"_init");
- tmp->func_init = dlsym(tmp->dlhandle, nm);
- (void) strmov(end,"_deinit");
- tmp->func_deinit = dlsym(tmp->dlhandle, nm);
+
if (tmp->type == UDFTYPE_AGGREGATE)
{
- (void)strmov( end, "_reset" );
- tmp->func_reset = dlsym( tmp->dlhandle, nm );
- (void)strmov( end, "_add" );
- tmp->func_add = dlsym( tmp->dlhandle, nm );
+ (void)strmov(end, "_reset");
+ if (!((tmp->func_reset= dlsym(tmp->dlhandle, nm))))
+ return nm;
+ (void)strmov(end, "_add");
+ if (!((tmp->func_add= dlsym(tmp->dlhandle, nm))))
+ return nm;
+ }
+
+ (void) strmov(end,"_deinit");
+ tmp->func_deinit= dlsym(tmp->dlhandle, nm);
+
+ (void) strmov(end,"_init");
+ tmp->func_init= dlsym(tmp->dlhandle, nm);
+
+ /*
+ to prefent loading "udf" from, e.g. libc.so
+ let's ensure that at least one auxiliary symbol is defined
+ */
+ if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE)
+ {
+ if (opt_allow_suspicious_udfs)
+ sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm);
+ else
+ return nm;
}
+
+ return 0;
}
static byte* get_hash_key(const byte *buff,uint *length,
@@ -109,7 +129,7 @@
}
/*
-** Read all predeclared functions from func at mysql and accept all that
+** Read all predeclared functions from mysql.func and accept all that
** can be used.
*/
@@ -151,7 +171,7 @@
if (open_tables(new_thd, &tables))
{
DBUG_PRINT("error",("Can't open udf table"));
- sql_print_error("Can't open mysql/func table");
+ sql_print_error("Can't open mysql.func table. Please run the mysql_install_db script to create it.");
close_thread_tables(new_thd);
delete new_thd;
DBUG_VOID_RETURN;
@@ -169,10 +189,22 @@
if (table->fields >= 4) // New func table
udftype=(Item_udftype) table->field[3]->val_int();
+ /*
+ Ensure that the .dll doesn't have a path
+ This is done to ensure that only approved dll from the system
+ directories are used (to make this even remotely secure).
+ */
+ if (strchr(dl_name, '/') || strlen(name) > NAME_LEN)
+ {
+ sql_print_error("Invalid row in mysql.func table for function '%.64s'",
+ name);
+ continue;
+ }
+
if (!(tmp = add_udf(name,(Item_result) table->field[1]->val_int(),
dl_name, udftype)))
{
- sql_print_error("Can't alloc memory for udf function: name");
+ sql_print_error("Can't alloc memory for udf function: '%.64s'", name);
continue;
}
@@ -189,13 +221,15 @@
new_dl=1;
}
tmp->dlhandle = dl;
- init_syms(tmp);
- if (!tmp->func)
{
- sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name);
- del_udf(tmp);
- if (new_dl)
- dlclose(dl);
+ char buf[MAX_FIELD_NAME+16], *missing;
+ if ((missing= init_syms(tmp, buf)))
+ {
+ sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing);
+ del_udf(tmp);
+ if (new_dl)
+ dlclose(dl);
+ }
}
}
if (error > 0)
@@ -382,13 +416,15 @@
new_dl=1;
}
udf->dlhandle=dl;
- init_syms(udf);
-
- if (udf->func == NULL)
{
- net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, udf->name);
- goto err;
+ char buf[MAX_FIELD_NAME+16], *missing;
+ if ((missing= init_syms(udf, buf)))
+ {
+ net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, missing);
+ goto err;
+ }
}
+
udf->name=strdup_root(&mem,udf->name);
udf->dl=strdup_root(&mem,udf->dl);
if (!udf->name || !udf->dl ||
@@ -404,7 +440,7 @@
u_d->func_reset=udf->func_reset;
u_d->func_add=udf->func_add;
- /* create entry in mysql/func table */
+ /* create entry in mysql.func table */
bzero((char*) &tables,sizeof(tables));
tables.db= (char*) "mysql";
@@ -424,7 +460,7 @@
close_thread_tables(thd);
if (error)
{
- net_printf(&thd->net, ER_ERROR_ON_WRITE, "func at mysql",error);
+ net_printf(&thd->net, ER_ERROR_ON_WRITE, "mysql.func",error);
del_udf(u_d);
goto err;
}
diff -Naur mysql-3.23.58.orig/sql/table.cc mysql-3.23.58/sql/table.cc
--- mysql-3.23.58.orig/sql/table.cc 2003-09-11 07:49:21.000000000 -0400
+++ mysql-3.23.58/sql/table.cc 2005-03-18 17:03:59.000000000 -0500
@@ -956,6 +956,10 @@
uint key_length;
ulong length;
char fill[IO_SIZE];
+ int create_flags= O_RDWR | O_TRUNC;
+
+ if (create_info->options & HA_LEX_CREATE_TMP_TABLE)
+ create_flags|= O_EXCL | O_NOFOLLOW;
#if SIZEOF_OFF_T > 4
/* Fix this in MySQL 4.0; The current limit is 4G rows (QQ) */
@@ -965,7 +969,7 @@
create_info->min_rows= ~(ulong) 0;
#endif
- if ((file=my_create(name,CREATE_MODE,O_RDWR | O_TRUNC,MYF(MY_WME))) >= 0)
+ if ((file= my_create(name, CREATE_MODE, create_flags, MYF(MY_WME))) >= 0)
{
bzero((char*) fileinfo,64);
fileinfo[0]=(uchar) 254; fileinfo[1]= 1; fileinfo[2]= FRM_VER+1; // Header
Index: mysql.spec
===================================================================
RCS file: /cvs/dist/rpms/mysql/FC-3/mysql.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- mysql.spec 5 Jan 2005 18:06:23 -0000 1.32
+++ mysql.spec 19 Mar 2005 03:56:34 -0000 1.33
@@ -1,6 +1,6 @@
Name: mysql
Version: 3.23.58
-Release: 14
+Release: 15.FC3.1
Source0: http://www.mysql.com/Downloads/MySQL-3.23/mysql-%{version}.tar.gz
Source1: mysql.init
Source2: mysql.logrotate
@@ -19,6 +19,7 @@
Patch8: mysql-3.23.58-config.patch
Patch9: mysql-3.23.58-security.patch
Patch10: mysql-3.23.58-selinux.patch
+Patch11: mysql-3.23.58-security2.patch
URL: http://www.mysql.com
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Summary: MySQL client programs and shared libraries.
@@ -101,6 +102,7 @@
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
libtoolize --force
aclocal
@@ -311,6 +313,9 @@
%{_datadir}/sql-bench
%changelog
+* Fri Mar 18 2005 Tom Lane <tgl at redhat.com> 3.23.58-15.FC3.1
+- Backpatch repair for CAN-2005-0709, CAN-2005-0710, CAN-2005-0711 (bz#151051).
+
* Wed Jan 5 2005 Tom Lane <tgl at redhat.com> 3.23.58-14
- work around SELinux restriction that breaks mysql_install_db (bug #141062)
- Add a restorecon to keep the mysql.log file in the right context (bz#143887)
More information about the fedora-cvs-commits
mailing list