Gentoo's Bugzilla – Attachment 52403 Details for
Bug 83163
dev-db/mysql-4.0.22-r2 enables any user to create database without having the required privileges
[patch]
security patch
CAN-2004-0957.diff (text/plain), 9.04 KB, created by
Tavis Ormandy (RETIRED)
on 2005-03-01 11:18:28 UTC
Description:
security patch
Filename:
MIME Type:
Creator:
Tavis Ormandy (RETIRED)
Created:
2005-03-01 11:18:28 UTC
Size:
9.04 KB
>--- mysql-dfsg-4.0.20.orig/debian/patches/SECURITY-CAN-2004-0957.diff
>+++ mysql-dfsg-4.0.20/debian/patches/SECURITY-CAN-2004-0957.diff
>@@ -0,0 +1,262 @@
>+diff -Nru a/include/my_sys.h b/include/my_sys.h
>+--- a/include/my_sys.h 2004-11-08 07:12:16 -08:00
>++++ b/include/my_sys.h 2004-11-08 07:12:16 -08:00
>+@@ -620,7 +620,7 @@
>+ const char *own_pathname_part);
>+ extern my_string my_load_path(my_string to, const char *path,
>+ const char *own_path_prefix);
>+-extern int wild_compare(const char *str,const char *wildstr);
>++extern int wild_compare(const char *str,const char *wildstr,pbool str_is_pattern);
>+ extern my_string my_strcasestr(const char *src,const char *suffix);
>+ extern int my_strcasecmp(const char *s,const char *t);
>+ extern int my_strsortcmp(const char *s,const char *t);
>+diff -Nru a/mysys/mf_wcomp.c b/mysys/mf_wcomp.c
>+--- a/mysys/mf_wcomp.c 2004-11-08 07:12:16 -08:00
>++++ b/mysys/mf_wcomp.c 2004-11-08 07:12:16 -08:00
>+@@ -23,11 +23,12 @@
>+
>+ char wild_many='*';
>+ char wild_one='?';
>+-char wild_prefix=0;
>++char wild_prefix=0; /* QQ this can potentially cause a SIGSEGV */
>+
>+-int wild_compare(register const char *str, register const char *wildstr)
>++int wild_compare(register const char *str, register const char *wildstr,
>++ pbool str_is_pattern)
>+ {
>+- reg3 int flag;
>++ char cmp;
>+ DBUG_ENTER("wild_compare");
>+
>+ while (*wildstr)
>+@@ -35,33 +36,55 @@
>+ while (*wildstr && *wildstr != wild_many && *wildstr != wild_one)
>+ {
>+ if (*wildstr == wild_prefix && wildstr[1])
>++ {
>+ wildstr++;
>+- if (*wildstr++ != *str++) DBUG_RETURN(1);
>++ if (str_is_pattern && *str++ != wild_prefix)
>++ DBUG_RETURN(1);
>++ }
>++ if (*wildstr++ != *str++)
>++ DBUG_RETURN(1);
>+ }
>+- if (! *wildstr ) DBUG_RETURN (*str != 0);
>++ if (! *wildstr )
>++ DBUG_RETURN(*str != 0);
>+ if (*wildstr++ == wild_one)
>+ {
>+- if (! *str++) DBUG_RETURN (1); /* One char; skipp */
>++ if (! *str || (str_is_pattern && *str == wild_many))
>++ DBUG_RETURN(1); /* One char; skip */
>++ if (*str++ == wild_prefix && str_is_pattern && *str)
>++ str++;
>+ }
>+ else
>+ { /* Found '*' */
>+- if (!*wildstr) DBUG_RETURN(0); /* '*' as last char: OK */
>+- flag=(*wildstr != wild_many && *wildstr != wild_one);
>+- do
>++ while (str_is_pattern && *str == wild_many)
>++ str++;
>++ for (; *wildstr == wild_many || *wildstr == wild_one; wildstr++)
>++ if (*wildstr == wild_many)
>++ {
>++ while (str_is_pattern && *str == wild_many)
>++ str++;
>++ }
>++ else
>++ {
>++ if (str_is_pattern && *str == wild_prefix && str[1])
>++ str+=2;
>++ else if (! *str++)
>++ DBUG_RETURN (1);
>++ }
>++ if (!*wildstr)
>++ DBUG_RETURN(0); /* '*' as last char: OK */
>++ if ((cmp= *wildstr) == wild_prefix && wildstr[1] && !str_is_pattern)
>++ cmp=wildstr[1];
>++ for (;;str++)
>+ {
>+- if (flag)
>+- {
>+- char cmp;
>+- if ((cmp= *wildstr) == wild_prefix && wildstr[1])
>+- cmp=wildstr[1];
>+- while (*str && *str != cmp)
>+- str++;
>+- if (!*str) DBUG_RETURN (1);
>+- }
>+- if (wild_compare(str,wildstr) == 0) DBUG_RETURN (0);
>+- } while (*str++ && wildstr[0] != wild_many);
>+- DBUG_RETURN(1);
>++ while (*str && *str != cmp)
>++ str++;
>++ if (!*str)
>++ DBUG_RETURN (1);
>++ if (wild_compare(str,wildstr,str_is_pattern) == 0)
>++ DBUG_RETURN (0);
>++ }
>++ /* We will never come here */
>+ }
>+ }
>+- DBUG_RETURN (*str != '\0');
>++ DBUG_RETURN (*str != 0);
>+ } /* wild_compare */
>+diff -Nru a/mysys/mf_wfile.c b/mysys/mf_wfile.c
>+--- a/mysys/mf_wfile.c 2004-11-08 07:12:16 -08:00
>++++ b/mysys/mf_wfile.c 2004-11-08 07:12:16 -08:00
>+@@ -106,7 +106,7 @@
>+
>+ not_pos=wf_pack->not_pos;
>+ for (i=0 ; i < not_pos; i++)
>+- if (wild_compare(name,wf_pack->wild[i]) == 0)
>++ if (wild_compare(name,wf_pack->wild[i],0) == 0)
>+ goto found;
>+ if (i)
>+ DBUG_RETURN(1); /* No-match */
>+@@ -115,7 +115,7 @@
>+ /* Test that it isn't in not-list */
>+
>+ for (i=not_pos ; i < wf_pack->wilds; i++)
>+- if (wild_compare(name,wf_pack->wild[i]) == 0)
>++ if (wild_compare(name,wf_pack->wild[i],0) == 0)
>+ DBUG_RETURN(1);
>+ DBUG_RETURN(0);
>+ } /* wf_test */
>+diff -Nru a/sql/sql_acl.cc b/sql/sql_acl.cc
>+--- a/sql/sql_acl.cc 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_acl.cc 2004-11-08 07:12:16 -08:00
>+@@ -834,7 +834,7 @@
>+ */
>+
>+ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
>+- const char *user, const char *db)
>++ const char *user, const char *db, my_bool db_is_pattern)
>+ {
>+ ulong host_access,db_access;
>+ uint i,key_length;
>+@@ -868,7 +868,7 @@
>+ {
>+ if (compare_hostname(&acl_db->host,host,ip))
>+ {
>+- if (!acl_db->db || !wild_compare(db,acl_db->db))
>++ if (!acl_db->db || !wild_compare(db,acl_db->db,db_is_pattern))
>+ {
>+ db_access=acl_db->access;
>+ if (acl_db->host.hostname)
>+@@ -890,7 +890,7 @@
>+ ACL_HOST *acl_host=dynamic_element(&acl_hosts,i,ACL_HOST*);
>+ if (compare_hostname(&acl_host->host,host,ip))
>+ {
>+- if (!acl_host->db || !wild_compare(db,acl_host->db))
>++ if (!acl_host->db || !wild_compare(db,acl_host->db,0))
>+ {
>+ host_access=acl_host->access; // Fully specified. Take it
>+ break;
>+@@ -1222,7 +1222,7 @@
>+ }
>+ return (!host->hostname ||
>+ (hostname && !wild_case_compare(hostname,host->hostname)) ||
>+- (ip && !wild_compare(ip,host->hostname)));
>++ (ip && !wild_compare(ip,host->hostname,0)));
>+ }
>+
>+
>+@@ -1300,7 +1300,7 @@
>+ tl.db= (char*) "mysql";
>+ tl.real_name= (char*) "user";
>+ db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+- thd->priv_user, tl.db);
>++ thd->priv_user, tl.db, 0);
>+ if (!(db_access & INSERT_ACL))
>+ {
>+ if (check_grant(thd,INSERT_ACL,&tl,0,1))
>+diff -Nru a/sql/sql_acl.h b/sql/sql_acl.h
>+--- a/sql/sql_acl.h 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_acl.h 2004-11-08 07:12:16 -08:00
>+@@ -85,7 +85,7 @@
>+ void acl_reload(THD *thd);
>+ void acl_free(bool end=0);
>+ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
>+- const char *user, const char *db);
>++ const char *user, const char *db, my_bool db_is_pattern);
>+ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
>+ const char *password,const char *scramble,
>+ char **priv_user, char *priv_host,
>+diff -Nru a/sql/sql_base.cc b/sql/sql_base.cc
>+--- a/sql/sql_base.cc 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_base.cc 2004-11-08 07:12:16 -08:00
>+@@ -149,7 +149,7 @@
>+ if (wild)
>+ {
>+ strxmov(name,entry->table_cache_key,".",entry->real_name,NullS);
>+- if (wild_compare(name,wild))
>++ if (wild_compare(name,wild,0))
>+ continue;
>+ }
>+
>+diff -Nru a/sql/sql_db.cc b/sql/sql_db.cc
>+--- a/sql/sql_db.cc 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_db.cc 2004-11-08 07:12:16 -08:00
>+@@ -410,7 +410,7 @@
>+ db_access=DB_ACLS;
>+ else
>+ db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
>+- thd->priv_user,dbname) |
>++ thd->priv_user,dbname,0) |
>+ thd->master_access);
>+ if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
>+ {
>+diff -Nru a/sql/sql_parse.cc b/sql/sql_parse.cc
>+--- a/sql/sql_parse.cc 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_parse.cc 2004-11-08 07:12:16 -08:00
>+@@ -2672,7 +2672,7 @@
>+ if (!(thd->master_access & SELECT_ACL) &&
>+ (db && (!thd->db || strcmp(db,thd->db))))
>+ db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+- thd->priv_user, db); /* purecov: inspected */
>++ thd->priv_user, db, 0); /* purecov: inspected */
>+ *save_priv=thd->master_access | db_access;
>+ DBUG_RETURN(FALSE);
>+ }
>+@@ -2692,7 +2692,7 @@
>+
>+ if (db && (!thd->db || strcmp(db,thd->db)))
>+ db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+- thd->priv_user, db); /* purecov: inspected */
>++ thd->priv_user, db, 0); /* purecov: inspected */
>+ else
>+ db_access=thd->db_access;
>+ // Remove SHOW attribute and access rights we already have
>+diff -Nru a/sql/sql_show.cc b/sql/sql_show.cc
>+--- a/sql/sql_show.cc 2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_show.cc 2004-11-08 07:12:16 -08:00
>+@@ -78,7 +78,7 @@
>+ {
>+ if (thd->master_access & (DB_ACLS | SHOW_DB_ACL) ||
>+ acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+- thd->priv_user, file_name) ||
>++ thd->priv_user, file_name, 0) ||
>+ (grant_option && !check_grant_db(thd, file_name)))
>+ {
>+ thd->packet.length(0);
>+@@ -214,7 +214,7 @@
>+ #endif
>+ {
>+ if (file->name[0] == '.' || !MY_S_ISDIR(file->mystat->st_mode) ||
>+- (wild && wild_compare(file->name,wild)))
>++ (wild && wild_compare(file->name,wild, 0)))
>+ continue;
>+ }
>+ }
>+@@ -232,7 +232,7 @@
>+ if (wild_case_compare(file->name,wild))
>+ continue;
>+ }
>+- else if (wild_compare(file->name,wild))
>++ else if (wild_compare(file->name,wild, 0))
>+ continue;
>+ }
>+ }
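Review bot: In `mysys/mf_wcomp.c`, the added test `if (str_is_pattern && *str == wild_prefix && str[1])` inside the `for (; *wildstr == wild_many || *wildstr == wild_one; wildstr++)` loop can read past the end of `str`. While `wild_prefix` still holds its default of 0, `*str == wild_prefix` is true exactly when `*str` is the terminating NUL, so `str[1]` is the byte after the terminator and `str+=2` can then step outside the buffer. Checking the terminator first, `if (str_is_pattern && *str && *str == wild_prefix && str[1])`, lets an exhausted `str` fall through to the existing `else if (! *str++)` mismatch return. The new `/* QQ this can potentially cause a SIGSEGV */` comment is presumably about this case but names neither the condition nor the requirement; something like `/* must be set to a non-zero escape character before wild_compare() is called with str_is_pattern */` would tell the next reader what to do.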
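Review bot: Every `acl_get()` call site changed in this patch (`sql/sql_acl.cc` at -1300, `sql/sql_db.cc`, both hunks in `sql/sql_parse.cc`, and `sql/sql_show.cc` at -78) passes a literal `0` for the new `db_is_pattern` argument, and every direct `wild_compare()` caller passes `0` as well. As far as the visible hunks show, nothing ever reaches the `str_is_pattern` branches added in `mf_wcomp.c`, so the caller that checks a database name which is itself a wildcard pattern must set the flag in code outside this attachment; that should be confirmed before treating this backport as the complete fix for CAN-2004-0957. A comment on the `acl_get()` declaration, for example `/* db_is_pattern: db is a wildcard pattern, not a literal database name */`, would tell callers when to pass non-zero. The `acl_host` comparison inside `acl_get()` hard-codes `0` instead of forwarding `db_is_pattern`; if that is deliberate, a one-line why-comment there would help.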