Attachment 52403 Details for Bug 83163 – security patch

[patch] security patch

CAN-2004-0957.diff (text/plain), 9.04 KB, created by Tavis Ormandy (RETIRED) on 2005-03-01 11:18:28 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Tavis Ormandy (RETIRED)

Created: 2005-03-01 11:18:28 UTC

Size: 9.04 KB

patch

obsolete

>--- mysql-dfsg-4.0.20.orig/debian/patches/SECURITY-CAN-2004-0957.diff
>+++ mysql-dfsg-4.0.20/debian/patches/SECURITY-CAN-2004-0957.diff
>@@ -0,0 +1,262 @@
>+diff -Nru a/include/my_sys.h b/include/my_sys.h
>+--- a/include/my_sys.h	2004-11-08 07:12:16 -08:00
>++++ b/include/my_sys.h	2004-11-08 07:12:16 -08:00
>+@@ -620,7 +620,7 @@
>+ 			 const char *own_pathname_part);
>+ extern my_string my_load_path(my_string to, const char *path,
>+ 			      const char *own_path_prefix);
>+-extern int wild_compare(const char *str,const char *wildstr);
>++extern int wild_compare(const char *str,const char *wildstr,pbool str_is_pattern);
>+ extern my_string my_strcasestr(const char *src,const char *suffix);
>+ extern int my_strcasecmp(const char *s,const char *t);
>+ extern int my_strsortcmp(const char *s,const char *t);
>+diff -Nru a/mysys/mf_wcomp.c b/mysys/mf_wcomp.c
>+--- a/mysys/mf_wcomp.c	2004-11-08 07:12:16 -08:00
>++++ b/mysys/mf_wcomp.c	2004-11-08 07:12:16 -08:00
>+@@ -23,11 +23,12 @@
>+ 
>+ char wild_many='*';
>+ char wild_one='?';
>+-char wild_prefix=0;
>++char wild_prefix=0; /* QQ this can potentially cause a SIGSEGV */
>+ 
>+-int wild_compare(register const char *str, register const char *wildstr)
>++int wild_compare(register const char *str, register const char *wildstr,
>++                 pbool str_is_pattern)
>+ {
>+-  reg3 int flag;
>++  char cmp;
>+   DBUG_ENTER("wild_compare");
>+ 
>+   while (*wildstr)
>+@@ -35,33 +36,55 @@
>+     while (*wildstr && *wildstr != wild_many && *wildstr != wild_one)
>+     {
>+       if (*wildstr == wild_prefix && wildstr[1])
>++      {
>+ 	wildstr++;
>+-      if (*wildstr++ != *str++) DBUG_RETURN(1);
>++        if (str_is_pattern && *str++ != wild_prefix)
>++          DBUG_RETURN(1);
>++      }
>++      if (*wildstr++ != *str++)
>++        DBUG_RETURN(1);
>+     }
>+-    if (! *wildstr ) DBUG_RETURN (*str != 0);
>++    if (! *wildstr )
>++      DBUG_RETURN(*str != 0);
>+     if (*wildstr++ == wild_one)
>+     {
>+-      if (! *str++) DBUG_RETURN (1);	/* One char; skipp */
>++      if (! *str || (str_is_pattern && *str == wild_many))
>++        DBUG_RETURN(1);                     /* One char; skip */
>++      if (*str++ == wild_prefix && str_is_pattern && *str)
>++        str++;
>+     }
>+     else
>+     {						/* Found '*' */
>+-      if (!*wildstr) DBUG_RETURN(0);		/* '*' as last char: OK */
>+-      flag=(*wildstr != wild_many && *wildstr != wild_one);
>+-      do
>++      while (str_is_pattern && *str == wild_many)
>++        str++;
>++      for (; *wildstr ==  wild_many || *wildstr == wild_one; wildstr++)
>++        if (*wildstr == wild_many)
>++        {
>++          while (str_is_pattern && *str == wild_many)
>++            str++;
>++        }
>++        else
>++        {
>++          if (str_is_pattern && *str == wild_prefix && str[1])
>++            str+=2;
>++          else if (! *str++)
>++            DBUG_RETURN (1);
>++        }
>++      if (!*wildstr)
>++        DBUG_RETURN(0);		/* '*' as last char: OK */
>++      if ((cmp= *wildstr) == wild_prefix && wildstr[1] && !str_is_pattern)
>++        cmp=wildstr[1];
>++      for (;;str++)
>+       {
>+-	if (flag)
>+-	{
>+-	  char cmp;
>+-	  if ((cmp= *wildstr) == wild_prefix && wildstr[1])
>+-	    cmp=wildstr[1];
>+-	  while (*str && *str != cmp)
>+-	    str++;
>+-	  if (!*str) DBUG_RETURN (1);
>+-	}
>+-	if (wild_compare(str,wildstr) == 0) DBUG_RETURN (0);
>+-      } while (*str++ && wildstr[0] != wild_many);
>+-      DBUG_RETURN(1);
>++        while (*str && *str != cmp)
>++          str++;
>++        if (!*str)
>++          DBUG_RETURN (1);
>++	if (wild_compare(str,wildstr,str_is_pattern) == 0)
>++          DBUG_RETURN (0);
>++      }
>++      /* We will never come here */
>+     }
>+   }
>+-  DBUG_RETURN (*str != '\0');
>++  DBUG_RETURN (*str != 0);
>+ } /* wild_compare */
>+diff -Nru a/mysys/mf_wfile.c b/mysys/mf_wfile.c
>+--- a/mysys/mf_wfile.c	2004-11-08 07:12:16 -08:00
>++++ b/mysys/mf_wfile.c	2004-11-08 07:12:16 -08:00
>+@@ -106,7 +106,7 @@
>+ 
>+   not_pos=wf_pack->not_pos;
>+   for (i=0 ; i < not_pos; i++)
>+-    if (wild_compare(name,wf_pack->wild[i]) == 0)
>++    if (wild_compare(name,wf_pack->wild[i],0) == 0)
>+       goto found;
>+   if (i)
>+     DBUG_RETURN(1);			/* No-match */
>+@@ -115,7 +115,7 @@
>+ /* Test that it isn't in not-list */
>+ 
>+   for (i=not_pos ; i < wf_pack->wilds; i++)
>+-    if (wild_compare(name,wf_pack->wild[i]) == 0)
>++    if (wild_compare(name,wf_pack->wild[i],0) == 0)
>+       DBUG_RETURN(1);
>+   DBUG_RETURN(0);
>+ } /* wf_test */
>+diff -Nru a/sql/sql_acl.cc b/sql/sql_acl.cc
>+--- a/sql/sql_acl.cc	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_acl.cc	2004-11-08 07:12:16 -08:00
>+@@ -834,7 +834,7 @@
>+ */
>+ 
>+ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
>+-	     const char *user, const char *db)
>++	     const char *user, const char *db, my_bool db_is_pattern)
>+ {
>+   ulong host_access,db_access;
>+   uint i,key_length;
>+@@ -868,7 +868,7 @@
>+     {
>+       if (compare_hostname(&acl_db->host,host,ip))
>+       {
>+-	if (!acl_db->db || !wild_compare(db,acl_db->db))
>++	if (!acl_db->db || !wild_compare(db,acl_db->db,db_is_pattern))
>+ 	{
>+ 	  db_access=acl_db->access;
>+ 	  if (acl_db->host.hostname)
>+@@ -890,7 +890,7 @@
>+     ACL_HOST *acl_host=dynamic_element(&acl_hosts,i,ACL_HOST*);
>+     if (compare_hostname(&acl_host->host,host,ip))
>+     {
>+-      if (!acl_host->db || !wild_compare(db,acl_host->db))
>++      if (!acl_host->db || !wild_compare(db,acl_host->db,0))
>+       {
>+ 	host_access=acl_host->access;		// Fully specified. Take it
>+ 	break;
>+@@ -1222,7 +1222,7 @@
>+   }
>+   return (!host->hostname ||
>+ 	  (hostname && !wild_case_compare(hostname,host->hostname)) ||
>+-	  (ip && !wild_compare(ip,host->hostname)));
>++	  (ip && !wild_compare(ip,host->hostname,0)));
>+ }
>+ 
>+ 
>+@@ -1300,7 +1300,7 @@
>+     tl.db=	   (char*) "mysql";
>+     tl.real_name=  (char*) "user";
>+     db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+-		      thd->priv_user, tl.db);
>++		      thd->priv_user, tl.db, 0);
>+     if (!(db_access & INSERT_ACL))
>+     {
>+       if (check_grant(thd,INSERT_ACL,&tl,0,1))
>+diff -Nru a/sql/sql_acl.h b/sql/sql_acl.h
>+--- a/sql/sql_acl.h	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_acl.h	2004-11-08 07:12:16 -08:00
>+@@ -85,7 +85,7 @@
>+ void acl_reload(THD *thd);
>+ void acl_free(bool end=0);
>+ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
>+-	      const char *user, const char *db);
>++	      const char *user, const char *db, my_bool db_is_pattern);
>+ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
>+ 		  const char *password,const char *scramble,
>+                   char **priv_user, char *priv_host,
>+diff -Nru a/sql/sql_base.cc b/sql/sql_base.cc
>+--- a/sql/sql_base.cc	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_base.cc	2004-11-08 07:12:16 -08:00
>+@@ -149,7 +149,7 @@
>+     if (wild)
>+     {
>+       strxmov(name,entry->table_cache_key,".",entry->real_name,NullS);
>+-      if (wild_compare(name,wild))
>++      if (wild_compare(name,wild,0))
>+ 	continue;
>+     }
>+ 
>+diff -Nru a/sql/sql_db.cc b/sql/sql_db.cc
>+--- a/sql/sql_db.cc	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_db.cc	2004-11-08 07:12:16 -08:00
>+@@ -410,7 +410,7 @@
>+     db_access=DB_ACLS;
>+   else
>+     db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
>+-			thd->priv_user,dbname) |
>++			thd->priv_user,dbname,0) |
>+ 		thd->master_access);
>+   if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
>+   {
>+diff -Nru a/sql/sql_parse.cc b/sql/sql_parse.cc
>+--- a/sql/sql_parse.cc	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_parse.cc	2004-11-08 07:12:16 -08:00
>+@@ -2672,7 +2672,7 @@
>+     if (!(thd->master_access & SELECT_ACL) &&
>+ 	(db && (!thd->db || strcmp(db,thd->db))))
>+       db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+-			thd->priv_user, db); /* purecov: inspected */
>++			thd->priv_user, db, 0); /* purecov: inspected */
>+     *save_priv=thd->master_access | db_access;
>+     DBUG_RETURN(FALSE);
>+   }
>+@@ -2692,7 +2692,7 @@
>+ 
>+   if (db && (!thd->db || strcmp(db,thd->db)))
>+     db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+-		      thd->priv_user, db); /* purecov: inspected */
>++		      thd->priv_user, db, 0); /* purecov: inspected */
>+   else
>+     db_access=thd->db_access;
>+   // Remove SHOW attribute and access rights we already have
>+diff -Nru a/sql/sql_show.cc b/sql/sql_show.cc
>+--- a/sql/sql_show.cc	2004-11-08 07:12:16 -08:00
>++++ b/sql/sql_show.cc	2004-11-08 07:12:16 -08:00
>+@@ -78,7 +78,7 @@
>+   {
>+     if (thd->master_access & (DB_ACLS | SHOW_DB_ACL) ||
>+ 	acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
>+-		thd->priv_user, file_name) ||
>++		thd->priv_user, file_name, 0) ||
>+ 	(grant_option && !check_grant_db(thd, file_name)))
>+     {
>+       thd->packet.length(0);
>+@@ -214,7 +214,7 @@
>+ #endif
>+       {
>+         if (file->name[0] == '.' || !MY_S_ISDIR(file->mystat->st_mode) ||
>+-            (wild && wild_compare(file->name,wild)))
>++            (wild && wild_compare(file->name,wild, 0)))
>+           continue;
>+       }
>+     }
>+@@ -232,7 +232,7 @@
>+ 	  if (wild_case_compare(file->name,wild))
>+ 	    continue;
>+ 	}
>+-	else if (wild_compare(file->name,wild))
>++	else if (wild_compare(file->name,wild, 0))
>+ 	  continue;
>+       }
>+     }

Actions: View | Diff

Attachments on bug 83163: 52403