127731 – [patch] databases/mysql41-server fix for CVE-2008-2079

Bug 127731 - [patch] databases/mysql41-server fix for CVE-2008-2079

Summary: [patch] databases/mysql41-server fix for CVE-2008-2079

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	Alex Dupre

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-09-29 23:50 UTC by Andrew Daugherity
Modified:	2008-10-10 20:10 UTC (History)
CC List:	0 users

See Also:

Attachments
mysql41-server.patch (11.80 KB, patch) 2008-09-29 23:50 UTC, Andrew Daugherity	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Daugherity 2008-09-29 23:50:01 UTC

	Fix for mysql41-server for the vulnerability referred to in http://www.freebsd.org/ports/portaudit/388d9ee4-7f22-11dd-a66a-0019666436c2.html

Fix: Patch attached.  Because MySQL 4.1 is in the "extended support" phase of the
lifecycle, there are no tarballs newer than 4.1.22 available, but security
patches are still issued, and code is available from the bzr repo.  Rather
than upgrading to 4.1.24 (the latest tagged version), which would require
a build-dep on bzr, or self-hosting a bzr export tarball, I generated a bzr
diff for this specific fix.

This is the commit log from mysql bzr:
    ------------------------------------------------------------
    revno: 2704.3.2
    committer: gluh@mysql.com/eagle.(none)
    timestamp: Fri 2008-02-29 13:55:00 +0400
    message:
      Bug#32167 another privilege bypass with DATA/INDEX DIRECORY(ver 4.1,5.0)
      added new function test_if_data_home_dir() which checks that
      path does not contain mysql data home directory.
      Using of mysql data home directory in
      DATA DIRECTORY & INDEX DIRECTORY is disallowed.
    ------------------------------------------------------------

The attached patch is the output of 'bzr diff -r 2704.3.1..2704.3.2' against
a checkout of mysql-4.1 branch, split into multiple files as per FreeBSD
ports policy, with the exception of the two files under mysql-test/, which
had intervening changes.  The diff for those two files came from
'bzr diff -r tag:mysql-4.1.22..tag:mysql-4.1.24 mysql-test/r/symlink.result'
and likewise for mysql-test/t/symlink.test.

All patches are new files, except for patch-sql::mysqld.cc, which has hunks
added to it.

Of course, the vulnerabilities database also needs to be updated once
this patch is committed.

Comment 1 Edwin Groothuis freebsd_committer

2008-09-29 23:50:11 UTC

Responsible Changed
From-To: freebsd-ports-bugs->ale

Over to maintainer (via the GNATS Auto Assign Tool)

Comment 2 Eugene Grosbein 2008-10-01 21:27:43 UTC

Hi!

I've compile-checked this patch, it compiles and runs,
so I vote for it.

Andrew, does this patch contain all differences between
4.1.22 and 4.1.24 source codes? If so, we should name the port 4.1.24
and not 4.1.22_1 to we get right packages numbering and more correct
record in vulnerability databases later. So, next patch above yours
(or just replace first chunk with it):

--- Makefile.orig	2008-10-02 04:24:33.000000000 +0800
+++ Makefile	2008-10-02 04:18:34.000000000 +0800
@@ -6,8 +6,9 @@
 #
 
 PORTNAME?=	mysql
-PORTVERSION=	4.1.22
-PORTREVISION?=	1
+PORTVERSION=	4.1.24
+PORTREVISION?=	0
+DISTNAME=	mysql-4.1.22
 CATEGORIES=	databases
 MASTER_SITES=	${MASTER_SITE_MYSQL}
 MASTER_SITE_SUBDIR=	MySQL-4.1


Eugene Grosbein

Comment 3 Andrew Daugherity 2008-10-01 23:07:39 UTC

 >>> Eugene Grosbein <eugen@kuzbass.ru> 10/01/08 3:27 PM >>>=20
Andrew, does this patch contain all differences between
4.1.22 and 4.1.24 source codes?


No, this patch is just the diff of the revision claiming to fix this bug =
with the previous revision*, which is why I changed the version to =
4.1.22_1 rather than 4.1.24.  It applies cleanly to the 4.1.22 source =
(with some lines of offset, but I didn't bother changing that because the =
patch succeeded).

I first tried to update the port to 4.1.24, but decided it was too much =
work, since the bzr checkout requires autoreconf to be run first, and then =
most of the existing FreeBSD patches didn't apply.  Also, a diff between =
the 4.1.22 tarball and the 4.1.24 checkout was over 100k lines and changed =
472 files, so I decided to go this route instead.

* With the exception of a couple test files, as I noted in the bug report.


Andrew

Comment 4 Alex Dupre freebsd_committer

2008-10-10 19:42:36 UTC

State Changed
From-To: open->closed

Committed, thanks!

Comment 5 dfilter service freebsd_committer

2008-10-10 20:01:19 UTC

ale         2008-10-10 19:01:11 UTC

  FreeBSD ports repository

  Modified files:
    databases/mysql41-server Makefile 
    databases/mysql41-server/files patch-sql::mysqld.cc 
  Added files:
    databases/mysql41-server/files patch-sql_mysql_priv.h 
                                   patch-sql_sql_parse.cc 
  Log:
  Fix for CVE-2008-2079.
  
  PR:             ports/127731
  Submitted by:   Andrew Daugherity <adaugherity@tamu.edu>
  
  Revision  Changes    Path
  1.228     +1 -1      ports/databases/mysql41-server/Makefile
  1.5       +21 -0     ports/databases/mysql41-server/files/patch-sql::mysqld.cc
  1.1       +11 -0     ports/databases/mysql41-server/files/patch-sql_mysql_priv.h (new)
  1.1       +82 -0     ports/databases/mysql41-server/files/patch-sql_sql_parse.cc (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"