Hello community, here is the log from the commit of package mysql checked in at Tue Jun 3 16:29:05 CEST 2008. -------- --- mysql/mysql.changes 2008-04-10 12:59:32.000000000 +0200 +++ /mounts/work_src_done/STABLE/mysql/mysql.changes 2008-05-30 15:36:00.000000000 +0200 @@ -1,0 +2,19 @@ +Fri May 30 15:35:17 CEST 2008 - mmarek@suse.cz + +- fix a race in rcmysql restart between the old mysql removing it's + pid file and exiting - use checkproc -p (bnc#359522, bnc#332530, + #395710) + +------------------------------------------------------------------- +Thu May 22 22:02:23 CEST 2008 - mmarek@suse.cz + +- increase timeout in rcmysql stop, should fix failed restarts + (bnc#359522, bnc#332530) + +------------------------------------------------------------------- +Mon May 19 15:02:38 CEST 2008 - mmarek@suse.cz + +- fixed a privilege bypass with DATA/INDEX DIRECTORY + (bnc#387746, mysql#32167, CVE-2008-2079) + +------------------------------------------------------------------- Old: ---- minmem New: ---- mysql-5.0.51a-CVE-2008-2079.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mysql.spec ++++++ --- /var/tmp/diff_new_pack.B32685/_old 2008-06-03 16:26:28.000000000 +0200 +++ /var/tmp/diff_new_pack.B32685/_new 2008-06-03 16:26:28.000000000 +0200 @@ -16,7 +16,7 @@ License: GPL v2 only Group: Productivity/Databases/Servers Version: 5.0.51a -Release: 14 +Release: 25 # required by rcmysql Requires: mysql-client = %{version} Url: http://www.mysql.com @@ -42,6 +42,7 @@ Patch16: mybug30069.patch Patch19: mysql-5.0.51-mybug25359.patch Patch21: mysql-5.0.51-mybug33050.patch +Patch22: mysql-5.0.51a-CVE-2008-2079.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -259,6 +260,7 @@ %patch16 %patch19 %patch21 +%patch22 # remove unneeded man manpages rm man/mysqlman.1 man/safe_mysqld.1 man/mysql.server.1 man/make_win_*.1 rm man/mysqlmanager-pwgen.1 man/mysqlmanagerc.1 @@ -576,6 +578,16 @@ %files tools -f mysql-tools.files %changelog +* Fri May 30 2008 mmarek@suse.cz +- fix a race in rcmysql restart between the old mysql removing it's + pid file and exiting - use checkproc -p (bnc#359522, bnc#332530, + [#395710]) +* Fri May 23 2008 mmarek@suse.cz +- increase timeout in rcmysql stop, should fix failed restarts + (bnc#359522, bnc#332530) +* Mon May 19 2008 mmarek@suse.cz +- fixed a privilege bypass with DATA/INDEX DIRECTORY + (bnc#387746, mysql#32167, CVE-2008-2079) * Thu Apr 10 2008 ro@suse.de - added baselibs.conf file to build xxbit packages for multilib support ++++++ mysql-5.0.51a-CVE-2008-2079.patch ++++++ From: http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d674xBscPm_ztIMnZI3dj2r7IQ http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7d8f2Z15kczRJRewvyFNHM6lheA http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c7e6a0CyEvUOiqbdlN1JWAu7pcsA http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47c80109fGl7Wudvu2CM0pXMSbzYNg http://mysql.bkbits.net:8080/mysql-5.0/?PAGE=cset&REV=47cbdacaZc2nF4NS9WyTkT_6nTPp_Q --- mysql-test/r/symlink.result | 77 ++++++++++++++++---------------- mysql-test/t/symlink.test | 104 ++++++++++++++++++++++++-------------------- sql/mysql_priv.h | 1 sql/mysqld.cc | 8 ++- sql/sql_parse.cc | 60 +++++++++++++++++++++++++ 5 files changed, 163 insertions(+), 87 deletions(-) --- mysql-test/r/symlink.result.orig +++ mysql-test/r/symlink.result @@ -100,23 +100,15 @@ t1 CREATE TABLE `t1` ( ) ENGINE=MyISAM DEFAULT CHARSET=latin1 drop table t1; CREATE TABLE t1(a INT) -DATA DIRECTORY='TEST_DIR/master-data/mysql' -INDEX DIRECTORY='TEST_DIR/master-data/mysql'; -RENAME TABLE t1 TO user; -ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17) -DROP TABLE t1; -show create table t1; -Table Create Table -t1 CREATE TABLE `t1` ( - `i` int(11) default NULL -) ENGINE=MyISAM DEFAULT CHARSET=latin1 -drop table t1; -show create table t1; -Table Create Table -t1 CREATE TABLE `t1` ( - `i` int(11) default NULL -) ENGINE=MyISAM DEFAULT CHARSET=latin1 -drop table t1; +DATA DIRECTORY='TEST_DIR/tmp' +INDEX DIRECTORY='TEST_DIR/tmp'; +ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17) +CREATE TABLE t2(a INT) +DATA DIRECTORY='TEST_DIR/tmp' +INDEX DIRECTORY='TEST_DIR/tmp'; +RENAME TABLE t2 TO t1; +ERROR HY000: Can't create/write to file 'TEST_DIR/tmp/t1.MYI' (Errcode: 17) +DROP TABLE t2; show create table t1; Table Create Table t1 CREATE TEMPORARY TABLE `t1` ( @@ -138,27 +130,38 @@ select * from t1; a 42 drop table t1; +execute stmt; +show create table t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` char(10) default NULL +) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/' +drop table t1; +execute stmt; +show create table t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` char(10) default NULL +) ENGINE=MyISAM DEFAULT CHARSET=latin1 DATA DIRECTORY='MYSQLTEST_VARDIR/tmp/' +drop table t1; +deallocate prepare stmt; +CREATE TABLE t1(a INT) +DATA DIRECTORY='TEST_DIR/var/master-data/test'; +Got one of the listed errors +CREATE TABLE t1(a INT) +DATA DIRECTORY='TEST_DIR/var/master-data/'; +Got one of the listed errors +CREATE TABLE t1(a INT) +INDEX DIRECTORY='TEST_DIR/var/master-data'; +Got one of the listed errors +CREATE TABLE t1(a INT) +INDEX DIRECTORY='TEST_DIR/var/master-data_var'; +Got one of the listed errors End of 4.1 tests -CREATE DATABASE db1; -CREATE DATABASE db2; -USE db2; -INSERT INTO db2.t1 VALUES (1); -SELECT * FROM db2.t1; -b -1 -RESET QUERY CACHE; -USE db1; SET SESSION keep_files_on_create = TRUE; CREATE TABLE t1 (a INT) ENGINE MYISAM; -ERROR HY000: Can't create/write to file './db1/t1.MYD' (Errcode: 17) -CREATE TABLE t3 (a INT) Engine=MyISAM; -INSERT INTO t3 VALUES (1),(2),(3); -TRUNCATE TABLE t3; -SELECT * from t3; -a -SET SESSION keep_files_on_create = DEFAULT; -DROP TABLE db2.t1, db1.t3; -DROP DATABASE db1; -DROP DATABASE db2; -USE test; +ERROR HY000: Can't create/write to file './test/t1.MYD' (Errcode: 17) +SET SESSION keep_files_on_create = FALSE; +CREATE TABLE t1 (a INT) ENGINE MYISAM; +DROP TABLE t1; End of 5.0 tests --- mysql-test/t/symlink.test.orig +++ mysql-test/t/symlink.test @@ -127,29 +127,22 @@ drop table t1; # # BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE # +--write_file $MYSQLTEST_VARDIR/tmp/t1.MYI +EOF --replace_result $MYSQLTEST_VARDIR TEST_DIR +--error 1 eval CREATE TABLE t1(a INT) -DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql' -INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'; +DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp' +INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp'; +--replace_result $MYSQLTEST_VARDIR TEST_DIR +eval CREATE TABLE t2(a INT) +DATA DIRECTORY='$MYSQLTEST_VARDIR/tmp' +INDEX DIRECTORY='$MYSQLTEST_VARDIR/tmp'; --replace_result $MYSQLTEST_VARDIR TEST_DIR --error 1 -RENAME TABLE t1 TO user; -DROP TABLE t1; - -# -# Test specifying DATA DIRECTORY that is the same as what would normally -# have been chosen. (Bug #8707) -# -disable_query_log; -eval create table t1 (i int) data directory = "$MYSQLTEST_VARDIR/master-data/test/"; -enable_query_log; -show create table t1; -drop table t1; -disable_query_log; -eval create table t1 (i int) index directory = "$MYSQLTEST_VARDIR/master-data/test/"; -enable_query_log; -show create table t1; -drop table t1; +RENAME TABLE t2 TO t1; +DROP TABLE t2; +--remove_file $MYSQLTEST_VARDIR/tmp/t1.MYI # # Bug#8706 - temporary table with data directory option fails @@ -188,44 +181,61 @@ connection default; select * from t1; drop table t1; ---echo End of 4.1 tests - # -# Bug #29325: create table overwrites .MYD file of other table (datadir) +# CREATE TABLE with DATA DIRECTORY option # - -CREATE DATABASE db1; -CREATE DATABASE db2; - -USE db2; +# Protect ourselves from data left in tmp/ by a previos possibly failed +# test +--system rm -f $MYSQLTEST_VARDIR/tmp/t1.* --disable_query_log -eval CREATE TABLE t1 (b INT) ENGINE MYISAM -DATA DIRECTORY = '$MYSQLTEST_VARDIR/master-data/db1/'; +eval prepare stmt from "create table t1 (c char(10)) data directory='$MYSQLTEST_VARDIR/tmp'"; --enable_query_log +execute stmt; +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +show create table t1; +drop table t1; +execute stmt; +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +show create table t1; +drop table t1; +deallocate prepare stmt; -INSERT INTO db2.t1 VALUES (1); -SELECT * FROM db2.t1; -RESET QUERY CACHE; +# +# Bug#32167 another privilege bypass with DATA/INDEX DIRECORY +# +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/test'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1,1210 +eval CREATE TABLE t1(a INT) +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data_var'; -USE db1; +--echo End of 4.1 tests -#no warning from create table +# +# Bug #29325: create table overwrites .MYD file of other table (datadir) +# SET SESSION keep_files_on_create = TRUE; +--write_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD +EOF --disable_abort_on_error +--error 1 CREATE TABLE t1 (a INT) ENGINE MYISAM; +--error 0,1 +--remove_file $MYSQLTEST_VARDIR/master-data/test/t1.MYD; --enable_abort_on_error - -CREATE TABLE t3 (a INT) Engine=MyISAM; -INSERT INTO t3 VALUES (1),(2),(3); -TRUNCATE TABLE t3; -SELECT * from t3; - -SET SESSION keep_files_on_create = DEFAULT; - -DROP TABLE db2.t1, db1.t3; -DROP DATABASE db1; -DROP DATABASE db2; -USE test; - +SET SESSION keep_files_on_create = FALSE; +CREATE TABLE t1 (a INT) ENGINE MYISAM; +DROP TABLE t1; --echo End of 5.0 tests --- sql/mysql_priv.h.orig +++ sql/mysql_priv.h @@ -1255,6 +1255,7 @@ void my_dbopt_free(void); extern time_t server_start_time, flush_status_time; extern char *mysql_data_home,server_version[SERVER_VERSION_LENGTH], mysql_real_data_home[], *opt_mysql_tmpdir, mysql_charsets_dir[], + mysql_unpacked_real_data_home[], def_ft_boolean_syntax[sizeof(ft_boolean_syntax)]; #define mysql_tmpdir (my_tmpdir(&mysql_tmpdir_list)) extern MY_TMPDIR mysql_tmpdir_list; --- sql/mysqld.cc.orig +++ sql/mysqld.cc @@ -453,14 +453,13 @@ char log_error_file[FN_REFLEN], glob_hos char mysql_real_data_home[FN_REFLEN], language[FN_REFLEN], reg_ext[FN_EXTLEN], mysql_charsets_dir[FN_REFLEN], *opt_init_file, *opt_tc_log_file, + mysql_unpacked_real_data_home[FN_REFLEN], def_ft_boolean_syntax[sizeof(ft_boolean_syntax)]; - +char *mysql_data_home= mysql_real_data_home; const key_map key_map_empty(0); key_map key_map_full(0); // Will be initialized later const char *opt_date_time_formats[3]; - -char *mysql_data_home= mysql_real_data_home; char server_version[SERVER_VERSION_LENGTH]; char *mysqld_unix_port, *opt_mysql_tmpdir; const char **errmesg; /* Error messages */ @@ -7565,6 +7564,9 @@ static void fix_paths(void) pos[1]= 0; } convert_dirname(mysql_real_data_home,mysql_real_data_home,NullS); + (void) fn_format(buff, mysql_real_data_home, "", "", + (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS)); + (void) unpack_dirname(mysql_unpacked_real_data_home, buff); convert_dirname(language,language,NullS); (void) my_load_path(mysql_home,mysql_home,""); // Resolve current dir (void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home); --- sql/sql_parse.cc.orig +++ sql/sql_parse.cc @@ -76,6 +76,7 @@ static void remove_escape(char *name); static bool append_file_to_dir(THD *thd, const char **filename_ptr, const char *table_name); static bool check_show_create_table_access(THD *thd, TABLE_LIST *table); +static bool test_if_data_home_dir(const char *dir); const char *any_db="*any*"; // Special symbol for check_access @@ -3001,6 +3002,20 @@ mysql_execute_command(THD *thd) "INDEX DIRECTORY option ignored"); create_info.data_file_name= create_info.index_file_name= NULL; #else + + if (test_if_data_home_dir(lex->create_info.data_file_name)) + { + my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY"); + res= -1; + break; + } + if (test_if_data_home_dir(lex->create_info.index_file_name)) + { + my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY"); + res= -1; + break; + } + /* Fix names if symlinked tables */ if (append_file_to_dir(thd, &create_info.data_file_name, create_table->table_name) || @@ -7843,3 +7858,48 @@ bool check_string_length(LEX_STRING *str return TRUE; } + + +/* + Check if path does not contain mysql data home directory + + SYNOPSIS + test_if_data_home_dir() + dir directory + conv_home_dir converted data home directory + home_dir_len converted data home directory length + + RETURN VALUES + 0 ok + 1 error +*/ + +static bool test_if_data_home_dir(const char *dir) +{ + char path[FN_REFLEN], conv_path[FN_REFLEN]; + uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home); + DBUG_ENTER("test_if_data_home_dir"); + + if (!dir) + DBUG_RETURN(0); + + (void) fn_format(path, dir, "", "", + (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS)); + dir_len= unpack_dirname(conv_path, dir); + + if (home_dir_len <= dir_len) + { + if (lower_case_file_system) + { + if (!my_strnncoll(default_charset_info, (const uchar*) conv_path, + home_dir_len, + (const uchar*) mysql_unpacked_real_data_home, + home_dir_len)) + DBUG_RETURN(1); + } + else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len)) + DBUG_RETURN(1); + } + DBUG_RETURN(0); +} + ++++++ rc.mysql ++++++ --- mysql/rc.mysql 2007-08-21 10:24:42.000000000 +0200 +++ /mounts/work_src_done/STABLE/mysql/rc.mysql 2008-05-30 15:30:49.000000000 +0200 @@ -103,7 +103,7 @@ # Don't run killproc -TERM, as it could send a SIGKILL as well, possibly # resulting in database corruption. Run kill -TERM manually instead, wait -# approximately 60 seconds and fail if mysql doesn't respond. This will at +# approximately 300 seconds and fail if mysql doesn't respond. This will at # least prevent the SIGKILL when doing 'rcmysql stop' manually. During system # shutdown, we are out of luck... # See https://bugzilla.novell.com/show_bug.cgi?id=223209 @@ -122,7 +122,7 @@ kill -STOP "$pid" kill -TERM "$pid" || return 4 # suboptimal kill -CONT "$pid" - for i in `seq 600`; do + for i in `seq 3000`; do # mysqld removes its pid file test -e "$pid_file" || return 0 LC_ALL=C sleep 0.1 @@ -147,7 +147,7 @@ case "$1" in start) # exit gracefully, if we are already running - checkproc $MYSQLD && echo -n "Starting service MySQL " && \ + $0 status >/dev/null && echo -n "Starting service MySQL " && \ rc_status -v && rc_exit # Test, if safe_mysqld actually exists @@ -315,7 +315,7 @@ # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc $MYSQLD + checkproc -p $pid_file $MYSQLD rc_status -v ;; ++++++ rc.mysql-multi ++++++ --- mysql/rc.mysql-multi 2008-03-13 15:57:57.000000000 +0100 +++ /mounts/work_src_done/STABLE/mysql/rc.mysql-multi 2008-05-30 15:32:49.000000000 +0200 @@ -73,7 +73,7 @@ # Don't run killproc -TERM, as it could send a SIGKILL as well, possibly # resulting in database corruption. Run kill -TERM manually instead, wait -# approximately 60 seconds and fail if mysql doesn't respond. This will at +# approximately 300 seconds and fail if mysql doesn't respond. This will at # least prevent the SIGKILL when doing 'rcmysql stop' manually. During system # shutdown, we are out of luck... # See https://bugzilla.novell.com/show_bug.cgi?id=223209 @@ -92,7 +92,7 @@ kill -STOP "$pid" kill -TERM "$pid" || return 4 # suboptimal kill -CONT "$pid" - for i in `seq 600`; do + for i in `seq 3000`; do # mysqld removes its pid file test -e "$pid_file" || return 0 LC_ALL=C sleep 0.1 @@ -167,19 +167,6 @@ ;; status) - ## Check status with checkproc(8), if process is running - ## checkproc will return with exit status 0. - - # Status has a slightly different for the status command: - # 0 - service running - # 1 - service dead, but /var/run/ pid file exists - # 2 - service dead, but /var/lock/ lock file exists - # 3 - service not running - - # NOTE: checkproc returns LSB compliant status values. - # echo -n "Checking for service MySQL: " - # checkproc $MYSQLD - STATUS=$(mysqld_multi report) echo -n "$STATUS" # Set the status for rc_status @@ -242,7 +229,7 @@ case "$1" in start) # exit gracefully, if we are already running - checkproc $MYSQLD && echo -n "Starting service MySQL " && \ + $0 status >/dev/null && echo -n "Starting service MySQL " && \ rc_status -v && rc_exit # Test, if safe_mysqld actually exists @@ -410,7 +397,7 @@ # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc $MYSQLD + checkproc -p $pid_file $MYSQLD rc_status -v ;; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org