[debian-mysql] Bug#475159: mysql-server-5.0: MySQL parser interprets null characters in SQL input as whitespace.
Tim Small
tim at buttersideup.com
Wed Apr 9 12:54:48 UTC 2008
Package: mysql-server-5.0
Version: 5.0.32-7etch5
Severity: important
Tags: patch
The attached patch went into MySQL upstream in version 5.0.36. Without the
patch, the MySQL parser will interpret a null character in the SQL input
stream as a space, and so read past the end of the string. I haven't
analysed the code to see if this mistake can happen inside of quoted
strings in the SQL input stream, or not.
Although the server I'm working on does not crash (the SQL statement
simply does not parse correctly, and the SQL operation fails) - there
are reports in:
http://bugs.mysql.com/bug.php?id=25653
of a crash being caused; the crash appears to occur in the MySQL
server. I would assume that a local user with access to the database
could cause a DoS by exploiting this flaw, but it may be possible for
remote users to inject data into web forms etc. to trigger the same
crash. AFAIK, there is no CVE number for this flaw, and I have not
analysed the code to see if more serious compromises are possible.
Patch also cleans up .rej file from the current Etch package.
diff -Naur stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list
--- stock/mysql-dfsg-5.0-5.0.32/debian/patches/00list 2008-04-01 08:30:03.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/00list 2008-03-31 21:04:40.000000000 +0100
@@ -28,3 +28,4 @@
95_SECURITY_CVE-2007-5969.dpatch
95_SECURITY_CVE-2007-6304.dpatch
96_SECURITY_CVE-2008-0226+0227.dpatch
+97_InnoDB_parserbug.dpatch
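Review bot: the new 00list entry is appended after the 96_SECURITY_* patches but, unlike its neighbours, carries neither a SECURITY tag nor the CVE or upstream bug number in its name, so nothing in the series records why it is there or that it fixes a crash-triggering input-handling flaw; naming it after the upstream bug cited in the report (e.g. 97_SECURITY_mysqlbug25653.dpatch) or at least stating that in the patch's DP: line would keep the patch series self-documenting.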
diff -Naur stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch
--- stock/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/patches/97_InnoDB_parserbug.dpatch 2008-03-31 21:04:34.000000000 +0100
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 97_InnoDB_parserbug.dpatch by <tim at buttersideup.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix bug in InnoDB parser as per 97_InnoDB_parserbug.dpatch
+
+ at DPATCH@
+
+--- a/innobase/dict/dict0dict.c 2006-12-20 11:14:48.000000000 +0000
++++ b/innobase/dict/dict0dict.c 2008-01-11 14:43:37.000000000 +0000
+@@ -28,7 +28,7 @@
+ #include "rem0cmp.h"
+
+ /* Implement isspace() in a locale-independent way. (Bug #24299) */
+-#define ib_isspace(c) strchr(" \v\f\t\r\n", c)
++#define ib_isspace(c) ((char) (c) && strchr(" \v\f\t\r\n", c))
+
+ dict_sys_t* dict_sys = NULL; /* the dictionary system */
+
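Review bot: the `## DP:` description is circular ("Fix bug in InnoDB parser as per 97_InnoDB_parserbug.dpatch" describes the patch by naming itself) and should say what is fixed and where it came from, e.g. `## DP: innobase/dict/dict0dict.c: ib_isspace() treated NUL as whitespace because strchr() matches the terminator (upstream bug #25653, fixed in 5.0.36)`. The `(char) (c) &&` guard is the right fix for the strchr() terminator match, but the macro now evaluates `c` twice, so any caller passing an expression with side effects (such as `*ptr++`) would misbehave; the hunk shows none of the callers, so the uses of ib_isspace() in dict0dict.c should be checked before this goes in. Anyone taking this patch from the list archive also has to restore `@DPATCH@` on the line rendered above as ` at DPATCH@`, which the archive's address munging has mangled; as shown, dpatch-run will not find its marker.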
--- stock/mysql-dfsg-5.0-5.0.32/debian/changelog 2008-04-01 08:30:03.000000000 +0100
+++ i386/mysql-dfsg-5.0-5.0.32/debian/changelog 2008-04-01 08:32:49.000000000 +0100
@@ -1,3 +1,9 @@
+mysql-dfsg-5.0 (5.0.32-7etch5bright) stable-proposed-updates; urgency=low
+
+ * Fix upstream bug http://bugs.mysql.com/bug.php?id=25596
+
+ -- Tim Small <tim at buttersideup.com> Fri, 28 Mar 2008 20:03:42 +0000
+
mysql-dfsg-5.0 (5.0.32-7etch5) stable-security; urgency=high
* SECURITY:
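Review bot: the changelog entry cites upstream bug 25596 while the report text points at http://bugs.mysql.com/bug.php?id=25653, so one of the two numbers is wrong and should be reconciled before upload; the entry should also close the Debian bug this patch is attached to (Closes: #475159) so the BTS is updated automatically. It further omits the second change carried in this diff, the removal of the stray sql_parse.cc.rej hunk from 95_SECURITY_CVE-2007-3781.dpatch, which deserves its own bullet. Finally, the version `5.0.32-7etch5bright` with distribution `stable-proposed-updates` reads as a local rebuild suffix and should not be carried into an official upload; the preceding entry shows the `5.0.32-7etch5` / `stable-security` form the package actually uses.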
--- mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch 2008-03-28 19:41:37.000000000 +0000
+++ mysql-dfsg-5.0-5.0.32/debian/patches/95_SECURITY_CVE-2007-3781.dpatch 2008-03-31 18:12:57.000000000 +0100
@@ -170,27 +170,6 @@
error= FALSE;
err:
-diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej
---- mysql-dfsg-5.0-5.0.32.orig/sql/sql_parse.cc.rej 1970-01-01 01:00:00.000000000 +0100
-+++ mysql-dfsg-5.0-5.0.32/sql/sql_parse.cc.rej 2007-12-22 20:15:32.790866404 +0100
-@@ -0,0 +1,17 @@
-+***************
-+*** 3061,3067 ****
-+ else
-+ {
-+ /* regular create */
-+- if (lex->name)
-+ res= mysql_create_like_table(thd, create_table, &create_info,
-+ (Table_ident *)lex->name);
-+ else
-+--- 3062,3068 ----
-+ else
-+ {
-+ /* regular create */
-++ if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)
-+ res= mysql_create_like_table(thd, create_table, &create_info,
-+ (Table_ident *)lex->name);
-+ else
diff -Nur mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy
--- mysql-dfsg-5.0-5.0.32.orig/sql/sql_yacc.yy 2006-12-20 12:14:38.000000000 +0100
+++ mysql-dfsg-5.0-5.0.32/sql/sql_yacc.yy 2007-12-22 20:15:32.790866404 +0100
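Review bot: dropping the embedded sql_parse.cc.rej from 95_SECURITY_CVE-2007-3781.dpatch is correct (a dpatch must not create reject files in the source tree), but the removed lines are also the only record that one hunk of the CVE-2007-3781 fix, replacing `if (lex->name)` with `if (lex->create_info.options & HA_LEX_CREATE_TABLE_LIKE)` in sql_parse.cc, failed to apply when that dpatch was generated. Before deleting that trace, verify that the patched sql_parse.cc in the Etch build actually contains the HA_LEX_CREATE_TABLE_LIKE check; if it does not, the CVE-2007-3781 fix is incomplete and needs a corrected hunk rather than just the cleanup.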
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-1-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages mysql-server-5.0 depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf [debconf-2.0 1.5.11etch1 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libdbi-perl 1.53-1etch1 Perl5 database interface by Tim Bu
ii libgcc1 1:4.1.1-21 GCC support library
ii libmysqlclient15off 5.0.32-7etch5 mysql database client library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libreadline5 5.2-2 GNU readline and history libraries
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii lsb-base 3.1-23.2etch1 Linux Standard Base 3.1 init scrip
ii mysql-client-5.0 5.0.32-7etch5 mysql database client binaries
ii mysql-common 5.0.32-7etch5 mysql database common files (e.g.
ii passwd 1:4.0.18.1-7 change and administer password and
ii perl 5.8.8-7etch1 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages mysql-server-5.0 recommends:
ii mailx 1:8.1.2-0.20050715cvs-1 A simple mail user agent
-- debconf information excluded
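To make the failure mode concrete, the following is an added example, not code from the bug report or from MySQL: it lifts the two ib_isspace() variants from the patch and runs a bounded whitespace-skipping loop of the kind a tokenizer performs over a constructed buffer that contains an embedded NUL. The function names skip_ws_old/skip_ws_new, demo_old/demo_new and the sample buffer are mine; the bound argument exists only so the demonstration cannot itself read out of bounds, whereas the unpatched server has no such bound and relies on the NUL to mark the end of the SQL text.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * The two ib_isspace() variants from the patch, side by side. The original
 * form is wrong because strchr() treats the terminating NUL as part of the
 * searched string: strchr(" \v\f\t\r\n", '\0') returns a non-NULL pointer
 * to that terminator, so a NUL byte tests as whitespace. The fixed form
 * rejects a zero byte before strchr() is consulted.
 */
#define ib_isspace_old(c) strchr(" \v\f\t\r\n", c)
#define ib_isspace_new(c) ((char) (c) && strchr(" \v\f\t\r\n", c))

/*
 * Skip leading whitespace and return how many bytes were consumed as "space".
 * Both loops stop at an explicit bound so this demonstration stays in bounds;
 * the real tokenizer only has the NUL to stop it. Note that ib_isspace_new()
 * evaluates its argument twice, so never pass an expression with side
 * effects such as *p++ to it.
 */
size_t skip_ws_old(const char *s, size_t bound)
{
    size_t i = 0;
    while (i < bound && ib_isspace_old(s[i]))
        i++;
    return i;
}

size_t skip_ws_new(const char *s, size_t bound)
{
    size_t i = 0;
    while (i < bound && ib_isspace_new(s[i]))
        i++;
    return i;
}

/*
 * Constructed input (my own, not from the report): two spaces, the NUL that
 * terminates the "real" string, then three bytes standing in for whatever
 * happens to follow the query buffer in memory. strlen(sample) is 2 while
 * the array holds 6 bytes.
 */
static const char sample[] = "  \0XYZ";
#define SAMPLE_BYTES (sizeof(sample) - 1)

/* Bytes consumed by each variant; 3 means the loop ran past the terminator. */
size_t demo_old(void) { return skip_ws_old(sample, SAMPLE_BYTES); }
size_t demo_new(void) { return skip_ws_new(sample, SAMPLE_BYTES); }

int main(void)
{
    printf("strlen(sample)     = %zu\n", strlen(sample));                   /* 2 */
    printf("old macro consumed = %zu (past the terminator)\n", demo_old());  /* 3 */
    printf("new macro consumed = %zu (stops at the NUL)\n", demo_new());     /* 2 */
    return 0;
}
```

With the original macro the loop steps over the terminator and goes on classifying bytes that are no longer part of the statement, which is exactly the "read past the end of the string" behaviour described above; with the patched macro the NUL ends the scan where it should.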