[debian-mysql] Bug#536726: Regarding CVE-2009-2446: Problems with COM_CREATE_DB etc.
Sergei Golubchik
serg at mysql.com
Tue Jul 21 07:29:04 UTC 2009
Hi, Christian!
On Jul 21, Christian Hammers wrote:
> Hello MySQL
>
> Debian was notified about
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446
> and we would like to backport the fix to our already released 5.0.51
> package.
>
> Can you confirm that the snippet below is a proper fix?
> It comments out the two commands COM_CREATE_DB and COM_DROP_DB, as
> I saw it in the 5.1 branch.
Yes, your fix should be fine.
If you want to have these commands working, you can apply a standard fix
for these kinds of problems, like
- mysql_log.write(thd,command,packet);
+ mysql_log.write(thd,command,"%s",packet);
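Review bot: the change is correct for the line shown, but the quoted message names two commands (COM_CREATE_DB and COM_DROP_DB), so every mysql_log.write call that passes `packet` directly as the format needs the same `"%s"` treatment, not just this one site; it would be worth checking each call site in sql_parse.cc and stating in the commit message that `packet` is client-supplied, which is why passing it as the format string is the bug being fixed.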
> Sadly the sql_parse.cc file is too big to be viewed using bazaar (gives
> timeouts) and I cannot find the original commit or a bug in
> bugs.mysql.com which would give me some hints if other changes were
> necessary.
This is our fix for 5.0:
http://lists.mysql.com/commits/77649
You probably won't be able to see the bug itself; it is private until the
released version is out.
But according to the comments, the fix was pushed to 5.0.84.
Regards / Kind regards,
Sergei
--
Sergei Golubchik <serg at sun.com>
Principal Software Engineer/Server Architect
Sun Microsystems GmbH, HRB München 161028
Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Chairman of the Supervisory Board: Martin Häring
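The "standard fix" Sergei points at, as an added C example that is not MySQL code: a minimal printf-style logger with the same call shape as mysql_log.write(thd, command, packet), the vulnerable call beside the fixed `"%s"` call, plus the compiler attribute that makes the vulnerable shape visible at build time. All function names, the command numbers and the sample packets are invented here.

```c
/* Added example, not MySQL source: a minimal printf-style logger with the
 * same call shape as mysql_log.write(thd, command, packet), showing the
 * vulnerable call beside the fixed one from the message above.  All names
 * (log_write, log_command_vulnerable, log_command_fixed, logs_as,
 * count_format_directives) and the command numbers are invented here. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { COM_CREATE_DB = 1, COM_DROP_DB = 2 };   /* illustrative values only */

/* printf-style sink.  The format attribute lets gcc/clang warn under
 * -Wformat -Wformat-security when a caller passes a non-literal format
 * with no arguments, which is exactly the vulnerable call shape below. */
static int log_write(char *out, size_t outlen, int command, const char *fmt, ...)
#ifdef __GNUC__
    __attribute__((format(printf, 4, 5)))
#endif
    ;

static int log_write(char *out, size_t outlen, int command, const char *fmt, ...)
{
    const char *name = command == COM_CREATE_DB ? "COM_CREATE_DB"
                     : command == COM_DROP_DB   ? "COM_DROP_DB"
                     : "COM_UNKNOWN";
    int n = snprintf(out, outlen, "%s: ", name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                         /* prefix alone did not fit */
    va_list ap;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;                         /* message truncated */
    return n + m;
}

/* Vulnerable shape: the client-supplied packet (the database name) becomes
 * the format string, so every '%' in it is interpreted by vsnprintf.  With
 * real conversions (%s, %x, %n) that reads from, or with %n writes to,
 * whatever happens to be in the variadic argument area: undefined
 * behaviour.  Kept only to show the difference; never feed it untrusted
 * input. */
int log_command_vulnerable(char *out, size_t outlen, int command, const char *packet)
{
    return log_write(out, outlen, command, packet);
}

/* Fixed shape from the message: a literal format and the packet as data. */
int log_command_fixed(char *out, size_t outlen, int command, const char *packet)
{
    return log_write(out, outlen, command, "%s", packet);
}

/* Log `packet` through one of the two paths and report whether the logged
 * line equals `expected`.  "%%" is the only directive that is safe to send
 * through the vulnerable path, and it already shows the interpretation. */
int logs_as(int use_fixed, int command, const char *packet, const char *expected)
{
    char buf[64];
    int n = use_fixed ? log_command_fixed(buf, sizeof buf, command, packet)
                      : log_command_vulnerable(buf, sizeof buf, command, packet);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Count the '%' conversions a printf-family function would act on if `s`
 * were used as the format string; "%%" is a literal percent and is skipped.
 * Handy triage for log samples or fuzz inputs hitting a suspect sink. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] == '\0')
            break;                            /* dangling '%' at end */
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *packet = "100%%";          /* constructed database name */
    log_command_vulnerable(buf, sizeof buf, COM_CREATE_DB, packet);
    printf("vulnerable: %s\n", buf);       /* COM_CREATE_DB: 100%  */
    log_command_fixed(buf, sizeof buf, COM_CREATE_DB, packet);
    printf("fixed:      %s\n", buf);       /* COM_CREATE_DB: 100%% */
    printf("directives in \"db%%s%%n\": %d\n", count_format_directives("db%s%n"));
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security`; the body of `log_command_vulnerable` is the one line the compiler flags (a warning along the lines of "format not a string literal and no format arguments"), which is the same check worth running over the real sql_parse.cc call sites after applying the backport. Only `%%` is exercised through the vulnerable path here because any other conversion in the packet would be undefined behaviour, which is precisely what the original bug exposes.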