patch is from http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26 this fixes an undisclosed security issue CVE-2012-5579. Upon disclosure, see https://mariadb.atlassian.net/browse/MDEV-3884 for more information. === modified file 'mysql-test/r/information_schema.result' --- a/mysql-test/r/information_schema.result 2012-11-09 19:15:23 +0000 +++ b/mysql-test/r/information_schema.result 2012-11-12 18:56:51 +0000 @@ -1678,6 +1678,10 @@ length(CAST(b AS CHAR)) 20 DROP TABLE ubig; +grant usage on *.* to mysqltest_1@localhost; +select 1 from information_schema.tables where table_schema=repeat('a', 2000); +1 +drop user mysqltest_1@localhost; End of 5.1 tests. # # Additional test for WL#3726 "DDL locking for all metadata objects" === modified file 'mysql-test/t/information_schema.test' --- a/mysql-test/t/information_schema.test 2012-11-09 19:15:23 +0000 +++ b/mysql-test/t/information_schema.test 2012-11-12 18:56:51 +0000 @@ -1442,6 +1442,13 @@ DROP TABLE ubig; +grant usage on *.* to mysqltest_1@localhost; +connect (con1, localhost, mysqltest_1,,); +connection con1; +select 1 from information_schema.tables where table_schema=repeat('a', 2000); +connection default; +disconnect con1; +drop user mysqltest_1@localhost; --echo End of 5.1 tests. === modified file 'sql/sql_acl.cc' --- a/sql/sql_acl.cc 2011-11-21 17:13:14 +0000 +++ b/sql/sql_acl.cc 2012-11-12 18:56:51 +0000 @@ -1631,14 +1631,20 @@ acl_entry *entry; DBUG_ENTER("acl_get"); - mysql_mutex_lock(&acl_cache->lock); - end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db); + tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1; + end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db); + + if (end >= key + sizeof(key)) // db name was truncated + DBUG_RETURN(0); // no privileges for an invalid db name + if (lower_case_table_names) { my_casedn_str(files_charset_info, tmp_db); db=tmp_db; } key_length= (size_t) (end-key); + + mysql_mutex_lock(&acl_cache->lock); if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key, key_length))) { @@ -4952,11 +4958,17 @@ bool check_grant_db(THD *thd,const char *db) { Security_context *sctx= thd->security_ctx; - char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2]; + char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end; uint len; bool error= TRUE; - len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1; + end= strmov(helping, sctx->priv_user) + 1; + end= strnmov(end, db, helping + sizeof(helping) - end); + + if (end >= helping + sizeof(helping)) // db name was truncated + return 1; // no privileges for an invalid db name + + len= (uint) (end - helping) + 1; mysql_rwlock_rdlock(&LOCK_grant);