
mariadb-5.5.28-13.mga3.src.rpm

patch is from http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26

This fixes an undisclosed security issue, CVE-2012-5579. Once it has been disclosed, see
https://mariadb.atlassian.net/browse/MDEV-3884 for more information.

=== modified file 'mysql-test/r/information_schema.result'
--- a/mysql-test/r/information_schema.result	2012-11-09 19:15:23 +0000
+++ b/mysql-test/r/information_schema.result	2012-11-12 18:56:51 +0000
@@ -1678,6 +1678,10 @@
 length(CAST(b AS CHAR))
 20
 DROP TABLE ubig;
+grant usage on *.* to mysqltest_1@localhost;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+1
+drop user mysqltest_1@localhost;
 End of 5.1 tests.
 #
 # Additional test for WL#3726 "DDL locking for all metadata objects"

=== modified file 'mysql-test/t/information_schema.test'
--- a/mysql-test/t/information_schema.test	2012-11-09 19:15:23 +0000
+++ b/mysql-test/t/information_schema.test	2012-11-12 18:56:51 +0000
@@ -1442,6 +1442,13 @@
 
 DROP TABLE ubig;
 
+grant usage on *.* to mysqltest_1@localhost;
+connect (con1, localhost, mysqltest_1,,);
+connection con1;
+select 1 from information_schema.tables where table_schema=repeat('a', 2000);
+connection default;
+disconnect con1;
+drop user mysqltest_1@localhost;
 
 --echo End of 5.1 tests.
 
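Review bot: The added select only covers a db name far longer than the acl key buffer (2000 chars), so the exact boundary that the sql_acl.cc fix checks (`end >= key + sizeof(key)`) is not exercised and an off-by-one in that comparison would still pass this test. Consider a second select with `table_schema=repeat('a', <longest-fitting-length>)` and one with that length plus one, recording the expected empty result for both in information_schema.result. The con1 connection as an unprivileged user is presumably what routes the query through the acl lookup, so the extra cases belong inside the con1 block rather than on the default connection.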

=== modified file 'sql/sql_acl.cc'
--- a/sql/sql_acl.cc	2011-11-21 17:13:14 +0000
+++ b/sql/sql_acl.cc	2012-11-12 18:56:51 +0000
@@ -1631,14 +1631,20 @@
   acl_entry *entry;
   DBUG_ENTER("acl_get");
 
-  mysql_mutex_lock(&acl_cache->lock);
-  end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
+  tmp_db= strmov(strmov(key, ip ? ip : "") + 1, user) + 1;
+  end= strnmov(tmp_db, db, key + sizeof(key) - tmp_db);
+
+  if (end >= key + sizeof(key)) // db name was truncated
+    DBUG_RETURN(0);             // no privileges for an invalid db name
+
   if (lower_case_table_names)
   {
     my_casedn_str(files_charset_info, tmp_db);
     db=tmp_db;
   }
   key_length= (size_t) (end-key);
+
+  mysql_mutex_lock(&acl_cache->lock);
   if (!db_is_pattern && (entry=(acl_entry*) acl_cache->search((uchar*) key,
                                                               key_length)))
   {
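Review bot: The remaining-length argument `key + sizeof(key) - tmp_db` passed to strnmov is only meaningful if the two preceding unbounded strmov calls for ip and user left tmp_db inside key; if they did not, the difference is negative and its conversion to size_t makes the copy effectively unbounded again. ip and user are presumably length-checked on their own paths, but a guard before the copy, `if (tmp_db >= key + sizeof(key)) DBUG_RETURN(0);`, would make the fix self-contained, and the same consideration applies to `helping + sizeof(helping) - end` in check_grant_db below. The early return is correctly placed before mysql_mutex_lock is taken, so no lock is leaked; that ordering is deliberate and deserves a comment such as `// build the key before taking the lock so the truncation early-return needs no unlock`. acl_get's signature and the declaration of key are outside the hunk, so the sizeof(key) check relies on key being a fixed-size array there rather than a pointer.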
@@ -4952,11 +4958,17 @@
 bool check_grant_db(THD *thd,const char *db)
 {
   Security_context *sctx= thd->security_ctx;
-  char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2];
+  char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end;
   uint len;
   bool error= TRUE;
 
-  len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;
+  end= strmov(helping, sctx->priv_user) + 1;
+  end= strnmov(end, db, helping + sizeof(helping) - end);
+
+  if (end >= helping + sizeof(helping)) // db name was truncated
+    return 1;                           // no privileges for an invalid db name
+
+  len= (uint) (end - helping) + 1;
 
   mysql_rwlock_rdlock(&LOCK_grant);