From 1d1616dee3d76ef31f01bd4423ceff3831ce855b Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Wed, 22 Dec 2010 08:25:37 +0100
Subject: more work on MySQL 5.5.8
---
mysql-cve-2008-7247.patch | 58 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 mysql-cve-2008-7247.patch
(limited to 'mysql-cve-2008-7247.patch')
diff --git a/mysql-cve-2008-7247.patch b/mysql-cve-2008-7247.patch
new file mode 100644
index 0000000..acd460f
--- /dev/null
+++ b/mysql-cve-2008-7247.patch
@@ -0,0 +1,58 @@
+Back-ported patch for upstream bug #39277.
+
+
+diff -Naur mysql-5.1.42.orig/sql/sql_table.cc mysql-5.1.42/sql/sql_table.cc
+--- mysql-5.1.42.orig/sql/sql_table.cc 2009-12-16 12:57:30.000000000 -0500
++++ mysql-5.1.42/sql/sql_table.cc 2010-01-28 14:33:52.000000000 -0500
+@@ -3892,15 +3892,43 @@
+ create_info->table_existed= 0; // Mark that table is created
+
+ #ifdef HAVE_READLINK
+- if (test_if_data_home_dir(create_info->data_file_name))
+ {
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
+- goto unlock_and_end;
+- }
+- if (test_if_data_home_dir(create_info->index_file_name))
+- {
+- my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
+- goto unlock_and_end;
++ size_t dirlen;
++ char dirpath[FN_REFLEN];
++
++ /*
++ data_file_name and index_file_name include the table name without
++ extension. Mostly this does not refer to an existing file. When
++ comparing data_file_name or index_file_name against the data
++ directory, we try to resolve all symbolic links. On some systems,
++ we use realpath(3) for the resolution. This returns ENOENT if the
++ resolved path does not refer to an existing file. my_realpath()
++ does then copy the requested path verbatim, without symlink
++ resolution. Thereafter the comparison can fail even if the
++ requested path is within the data directory. E.g. if symlinks to
++ another file system are used. To make realpath(3) return the
++ resolved path, we strip the table name and compare the directory
++ path only. If the directory doesn't exist either, table creation
++ will fail anyway.
++ */
++ if (create_info->data_file_name)
++ {
++ dirname_part(dirpath, create_info->data_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "DATA DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
++ if (create_info->index_file_name)
++ {
++ dirname_part(dirpath, create_info->index_file_name, &dirlen);
++ if (test_if_data_home_dir(dirpath))
++ {
++ my_error(ER_WRONG_ARGUMENTS, MYF(0), "INDEX DIRECTORY");
++ goto unlock_and_end;
++ }
++ }
+ }
+
+ #ifdef WITH_PARTITION_STORAGE_ENGINE
-- cgit
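Review bot: The embedded patch is still diffed against mysql-5.1.42 (`--- mysql-5.1.42.orig/sql/sql_table.cc`, hunk at line 3892) while the commit subject says the package is moving to MySQL 5.5.8, so it is worth confirming that it applies there without fuzz and that 5.5.8 does not already carry the fix for upstream bug #39277. The patch header should state what the file name only implies, for example `Fixes CVE-2008-7247: the DATA DIRECTORY / INDEX DIRECTORY check compared an unresolved path when the table file did not exist yet.` The new directory check still rests on the assumption written in its own comment, that a non-existent directory makes table creation fail later; a regression test with a symlinked directory under the data home would keep that assumption verified. `dirlen` is filled in by `dirname_part()` but never read in the hunk, which deserves a short comment such as `/* dirlen is required by dirname_part() but unused here */`. The enclosing function starts and ends outside the hunk.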