#! /bin/sh /usr/share/dpatch/dpatch-run
# Description: fix arbitrary code execution via a stack buffer overflow in yaSSL certificate name parsing (CertDecoder::GetName)
# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3311.1.3
# Bug: http://bugs.mysql.com/bug.php?id=50227
diff -urNad mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/include/asn.hpp mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/include/asn.hpp
8
--- mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/include/asn.hpp 2009-11-04 13:28:12.000000000 -0500
9
+++ mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/include/asn.hpp 2010-02-22 16:28:36.000000000 -0500
11
bool ValidateSignature(SignerList*);
12
bool ConfirmSignature(Source&);
14
+ char* AddTag(char*, const char*, const char*, word32, word32);
15
void GetName(NameType);
17
void GetDate(DateType);
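Review bot: The new `AddTag` declaration carries neither parameter names nor a comment, yet its contract is the whole point of this fix: judging by the callers' `if (!(ptr= AddTag(...)))` tests it signals "does not fit" by returning a null pointer, and every caller must treat that as an error rather than keep writing. Name the parameters and state this at the declaration, e.g. `// Appends tag_name (tag_name_length bytes) and the next tag_value_length bytes of source_ at ptr; returns the advanced ptr, or 0 if they would not fit before buf_end.` It is also worth noting there that `buf_end` must already leave room for the trailing 0, since that is how the callers compute it (`sizeof(issuer_) - 1`) and nothing in `AddTag` itself reserves it.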
18
diff -urNad mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/src/asn.cpp mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/src/asn.cpp
19
--- mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/src/asn.cpp 2009-11-04 13:28:13.000000000 -0500
20
+++ mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/src/asn.cpp 2010-02-22 16:28:36.000000000 -0500
25
+char *CertDecoder::AddTag(char *ptr, const char *buf_end,
26
+ const char *tag_name, word32 tag_name_length,
27
+ word32 tag_value_length)
29
+ if (ptr + tag_name_length + tag_value_length > buf_end)
32
+ memcpy(ptr, tag_name, tag_name_length);
33
+ ptr+= tag_name_length;
35
+ memcpy(ptr, source_.get_current(), tag_value_length);
36
+ ptr+= tag_value_length;
42
// process NAME, either issuer or subject
43
void CertDecoder::GetName(NameType nt)
48
word32 length = GetSequence(); // length of all distinguished names
49
- assert (length < ASN_NAME_MAX);
51
+ if (length >= ASN_NAME_MAX)
53
length += source_.get_index();
55
- char* ptr = (nt == ISSUER) ? issuer_ : subject_;
57
+ char *ptr, *buf_end;
61
+ buf_end= ptr + sizeof(issuer_) - 1; // 1 byte for trailing 0
65
+ buf_end= ptr + sizeof(subject_) - 1; // 1 byte for trailing 0
68
while (source_.get_index() < length) {
71
byte id = source_.next();
72
b = source_.next(); // strType
73
word32 strLen = GetLength(source_);
76
- if (id == COMMON_NAME) {
77
- memcpy(&ptr[idx], "/CN=", 4);
81
- else if (id == SUR_NAME) {
82
- memcpy(&ptr[idx], "/SN=", 4);
86
- else if (id == COUNTRY_NAME) {
87
- memcpy(&ptr[idx], "/C=", 3);
91
- else if (id == LOCALITY_NAME) {
92
- memcpy(&ptr[idx], "/L=", 3);
96
- else if (id == STATE_NAME) {
97
- memcpy(&ptr[idx], "/ST=", 4);
101
- else if (id == ORG_NAME) {
102
- memcpy(&ptr[idx], "/O=", 3);
106
- else if (id == ORGUNIT_NAME) {
107
- memcpy(&ptr[idx], "/OU=", 4);
113
- memcpy(&ptr[idx], source_.get_current(), strLen);
117
+ if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen)))
121
+ if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen)))
125
+ if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen)))
128
+ case LOCALITY_NAME:
129
+ if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen)))
133
+ if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen)))
137
+ if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen)))
141
+ if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen)))
146
sha.Update(source_.get_current(), strLen);
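Review bot: The bound check in AddTag, `if (ptr + tag_name_length + tag_value_length > buf_end)`, forms a pointer far outside the buffer when the lengths are large, and `tag_value_length` is the `strLen` that `GetLength(source_)` reads straight from the certificate; on a 32-bit build the addition can wrap to an address below `buf_end`, so the check passes and the second `memcpy` runs with the attacker's length. Compare against the remaining room instead, e.g. `word32 avail = buf_end - ptr; if (tag_name_length > avail || tag_value_length > avail - tag_name_length) return 0;`, which keeps every intermediate value in range and cannot wrap (callers establish `ptr <= buf_end` when they set `buf_end`). Whether `GetLength` already limits `strLen` to the bytes left in `source_` is not visible in this hunk; if it does not, the `memcpy` from `source_.get_current()` can still read past the end of the certificate buffer even with the destination check in place. GetName's body continues past the end of the hunk.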
147
@@ -739,23 +755,20 @@
148
source_.advance(oidSz + 1);
149
word32 length = GetLength(source_);
152
- memcpy(&ptr[idx], "/emailAddress=", 14);
155
- memcpy(&ptr[idx], source_.get_current(), length);
158
+ if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length)))
161
source_.advance(length);
168
- sha.Final(issuerHash_);
170
- sha.Final(subjectHash_);
171
+ sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_);
176
+ source_.SetError(CONTENT_E);