~clint-fewbar/ubuntu/lucid/mysql-dfsg-5.1/sru-576949

Viewing changes to debian/patches/53_CVE-2009-4484.dpatch

Committer: Bazaar Package Importer
Author(s): Marc Deslauriers
Date: 2010-02-22 16:29:37 UTC
Revision ID: james.westby@ubuntu.com-20100222162937-lvj5tpszlw3iukef

Tags: 5.1.41-3ubuntu7

* SECURITY UPDATE: privilege restriction bypass via incorrect calculation
  of the mysql_unpacked_real_data_home value
  - debian/patches/52_CVE-2009-4030.dpatch: fix initialization order in
    sql/mysqld.cc.
  - CVE-2009-4030
* SECURITY UPDATE: arbitrary code execution via yassl stack overflow
  - debian/patches/53_CVE-2009-4484.dpatch: validate lengths in
    extra/yassl/taocrypt/src/asn.*.
  - CVE-2009-4484
* SECURITY UPDATE: access restriction bypass via symlink
  - debian/patches/54_CVE-2008-7247.dpatch: improve symlink handling in
    sql/sql_table.cc.
  - CVE-2008-7247

files added:
debian/patches/52_CVE-2009-4030.dpatch

debian/patches/53_CVE-2009-4484.dpatch

debian/patches/54_CVE-2008-7247.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/53_CVE-2009-4484.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

# Description: fix arbitrary code execution via yassl stack overflow

# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3311.1.3

# Bug: http://bugs.mysql.com/bug.php?id=50227

@DPATCH@

diff -urNad mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/include/asn.hpp mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/include/asn.hpp

--- mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/include/asn.hpp 2009-11-04 13:28:12.000000000 -0500

+++ mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/include/asn.hpp 2010-02-22 16:28:36.000000000 -0500

@@ -305,6 +305,7 @@

bool ValidateSignature(SignerList*);

bool ConfirmSignature(Source&);

void GetKey();

+ char* AddTag(char*, const char*, const char*, word32, word32);

void GetName(NameType);

void GetValidity();

void GetDate(DateType);

diff -urNad mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/src/asn.cpp mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/src/asn.cpp

--- mysql-dfsg-5.1-5.1.41~/extra/yassl/taocrypt/src/asn.cpp 2009-11-04 13:28:13.000000000 -0500

+++ mysql-dfsg-5.1-5.1.41/extra/yassl/taocrypt/src/asn.cpp 2010-02-22 16:28:36.000000000 -0500

@@ -652,6 +652,23 @@

}

+char *CertDecoder::AddTag(char *ptr, const char *buf_end,

+ const char *tag_name, word32 tag_name_length,

+ word32 tag_value_length)

+ if (ptr + tag_name_length + tag_value_length > buf_end)

+ return 0;

+ memcpy(ptr, tag_name, tag_name_length);

+ ptr+= tag_name_length;

+ memcpy(ptr, source_.get_current(), tag_value_length);

+ ptr+= tag_value_length;

+ return ptr;

// process NAME, either issuer or subject

void CertDecoder::GetName(NameType nt)

{

@@ -659,11 +676,21 @@

SHA sha;

word32 length = GetSequence(); // length of all distinguished names

- assert (length < ASN_NAME_MAX);

+ if (length >= ASN_NAME_MAX)

+ goto err;

length += source_.get_index();

- char* ptr = (nt == ISSUER) ? issuer_ : subject_;

- word32 idx = 0;

+ char *ptr, *buf_end;

+ if (nt == ISSUER) {

+ ptr= issuer_;

+ buf_end= ptr + sizeof(issuer_) - 1; // 1 byte for trailing 0

+ }

+ else {

+ ptr= subject_;

+ buf_end= ptr + sizeof(subject_) - 1; // 1 byte for trailing 0

+ }

while (source_.get_index() < length) {

GetSet();

@@ -685,47 +712,36 @@

byte id = source_.next();

b = source_.next(); // strType

word32 strLen = GetLength(source_);

- bool copy = false;

- if (id == COMMON_NAME) {

- memcpy(&ptr[idx], "/CN=", 4);

- idx += 4;

- copy = true;

- }

- else if (id == SUR_NAME) {

- memcpy(&ptr[idx], "/SN=", 4);

- idx += 4;

- copy = true;

- }

- else if (id == COUNTRY_NAME) {

- memcpy(&ptr[idx], "/C=", 3);

- idx += 3;

- copy = true;

- }

- else if (id == LOCALITY_NAME) {

- memcpy(&ptr[idx], "/L=", 3);

- idx += 3;

- copy = true;

- }

- else if (id == STATE_NAME) {

- memcpy(&ptr[idx], "/ST=", 4);

- idx += 4;

- copy = true;

100

- }

101

- else if (id == ORG_NAME) {

102

- memcpy(&ptr[idx], "/O=", 3);

103

- idx += 3;

104

- copy = true;

105

- }

106

- else if (id == ORGUNIT_NAME) {

107

- memcpy(&ptr[idx], "/OU=", 4);

108

- idx += 4;

109

- copy = true;

110

- }

111

112

- if (copy) {

113

- memcpy(&ptr[idx], source_.get_current(), strLen);

114

- idx += strLen;

115

+ switch (id) {

116

+ case COMMON_NAME:

117

+ if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen)))

118

+ goto err;

119

+ break;

120

+ case SUR_NAME:

121

+ if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen)))

122

+ goto err;

123

+ break;

124

+ case COUNTRY_NAME:

125

+ if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen)))

126

+ goto err;

127

+ break;

128

+ case LOCALITY_NAME:

129

+ if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen)))

130

+ goto err;

131

+ break;

132

+ case STATE_NAME:

133

+ if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen)))

134

+ goto err;

135

+ break;

136

+ case ORG_NAME:

137

+ if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen)))

138

+ goto err;

139

+ break;

140

+ case ORGUNIT_NAME:

141

+ if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen)))

142

+ goto err;

143

+ break;

144

}

145

146

sha.Update(source_.get_current(), strLen);

147

@@ -739,23 +755,20 @@

148

source_.advance(oidSz + 1);

149

word32 length = GetLength(source_);

150

151

- if (email) {

152

- memcpy(&ptr[idx], "/emailAddress=", 14);

153

- idx += 14;

154

155

- memcpy(&ptr[idx], source_.get_current(), length);

156

- idx += length;

157

- }

158

+ if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length)))

159

+ goto err;

160

161

source_.advance(length);

162

}

163

}

164

- ptr[idx++] = 0;

165

+ *ptr= 0;

166

167

- if (nt == ISSUER)

168

- sha.Final(issuerHash_);

169

- else

170

- sha.Final(subjectHash_);

171

+ sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_);

172

173

+ return;

174

175

+err:

176

+ source_.SetError(CONTENT_E);

177

}

178

179

Older »