~ubuntu-branches/ubuntu/lucid/mysql-dfsg-5.1/lucid-security

Viewing changes to debian/patches/56_CVE-2010-1850.dpatch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2012-02-22 22:33:55 UTC
  • mfrom: (1.1.5)
  • Revision ID: package-import@ubuntu.com-20120222223355-or06x1euyk8n0ldi
Tags: 5.1.61-0ubuntu0.10.04.1
* SECURITY UPDATE: Update to 5.1.61 to fix multiple security issues
  (LP: #937869)
  - http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
  - CVE-2011-2262
  - CVE-2012-0075
  - CVE-2012-0112
  - CVE-2012-0113
  - CVE-2012-0114
  - CVE-2012-0115
  - CVE-2012-0116
  - CVE-2012-0117
  - CVE-2012-0118
  - CVE-2012-0119
  - CVE-2012-0120
  - CVE-2012-0484
  - CVE-2012-0485
  - CVE-2012-0486
  - CVE-2012-0487
  - CVE-2012-0488
  - CVE-2012-0489
  - CVE-2012-0490
  - CVE-2012-0491
  - CVE-2012-0492
  - CVE-2012-0493
  - CVE-2012-0494
  - CVE-2012-0495
  - CVE-2012-0496
* Dropped patches unnecessary with 5.1.61:
  - debian/patches/90_mysql_safer_strmov.dpatch
  - debian/patches/51_ssl_test_certs.dpatch
  - debian/patches/52_CVE-2009-4030.dpatch
  - debian/patches/53_CVE-2009-4484.dpatch
  - debian/patches/54_CVE-2008-7247.dpatch
  - debian/patches/55_CVE-2010-1621.dpatch
  - debian/patches/56_CVE-2010-1850.dpatch
  - debian/patches/57_CVE-2010-1849.dpatch
  - debian/patches/58_CVE-2010-1848.dpatch
  - debian/patches/59_CVE-2010-1626.dpatch
  - debian/patches/60_CVE-2010-2008.dpatch
  - debian/patches/60_CVE-2010-3677.dpatch
  - debian/patches/60_CVE-2010-3678.dpatch
  - debian/patches/60_CVE-2010-3679.dpatch
  - debian/patches/60_CVE-2010-3680.dpatch
  - debian/patches/60_CVE-2010-3681.dpatch
  - debian/patches/60_CVE-2010-3682.dpatch
  - debian/patches/60_CVE-2010-3683.dpatch
  - debian/patches/60_CVE-2010-3833.dpatch
  - debian/patches/60_CVE-2010-3834.dpatch
  - debian/patches/60_CVE-2010-3835.dpatch
  - debian/patches/60_CVE-2010-3836.dpatch
  - debian/patches/60_CVE-2010-3837.dpatch
  - debian/patches/60_CVE-2010-3838.dpatch
  - debian/patches/60_CVE-2010-3839.dpatch
  - debian/patches/60_CVE-2010-3840.dpatch
  - debian/patches/61_disable_longfilename_test.dpatch
  - debian/patches/62_alter_table_fix.dpatch
  - debian/patches/63_cherrypick-upstream-49479.dpatch
  - debian/patches/10_readline_build_fix.dpatch
* debian/mysql-client-5.1.docs: removed EXCEPTIONS-CLIENT file
* debian/mysql-server-5.1.docs,debian/libmysqlclient16.docs,
  debian/libmysqlclient-dev.docs: removed, no longer necessary.

#! /bin/sh /usr/share/dpatch/dpatch-run
# Description: arbitrary code execution via crafted table name argument
#  to COM_FIELD_LIST
# Origin: backport, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/1810.3987.13
# Bug: http://bugs.mysql.com/bug.php?id=53237
# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582526
 
@DPATCH@
diff -urNad mysql-dfsg-5.1-5.1.41~/sql/sql_parse.cc mysql-dfsg-5.1-5.1.41/sql/sql_parse.cc
--- mysql-dfsg-5.1-5.1.41~/sql/sql_parse.cc     2009-11-04 13:31:05.000000000 -0500
+++ mysql-dfsg-5.1-5.1.41/sql/sql_parse.cc      2010-05-21 14:58:25.000000000 -0400
@@ -1298,8 +1298,16 @@
       We have name + wildcard in packet, separated by endzero
     */
     arg_end= strend(packet);
+    uint arg_length= arg_end - packet;
+    
+    /* Check given table name length. */
+    if (arg_length >= packet_length || arg_length > NAME_LEN)
+    {
+      my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+      break;
+    }
     thd->convert_string(&conv_name, system_charset_info,
-                       packet, (uint) (arg_end - packet), thd->charset());
+                       packet, arg_length, thd->charset());
     table_list.alias= table_list.table_name= conv_name.str;
     packet= arg_end + 1;
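
Review bot: the length check sits after `arg_end= strend(packet);`, so `arg_length >= packet_length` detects a name that runs past the packet only once the scan for the terminator has already happened; a scan bounded by `packet_length` would not depend on a NUL being present beyond the packet data. Two smaller points: `uint arg_length= arg_end - packet;` drops the explicit `(uint)` cast that the removed `convert_string` argument had, and `arg_length > NAME_LEN` is tested before `thd->convert_string(...)`, so it bounds the length in the client character set rather than the length of `conv_name`; checking the converted length as well would make the intent clearer. The added blank `+` line also carries trailing whitespace.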