~ubuntu-branches/ubuntu/lucid/mysql-dfsg-5.1/lucid-security


Viewing changes to debian/patches/60_CVE-2010-3840.dpatch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2012-02-22 22:33:55 UTC
  • mfrom: (1.1.5)
  • Revision ID: package-import@ubuntu.com-20120222223355-or06x1euyk8n0ldi
Tags: 5.1.61-0ubuntu0.10.04.1
* SECURITY UPDATE: Update to 5.1.61 to fix multiple security issues
  (LP: #937869)
  - http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
  - CVE-2011-2262
  - CVE-2012-0075
  - CVE-2012-0112
  - CVE-2012-0113
  - CVE-2012-0114
  - CVE-2012-0115
  - CVE-2012-0116
  - CVE-2012-0117
  - CVE-2012-0118
  - CVE-2012-0119
  - CVE-2012-0120
  - CVE-2012-0484
  - CVE-2012-0485
  - CVE-2012-0486
  - CVE-2012-0487
  - CVE-2012-0488
  - CVE-2012-0489
  - CVE-2012-0490
  - CVE-2012-0491
  - CVE-2012-0492
  - CVE-2012-0493
  - CVE-2012-0494
  - CVE-2012-0495
  - CVE-2012-0496
* Dropped patches unnecessary with 5.1.61:
  - debian/patches/90_mysql_safer_strmov.dpatch
  - debian/patches/51_ssl_test_certs.dpatch
  - debian/patches/52_CVE-2009-4030.dpatch
  - debian/patches/53_CVE-2009-4484.dpatch
  - debian/patches/54_CVE-2008-7247.dpatch
  - debian/patches/55_CVE-2010-1621.dpatch
  - debian/patches/56_CVE-2010-1850.dpatch
  - debian/patches/57_CVE-2010-1849.dpatch
  - debian/patches/58_CVE-2010-1848.dpatch
  - debian/patches/59_CVE-2010-1626.dpatch
  - debian/patches/60_CVE-2010-2008.dpatch
  - debian/patches/60_CVE-2010-3677.dpatch
  - debian/patches/60_CVE-2010-3678.dpatch
  - debian/patches/60_CVE-2010-3679.dpatch
  - debian/patches/60_CVE-2010-3680.dpatch
  - debian/patches/60_CVE-2010-3681.dpatch
  - debian/patches/60_CVE-2010-3682.dpatch
  - debian/patches/60_CVE-2010-3683.dpatch
  - debian/patches/60_CVE-2010-3833.dpatch
  - debian/patches/60_CVE-2010-3834.dpatch
  - debian/patches/60_CVE-2010-3835.dpatch
  - debian/patches/60_CVE-2010-3836.dpatch
  - debian/patches/60_CVE-2010-3837.dpatch
  - debian/patches/60_CVE-2010-3838.dpatch
  - debian/patches/60_CVE-2010-3839.dpatch
  - debian/patches/60_CVE-2010-3840.dpatch
  - debian/patches/61_disable_longfilename_test.dpatch
  - debian/patches/62_alter_table_fix.dpatch
  - debian/patches/63_cherrypick-upstream-49479.dpatch
  - debian/patches/10_readline_build_fix.dpatch
* debian/mysql-client-5.1.docs: removed EXCEPTIONS-CLIENT file
* debian/mysql-server-5.1.docs,debian/libmysqlclient16.docs,
  debian/libmysqlclient-dev.docs: removed, no longer necessary.

1
 
#! /bin/sh /usr/share/dpatch/dpatch-run
2
 
# Description: fix denial of service via PolyFromWKB() function and improper data.
3
 
# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3452.1.42
4
 
# Bug: http://bugs.mysql.com/bug.php?id=51875
5
 
 
6
 
@DPATCH@
7
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-dfsg-5.1-5.1.41~/mysql-test/r/gis.result mysql-dfsg-5.1-5.1.41/mysql-test/r/gis.result
8
 
--- mysql-dfsg-5.1-5.1.41~/mysql-test/r/gis.result      2009-11-04 14:01:11.000000000 -0500
9
 
+++ mysql-dfsg-5.1-5.1.41/mysql-test/r/gis.result       2010-11-08 13:03:38.000000000 -0500
10
 
@@ -1044,4 +1044,11 @@
11
 
 SELECT Polygon(12345123,'');
12
 
 Polygon(12345123,'')
13
 
 NULL
14
 
+#
15
 
+# BUG#51875: crash when loading data into geometry function polyfromwkb
16
 
+#
17
 
+SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
18
 
+SET @a=POLYFROMWKB(@a);
19
 
+SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
20
 
+SET @a=POLYFROMWKB(@a);
21
 
 End of 5.1 tests
22
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-dfsg-5.1-5.1.41~/mysql-test/t/gis.test mysql-dfsg-5.1-5.1.41/mysql-test/t/gis.test
23
 
--- mysql-dfsg-5.1-5.1.41~/mysql-test/t/gis.test        2009-11-04 14:00:43.000000000 -0500
24
 
+++ mysql-dfsg-5.1-5.1.41/mysql-test/t/gis.test 2010-11-08 13:03:38.000000000 -0500
25
 
@@ -707,4 +707,14 @@
26
 
 SELECT Polygon(1234512,'');
27
 
 SELECT Polygon(12345123,'');
28
 
 
29
 
+
30
 
+--echo #
31
 
+--echo # BUG#51875: crash when loading data into geometry function polyfromwkb
32
 
+--echo #
33
 
+SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
34
 
+SET @a=POLYFROMWKB(@a);
35
 
+SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
36
 
+SET @a=POLYFROMWKB(@a);
37
 
+
38
 
+
39
 
 --echo End of 5.1 tests
40
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-dfsg-5.1-5.1.41~/sql/spatial.cc mysql-dfsg-5.1-5.1.41/sql/spatial.cc
41
 
--- mysql-dfsg-5.1-5.1.41~/sql/spatial.cc       2009-11-04 13:31:03.000000000 -0500
42
 
+++ mysql-dfsg-5.1-5.1.41/sql/spatial.cc        2010-11-08 13:03:38.000000000 -0500
43
 
@@ -522,7 +522,7 @@
44
 
   n_points= wkb_get_uint(wkb, bo);
45
 
   proper_length= 4 + n_points * POINT_DATA_SIZE;
46
 
 
47
 
-  if (len < proper_length || res->reserve(proper_length))
48
 
+  if (!n_points || len < proper_length || res->reserve(proper_length))
49
 
     return 0;
50
 
 
51
 
   res->q_append(n_points);
52
 
@@ -740,7 +740,9 @@
53
 
   if (len < 4)
54
 
     return 0;
55
 
 
56
 
-  n_linear_rings= wkb_get_uint(wkb, bo);
57
 
+  if (!(n_linear_rings= wkb_get_uint(wkb, bo)))
58
 
+    return 0;
59
 
+
60
 
   if (res->reserve(4, 512))
61
 
     return 0;
62
 
   wkb+= 4;
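Review bot: In the first spatial.cc hunk, `proper_length= 4 + n_points * POINT_DATA_SIZE;` is still computed from the WKB-supplied point count before any upper bound is applied, so the added `!n_points` test covers only the zero case. If both variables are 32-bit unsigned (their declarations are outside the hunk), a very large count can wrap the product; `len < proper_length` would then compare against a small value while `res->q_append(n_points)` stores the original count. Bounding the count against the input length before multiplying would close that, e.g. `if (!n_points || n_points > (len - 4) / POINT_DATA_SIZE || res->reserve(proper_length))`, assuming this function has already rejected `len < 4` the way the function in the second hunk does. Both function bodies start and end outside the hunks shown, so this should be confirmed against the full file.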