ports/129979: [vuxml] [patch] document CVE-2008-4097, CVE-2008-4098 and update databases/mysql50-* to 5.0.75

Eygene Ryabinkin rea-fbsd at codelabs.ru
Sat Dec 27 18:10:05 UTC 2008


>Number:         129979
>Category:       ports
>Synopsis:       [vuxml] [patch] document CVE-2008-4097, CVE-2008-4098 and update databases/mysql50-* to 5.0.75
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 27 18:10:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

http://www.vuxml.org/freebsd/388d9ee4-7f22-11dd-a66a-0019666436c2.html
describes the first attempt to fix the symlink-related vulnerability
with MyISAM tables, but the fix is incomplete.

>How-To-Repeat:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25
http://bugs.mysql.com/bug.php?id=32167

>Fix:

The following patch upgrades mysql50-* to 5.0.75, because 5.0.67
contains only a partial fix.

--- mysql50-server-upgrade-to-5.0.75.diff begins here ---
>From 0f7073f615a88b2d2f240ab0067c3a2f2d109644 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sat, 27 Dec 2008 18:06:52 +0300

Eventually fix CVE-2008-4097 and CVE-2008-4098.

I have tested only compilability and proper FreeBSD packaging
for mysql50-{server,client,scripts}.

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 databases/mysql50-server/Makefile                  |    3 +--
 databases/mysql50-server/distinfo                  |    6 +++---
 .../files/patch-client_mysql_upgrade.c             |   13 -------------
 3 files changed, 4 insertions(+), 18 deletions(-)
 delete mode 100644 databases/mysql50-server/files/patch-client_mysql_upgrade.c

diff --git a/databases/mysql50-server/Makefile b/databases/mysql50-server/Makefile
index f767eda..24c7650 100644
--- a/databases/mysql50-server/Makefile
+++ b/databases/mysql50-server/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME?=	mysql
-PORTVERSION=	5.0.67
-PORTREVISION?=	1
+PORTVERSION=	5.0.75
 CATEGORIES=	databases
 MASTER_SITES=	${MASTER_SITE_MYSQL}
 MASTER_SITE_SUBDIR=	MySQL-5.0
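Review bot: dropping `PORTREVISION?= 1` together with the `PORTVERSION` bump to 5.0.75 is right for this Makefile, but the `?=` assignments suggest that slave ports can set their own values, and the patch touches only databases/mysql50-server. Please confirm that mysql50-client and mysql50-scripts carry no PORTREVISION of their own that would survive the bump, and reset it in the same change if they do.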
diff --git a/databases/mysql50-server/distinfo b/databases/mysql50-server/distinfo
index 0d84b3c..416a630 100644
--- a/databases/mysql50-server/distinfo
+++ b/databases/mysql50-server/distinfo
@@ -1,3 +1,3 @@
-MD5 (mysql-5.0.67.tar.gz) = 7164483a5ffb8f7aa59b761c13cdbd6e
-SHA256 (mysql-5.0.67.tar.gz) = 7b64e609849ff64f2fcb82a2b72883f79adc893e9f6fc0d35465ef7d97542058
-SIZE (mysql-5.0.67.tar.gz) = 28370810
+MD5 (mysql-5.0.75.tar.gz) = a234f0a60a7f8c290d9875cba3a2c5a2
+SHA256 (mysql-5.0.75.tar.gz) = c0985da988217e88456c39d2ab2f24d802f5ea5f2a3190dc0011447550bdc2b9
+SIZE (mysql-5.0.75.tar.gz) = 32514150
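Review bot: the new distinfo values cannot be checked from the patch itself, and SIZE jumps from 28370810 to 32514150 bytes between two 5.0.x tarballs. Before commit, regenerate the entries with make makesum from a freshly fetched mysql-5.0.75.tar.gz and compare the SHA256 against a checksum obtained independently of the download mirror, so that the committed hashes are known to describe the intended upstream tarball.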
diff --git a/databases/mysql50-server/files/patch-client_mysql_upgrade.c b/databases/mysql50-server/files/patch-client_mysql_upgrade.c
deleted file mode 100644
index 36cdf88..0000000
--- a/databases/mysql50-server/files/patch-client_mysql_upgrade.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- client/mysql_upgrade.c.orig	2007-11-15 15:06:52.000000000 +0100
-+++ client/mysql_upgrade.c	2007-12-12 10:07:23.000000000 +0100
-@@ -411,10 +411,6 @@
- 
-   verbose("Looking for '%s' in: %s", tool_name, tool_path);
- 
--  /* Make sure the tool exists */
--  if (my_access(tool_path, F_OK) != 0)
--    die("Can't find '%s'", tool_path);
--
-   /*
-     Make sure it can be executed
-   */
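Review bot: the commit message does not say why files/patch-client_mysql_upgrade.c is being deleted. That local patch removed the `my_access(tool_path, F_OK)` existence check that precedes the executability check in client/mysql_upgrade.c. Please state whether 5.0.75 already contains that change or whether the patch simply no longer applies, since only compilation and packaging were tested and the behaviour of mysql_upgrade could otherwise change unnoticed.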
-- 
1.6.0.5
--- mysql50-server-upgrade-to-5.0.75.diff ends here ---

I have tested the basic compilability and good packaging for the
databases/mysql50-*, but was not able to test the server in production:
I have no 5.0 databases at hand.

I was not able to extract the fix for 5.0.67, because the launchpad.net
Bazaar interface isn't working properly.  The fix was committed in
the patch
  http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-community/revision/2579.1.5
but there were other symlink-related cleanups in
  http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-community/changes/2579.1.9

I feel that an update to 5.0.75 is the best way to handle this problem.


I will try to extract the fixes for 4.1 and will post a follow-up.


The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="6b535a9a-d412-11dd-9f32-001fc66e7203">
    <topic>mysql -- MyISAM table privileges security bypass vulnerability for symlinked paths</topic>
    <affects>
      <package>
        <name>mysql-server</name>
        <range><ge>4.1</ge><lt>4.1.25</lt></range>
        <range><ge>5.0</ge><lt>5.0.75</lt></range>
        <range><ge>5.1</ge><lt>5.1.28</lt></range>
        <range><ge>6.0</ge><lt>6.0.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Paul DuBois from MySQL reports:</p>
        <blockquote
          cite="http://bugs.mysql.com/bug.php?id=32167">
          <p>Additional corrections were made for the symlink-related
          privilege problem originally addressed.  The original fix did
          not correctly handle the data directory pathname if it
          contained symlinked directories in its path, and the check was
          made only at table-creation time, not at table-opening time
          later.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4097</cvename>
      <cvename>CVE-2008-4098</cvename>
      <url>http://bugs.mysql.com/bug.php?id=32167</url>
      <url>http://dev.mysql.com/doc/refman/4.1/en/news-4-1-25.html</url>
      <url>http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-75.html</url>
      <url>http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html</url>
      <url>http://dev.mysql.com/doc/refman/6.0/en/news-6-0-6.html</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25</url>
    </references>
    <dates>
      <discovery>03-07-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
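
The two gaps named in the quoted MySQL report (symlinked directories in the data directory path, and a check made only at table-creation time) can be illustrated with a path-containment check. This is an added example, not part of the original PR and not MySQL's code; the function names, directory layout and file names are constructed for illustration.

```python
import os
import tempfile


def naive_inside(datadir, path):
    """String-prefix test on the paths as written (no symlink resolution)."""
    return os.path.normpath(path).startswith(os.path.normpath(datadir) + os.sep)


def canonical_inside(datadir, path):
    """Resolve symlinks in both paths, then compare whole path components."""
    real_dir = os.path.realpath(datadir)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_dir, real_path]) == real_dir


def demo():
    """Build a constructed layout in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        real_data = os.path.join(root, "disk", "mysql")   # real storage
        os.makedirs(os.path.join(real_data, "otherdb"))
        datadir = os.path.join(root, "var_db_mysql")      # configured datadir
        os.symlink(real_data, datadir)                    # ...reached via a symlink

        # Case 1: file named by its real path, datadir named via the symlink.
        # The prefix test misses it; the canonical test does not.
        target = os.path.join(real_data, "otherdb", "t.MYD")
        case1 = (naive_inside(datadir, target), canonical_inside(datadir, target))

        # Case 2: the path is outside at creation time, then a directory in it
        # is replaced by a symlink into the data directory before open time.
        ext = os.path.join(root, "ext")
        os.mkdir(ext)
        table = os.path.join(ext, "t.MYD")
        at_create = canonical_inside(datadir, table)
        os.rmdir(ext)
        os.symlink(os.path.join(real_data, "otherdb"), ext)
        at_open = canonical_inside(datadir, table)
        return case1, at_create, at_open


if __name__ == "__main__":
    print(demo())
```

A check that passes at creation time says nothing about where the same path leads later, which is why the containment test has to be repeated when the file is opened.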


