ports/127915: Security port patch for mysql-client51.28
Michael Scheidell
scheidell at secnap.net
Tue Oct 7 10:40:02 UTC 2008
>Number: 127915
>Category: ports
>Synopsis: Security port patch for mysql-client51.28
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 07 10:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Michael Scheidell
>Release: FreeBSD 6.3-RELEASE-p1 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #0: Mon Apr 28 20:18:31 EDT 2008 admin at tpa.link.hackertrap.net:/usr/obj/usr/src/sys/TPA_LINK i386
>Description:
portaudit and bugtraq
http://bugs.mysql.com/bug.php?id=27884
Affected package: mysql-client-5.1.28
Type of problem: mysql -- command line client input validation vulnerability.
Reference:
<http://www.FreeBSD.org/ports/portaudit/4775c807-8f30-11dd-821f-001cc0377035.html>
>How-To-Repeat:
mysql --html --execute "select '<a>'"
(Note: the original report shows -execute; the correct option is --execute.)
If vulnerable, it will show:
mysql --html --execute "select '<a>'"
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
>Fix:
Patches from http://bugs.mysql.com/file.php?id=9232
Changed locations for mysql51-28rc.
Tested; it looks like it fixed it.
If you build the full port (client/server) and cd to $WORK/mysql*, make test runs
fine now.
After the patches (note the escaped <>).
Note: this is the correct test result, not as per the patch:
<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
Please inform portaudit/security of the fix and update portaudit.
How serious? Serious enough to be in portaudit :-)
added files
Only in ./files: patch-client:mysql.cc
Only in ./files: patch-mysql-test:mysql.result
Only in ./files: patch-mysql-test:mysql.test
diff -bBru /var/tmp/mysql51-server ./
diff -bBru /var/tmp/mysql51-server/Makefile ./Makefile
--- /var/tmp/mysql51-server/Makefile 2008-09-23 01:43:45.000000000 -0400
+++ ./Makefile 2008-10-07 05:50:21.000000000 -0400
@@ -7,7 +7,7 @@
PORTNAME?= mysql
PORTVERSION= 5.1.28
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES= databases
MASTER_SITES= ${MASTER_SITE_MYSQL}
MASTER_SITE_SUBDIR= MySQL-5.1
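Review bot: the PORTREVISION bump is correct for a patch that changes the installed client binary, but since it is written with `?=`, a slave port that sets its own PORTREVISION before including this Makefile would shadow it; check that the mysql-client slave port (the package the PR lists as affected) does not do so, otherwise the rebuilt client keeps version 5.1.28 and portaudit will keep flagging it.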
diff -bBru /var/tmp/mysql51-server/files/patch-client:mysql.cc ./files/patch-client:mysql.cc
--- /var/tmp/mysql51-server/files/patch-client:mysql.cc 2008-10-07 06:20:40.000000000 -0400
+++ ./files/patch-client:mysql.cc 2008-10-07 05:51:58.000000000 -0400
@@ -0,0 +1,27 @@
+--- client/mysql.cc.orig 2008-08-28 11:39:27.000000000 -0400
++++ client/mysql.cc 2008-10-07 05:44:20.000000000 -0400
+@@ -3372,9 +3372,12 @@
+ {
+ while((field = mysql_fetch_field(result)))
+ {
+- tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ?
+- (field->name[0] ? field->name :
+- " ") : "NULL"));
++ tee_fputs("<TH>", PAGER);
++ if (field->name && field->name[0])
++ xmlencode_print(field->name, field->name_length);
++ else
++ tee_fputs(field->name ? " " : "NULL", PAGER);
++ tee_fputs("</TH>", PAGER);
+ }
+ (void) tee_fputs("</TR>", PAGER);
+ }
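Review bot: the replacement keeps the three cases of the removed ternary (encoded name, " " for an empty name, "NULL" for a missing one), which is right, but it relies on `field->name_length` being the byte length of `field->name` as returned by this client library, since `xmlencode_print` is length-driven; confirm that for the 5.1.28 libmysqlclient before committing. Style: the new `tee_fputs` calls drop the `(void)` cast used on the neighbouring `(void) tee_fputs("</TR>", PAGER);`; harmless, but inconsistent with the surrounding code.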
+@@ -3387,7 +3390,7 @@
+ for (uint i=0; i < mysql_num_fields(result); i++)
+ {
+ (void) tee_fputs("<TD>", PAGER);
+- safe_put_field(cur[i],lengths[i]);
++ xmlencode_print(cur[i],lengths[i]);
+ (void) tee_fputs("</TD>", PAGER);
+ }
+ (void) tee_fputs("</TR>", PAGER);
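Review bot: swapping `safe_put_field` for `xmlencode_print` on the cell data must preserve the SQL NULL case: for a NULL value `cur[i]` is a NULL pointer and `lengths[i]` is 0, and `safe_put_field` printed the word NULL for that; make sure `xmlencode_print` has the same NULL guard (or add one) and add a `select NULL` row to the new test so the path is covered. Passing `lengths[i]` rather than a strlen() is the right choice here, as it keeps binary values from being cut at the first NUL byte.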
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result ./files/patch-mysql-test:mysql.result
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result 2008-10-07 06:20:49.000000000 -0400
+++ ./files/patch-mysql-test:mysql.result 2008-10-07 06:13:49.000000000 -0400
@@ -0,0 +1,11 @@
+--- mysql-test/r/mysql.result.orig 2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/r/mysql.result 2008-10-07 05:45:48.000000000 -0400
+@@ -182,6 +182,8 @@
+ This is a file starting with UTF8 BOM 0xEFBBBF
+ End of 5.0 tests
+ WARNING: --server-arg option not supported in this configuration.
+<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
++End of 5.1 tests
+ Warning (Code 1286): Unknown table engine 'nonexistent'
+ Warning (Code 1266): Using storage engine MyISAM for table 't2'
+ Warning (Code 1286): Unknown table engine 'nonexistent2'
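Review bot: the added expected-output line `+<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>` does not match the query the test hunk runs (`select '< & >' as \`<\``), whose escaped output would carry `&lt;` in the header cell and `&lt; &amp; &gt;` in the data cell; it also shows `<a>` unencoded although the whole point of the fix is to encode it, and it lacks the second `+` that `++End of 5.1 tests` carries, so as pasted the hunk's two-line addition (`-182,6 +182,8`) will not apply. Either the entities were stripped in transit or the line was pasted from the How-To-Repeat output; regenerate the result file from `make test` with the fixed client and re-post the hunk.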
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test ./files/patch-mysql-test:mysql.test
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test 2008-10-07 06:21:00.000000000 -0400
+++ ./files/patch-mysql-test:mysql.test 2008-10-07 05:54:12.000000000 -0400
@@ -0,0 +1,17 @@
+--- mysql-test/t/mysql.test.orig 2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/t/mysql.test 2008-10-07 05:48:59.000000000 -0400
+@@ -301,6 +301,14 @@
+ --enable_query_log
+
+ #
++# Bug #27884: mysql --html does not quote HTML special characters in output
++#
++--exec $MYSQL --html test -e "select '< & >' as \`<\`"
++
++--echo
++--echo End of 5.1 tests
++
++#
+ # Bug #25146: Some warnings/errors not shown when using --show-warnings
+ #
+
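Review bot: the test input covers `<`, `&` and `>` in a data cell and `<` in a column alias, which exercises both changed paths in mysql.cc, so it is a better check than the PR's `select '<a>'`; keep it, but the expected result in mysql.result must then be the encoded output of this exact query rather than the `<a>` table, or the test will fail on the next `make test` run.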
>Release-Note:
>Audit-Trail:
>Unformatted:
Class: sw-bug
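Added example, not code from the PR or from MySQL: a small length-delimited HTML-text encoder and row/header renderer in C that reproduces the two behaviours the mysql.cc hunks change (cell data copied raw versus entity-encoded, and the header's empty-name and NULL-name cases) so the fix can be reasoned about and tested without a running server. It writes to a caller-supplied buffer instead of the client's PAGER stream; the function names, the buffer-overflow return value and the set of encoded characters (`< > & "`) are assumptions of this example, not MySQL's. Sample values are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append src[0..len) to dst verbatim. This is the unpatched behaviour: bytes
 * go into the markup untouched. A NULL src stands for SQL NULL and is written
 * as the word NULL. Returns bytes appended, or -1 if dst (dstsz bytes, with
 * terminator) would overflow. Hypothetical helper for this example. */
static int raw_append(char *dst, size_t dstsz, const char *src, size_t len)
{
    size_t used = strlen(dst);
    if (!src) { src = "NULL"; len = 4; }
    if (used + len + 1 > dstsz) return -1;
    memcpy(dst + used, src, len);
    dst[used + len] = '\0';
    return (int)len;
}

/* Append src[0..len) with HTML text escaping. Length-driven, like the client's
 * lengths[i] usage, so a value is never cut at an embedded NUL (a NUL byte is
 * dropped rather than emitted). NULL src -> "NULL", as safe_put_field did.
 * Returns bytes appended, or -1 on overflow (dst stays NUL-terminated). */
static int html_encode_append(char *dst, size_t dstsz, const char *src, size_t len)
{
    size_t start = strlen(dst), used = start;
    if (!src) { src = "NULL"; len = 4; }
    for (size_t i = 0; i < len; i++) {
        char lit[2] = { src[i], '\0' };
        const char *rep;
        switch (src[i]) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = lit;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl + 1 > dstsz) { dst[used] = '\0'; return -1; }
        memcpy(dst + used, rep, rl);
        used += rl;
    }
    dst[used] = '\0';
    return (int)(used - start);
}

static int lit(char *dst, size_t dstsz, const char *s)
{
    return raw_append(dst, dstsz, s, strlen(s));
}

/* Render one data row into dst. vals[i] == NULL means SQL NULL; lens[i] is the
 * byte length of vals[i]. encode == 0 is the vulnerable behaviour, 1 the fixed
 * one. Returns 0 on success, -1 if dst is too small. */
static int render_row(char *dst, size_t dstsz, const char *const *vals,
                      const size_t *lens, size_t nfields, int encode)
{
    dst[0] = '\0';
    if (lit(dst, dstsz, "<TR>") < 0) return -1;
    for (size_t i = 0; i < nfields; i++) {
        if (lit(dst, dstsz, "<TD>") < 0) return -1;
        int r = encode ? html_encode_append(dst, dstsz, vals[i], lens[i])
                       : raw_append(dst, dstsz, vals[i], lens[i]);
        if (r < 0) return -1;
        if (lit(dst, dstsz, "</TD>") < 0) return -1;
    }
    return lit(dst, dstsz, "</TR>") < 0 ? -1 : 0;
}

/* Render the header row with the same three cases as the first mysql.cc hunk:
 * a non-empty name is encoded, an empty name prints a single space, and a
 * missing (NULL) name prints NULL. Returns 0 on success, -1 on overflow. */
static int render_header(char *dst, size_t dstsz, const char *const *names, size_t nfields)
{
    dst[0] = '\0';
    if (lit(dst, dstsz, "<TR>") < 0) return -1;
    for (size_t i = 0; i < nfields; i++) {
        if (lit(dst, dstsz, "<TH>") < 0) return -1;
        int r = (names[i] && names[i][0])
                  ? html_encode_append(dst, dstsz, names[i], strlen(names[i]))
                  : lit(dst, dstsz, names[i] ? " " : "NULL");
        if (r < 0) return -1;
        if (lit(dst, dstsz, "</TH>") < 0) return -1;
    }
    return lit(dst, dstsz, "</TR>") < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: the PR's repro value and the test hunk's value. */
    const char *vals[] = { "<a>", "< & >", NULL };
    size_t lens[] = { 3, 5, 0 };
    char buf[256];
    render_row(buf, sizeof buf, vals, lens, 3, 0);
    printf("raw:     %s\n", buf);
    render_row(buf, sizeof buf, vals, lens, 3, 1);
    printf("encoded: %s\n", buf);
    return 0;
}
```

The raw variant is what `--html` produced before the fix (`<TD><a></TD>`), the encoded one what the patched client should print (`<TD>&lt;a&gt;</TD>`); the NULL column shows why the NULL guard mentioned in the review of the second hunk matters.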