ports/127915: Security port patch for mysql-client51.28

Michael Scheidell scheidell at secnap.net
Tue Oct 7 10:40:02 UTC 2008


>Number:         127915
>Category:       ports
>Synopsis:       Security port patch for mysql-client51.28
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 10:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Scheidell
>Release:        FreeBSD 6.3-RELEASE-p1 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #0: Mon Apr 28 20:18:31 EDT 2008 admin at tpa.link.hackertrap.net:/usr/obj/usr/src/sys/TPA_LINK i386

>Description:
portaudit and bugtraq
http://bugs.mysql.com/bug.php?id=27884
portaudit
Affected package: mysql-client-5.1.28
Type of problem: mysql -- command line client input validation vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/4775c807-8f30-11dd-821f-001cc0377035.html>

>How-To-Repeat:
 mysql --html --execute "select '<a>'"
(Note: the original report shows -execute; the correct option is --execute.)
If vulnerable, it will show:
mysql --html --execute "select '<a>'"
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
>Fix:

patches from http://bugs.mysql.com/file.php?id=9232
changed locations for mysql51-28rc

Tested; it looks like it fixed it.
If you build the full (client/server) port and cd to $WORK/mysql*, make test runs
fine now.
After the patches (note the escaped <>):
Note that these are the correct test results, not as per the patch.
<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
Please inform portaudit/security of the fix and update portaudit.
How serious? Serious enough to be in portaudit :-)

added files
Only in ./files: patch-client:mysql.cc
Only in ./files: patch-mysql-test:mysql.result
Only in ./files: patch-mysql-test:mysql.test


diff -bBru /var/tmp/mysql51-server ./
diff -bBru /var/tmp/mysql51-server/Makefile ./Makefile
--- /var/tmp/mysql51-server/Makefile    2008-09-23 01:43:45.000000000 -0400
+++ ./Makefile  2008-10-07 05:50:21.000000000 -0400
@@ -7,7 +7,7 @@
 
 PORTNAME?=     mysql
 PORTVERSION=   5.1.28
-PORTREVISION?= 0
+PORTREVISION?= 1
 CATEGORIES=    databases
 MASTER_SITES=  ${MASTER_SITE_MYSQL}
 MASTER_SITE_SUBDIR=    MySQL-5.1
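Review bot: the bump to PORTREVISION 1 is the right response to a change in the built client, but the `PORTNAME?=` in the context line suggests this Makefile is shared with a slave port; confirm that the revision bump reaches the package the portaudit entry names, mysql-client-5.1.28, and not only the server package, since portaudit keys on that version string and will keep flagging the client until it changes.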
diff -bBru /var/tmp/mysql51-server/files/patch-client:mysql.cc ./files/patch-client:mysql.cc
--- /var/tmp/mysql51-server/files/patch-client:mysql.cc 2008-10-07 06:20:40.000000000 -0400
+++ ./files/patch-client:mysql.cc       2008-10-07 05:51:58.000000000 -0400
@@ -0,0 +1,27 @@
+--- client/mysql.cc.orig       2008-08-28 11:39:27.000000000 -0400
++++ client/mysql.cc    2008-10-07 05:44:20.000000000 -0400
+@@ -3372,9 +3372,12 @@
+   {
+     while((field = mysql_fetch_field(result)))
+     {
+-      tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ? 
+-                                       (field->name[0] ? field->name : 
+-                                        "   ") : "NULL"));
++      tee_fputs("<TH>", PAGER);
++      if (field->name && field->name[0])
++      xmlencode_print(field->name, field->name_length);
++      else
++      tee_fputs(field->name ? "   " : "NULL", PAGER);
++      tee_fputs("</TH>", PAGER);
+     }
+     (void) tee_fputs("</TR>", PAGER);
+   }
+@@ -3387,7 +3390,7 @@
+     for (uint i=0; i < mysql_num_fields(result); i++)
+     {
+       (void) tee_fputs("<TD>", PAGER);
+-      safe_put_field(cur[i],lengths[i]);
++      xmlencode_print(cur[i],lengths[i]);
+       (void) tee_fputs("</TD>", PAGER);
+     }
+     (void) tee_fputs("</TR>", PAGER);
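Review bot: in the second inner hunk, `safe_put_field(cur[i],lengths[i])` becomes `xmlencode_print(cur[i],lengths[i])`, and `safe_put_field` was the code path that rendered a SQL NULL (a NULL `cur[i]`) as the word NULL; nothing in this patch shows `xmlencode_print` checking for a NULL pointer, so please confirm it does before the loop touches `src`, otherwise a NULL column value in --html mode is a NULL dereference. Style point on the first inner hunk: the bodies of `if (field->name && field->name[0])` and its `else` sit at the same indentation as the `if`, which hides the control flow; indent `xmlencode_print(field->name, field->name_length);` and the second `tee_fputs(...)` one level. The `"   "` fallback for an empty name and `"NULL"` for a missing one are carried over from the removed `tee_fprintf`, so behaviour there is unchanged.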
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result ./files/patch-mysql-test:mysql.result
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result 2008-10-07 06:20:49.000000000 -0400
+++ ./files/patch-mysql-test:mysql.result       2008-10-07 06:13:49.000000000 -0400
@@ -0,0 +1,11 @@
+--- mysql-test/r/mysql.result.orig     2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/r/mysql.result  2008-10-07 05:45:48.000000000 -0400
+@@ -182,6 +182,8 @@
+ This is a file starting with UTF8 BOM 0xEFBBBF
+ End of 5.0 tests
+ WARNING: --server-arg option not supported in this configuration.
+<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
++End of 5.1 tests
+ Warning (Code 1286): Unknown table engine 'nonexistent'
+ Warning (Code 1266): Using storage engine MyISAM for table 't2'
+ Warning (Code 1286): Unknown table engine 'nonexistent2'
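Review bot: the line `+<TABLE BORDER=1>…</TABLE>` lacks the inner `+` that `++End of 5.1 tests` carries, so inside files/patch-mysql-test:mysql.result it is neither a context line nor an added line and patch(1) will reject the hunk; the header `@@ -182,6 +182,8 @@` needs two added lines to balance, so it should read `++<TABLE …`. Separately, the recorded result shows `<a>` in the TH and TD cells, while the test added in mysql.test runs `select '< & >' as \`<\``, so the expected output as shown does not correspond to that query and does not show the entity-escaped form the patched client emits; regenerate mysql.result from the .test rather than pasting the How-To-Repeat output, and confirm the file actually submitted matches, since `make test` passing depends on it.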
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test ./files/patch-mysql-test:mysql.test
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test   2008-10-07 06:21:00.000000000 -0400
+++ ./files/patch-mysql-test:mysql.test 2008-10-07 05:54:12.000000000 -0400
@@ -0,0 +1,17 @@
+--- mysql-test/t/mysql.test.orig       2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/t/mysql.test    2008-10-07 05:48:59.000000000 -0400
+@@ -301,6 +301,14 @@
+ --enable_query_log
+ 
+ #
++# Bug #27884: mysql --html does not quote HTML special characters in output
++# 
++--exec $MYSQL --html test -e "select '< & >' as \`<\`"
++
++--echo
++--echo End of 5.1 tests
++
++#
+ # Bug #25146: Some warnings/errors not shown when using --show-warnings
+ #
+ 
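Review bot: the bare `--echo` before `--echo End of 5.1 tests` is what terminates the `</TABLE>` line in the result file (the result hunk shows no blank line between the table and the marker, which implies the client's HTML output carries no trailing newline), so keep it and keep the order of the three lines in mysql.result exactly as the .test emits them. The `End of 5.1 tests` marker is inserted ahead of the Bug #25146 block that follows, so anything run after it in the file lands past the marker; if that is intended it is fine, otherwise place the new test at the end of the file. Minor: `+# ` has trailing whitespace.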



>Release-Note:
>Audit-Trail:
>Unformatted:
 Class:		sw-bug
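As an added example (not part of this PR and not MySQL's code), the following C program shows the before and after behaviour the report describes: a printf-style renderer that copies column names and values into TH/TD cells verbatim, next to a renderer that entity-escapes them the way the patched client does, keeping the NULL and empty-name fallbacks visible in the mysql.cc hunks above. The function names (render_html_table, render_html_table_unescaped, append_encoded, html_entity), the fixed-size output buffer and the sample rows are this example's own assumptions, not mysql.cc's API.

```c
/* Added example, not MySQL's code: HTML-escaping cell output for a
 * `mysql --html`-style table. Names and buffer handling are illustrative. */
#include <stdio.h>
#include <string.h>

/* Entity replacements for the characters that matter in HTML text and
 * attribute values; every other byte is copied through unchanged. */
static const char *html_entity(char c)
{
    switch (c) {
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '&': return "&amp;";
    case '"': return "&quot;";
    default:  return NULL;
    }
}

/* Append a NUL-terminated literal at *pos. Returns 0, or -1 if dst is full
 * (output is then cut at the last complete token and NUL-terminated). */
static int append_raw(char *dst, size_t dstsize, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= dstsize) { dst[*pos] = '\0'; return -1; }
    memcpy(dst + *pos, s, n);
    *pos += n;
    dst[*pos] = '\0';
    return 0;
}

/* Append up to `length` bytes of src, escaping HTML metacharacters. A NULL
 * src stands for SQL NULL and is written as the word NULL, which is what the
 * old safe_put_field() path did for TD cells. */
static int append_encoded(char *dst, size_t dstsize, size_t *pos,
                          const char *src, size_t length)
{
    if (src == NULL)
        return append_raw(dst, dstsize, pos, "NULL");
    for (size_t i = 0; i < length && src[i] != '\0'; i++) {
        const char *rep = html_entity(src[i]);
        char one[2] = { src[i], '\0' };
        if (append_raw(dst, dstsize, pos, rep ? rep : one) != 0)
            return -1;
    }
    return 0;
}

/* Hardened form: a header row and one data row laid out as TH/TD cells.
 * Empty header names become three spaces and NULL header names become NULL,
 * matching the patched TH branch. Returns 0, or -1 if dst was too small. */
static int render_html_table(char *dst, size_t dstsize,
                             const char **names, const char **values, size_t ncols)
{
    size_t pos = 0;
    if (dstsize == 0) return -1;
    dst[0] = '\0';
    if (append_raw(dst, dstsize, &pos, "<TABLE BORDER=1><TR>") != 0) return -1;
    for (size_t i = 0; i < ncols; i++) {
        if (append_raw(dst, dstsize, &pos, "<TH>") != 0) return -1;
        if (names[i] && names[i][0]) {
            if (append_encoded(dst, dstsize, &pos, names[i], strlen(names[i])) != 0)
                return -1;
        } else if (append_raw(dst, dstsize, &pos, names[i] ? "   " : "NULL") != 0) {
            return -1;
        }
        if (append_raw(dst, dstsize, &pos, "</TH>") != 0) return -1;
    }
    if (append_raw(dst, dstsize, &pos, "</TR><TR>") != 0) return -1;
    for (size_t i = 0; i < ncols; i++) {
        if (append_raw(dst, dstsize, &pos, "<TD>") != 0) return -1;
        if (append_encoded(dst, dstsize, &pos, values[i],
                           values[i] ? strlen(values[i]) : 0) != 0) return -1;
        if (append_raw(dst, dstsize, &pos, "</TD>") != 0) return -1;
    }
    return append_raw(dst, dstsize, &pos, "</TR></TABLE>");
}

/* Before state, for contrast: names and values are interpolated verbatim,
 * so a value such as "<a>" becomes markup in the generated page. */
static int render_html_table_unescaped(char *dst, size_t dstsize,
                                       const char *name, const char *value)
{
    int n = snprintf(dst, dstsize,
                     "<TABLE BORDER=1><TR><TH>%s</TH></TR><TR><TD>%s</TD></TR></TABLE>",
                     name ? name : "NULL", value ? value : "NULL");
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

int main(void)
{
    char out[256];
    /* Constructed sample: the query from the added mysql.test,
     * select '< & >' as `<`, gives one column named "<" holding "< & >". */
    const char *names[]  = { "<" };
    const char *values[] = { "< & >" };
    render_html_table_unescaped(out, sizeof out, "a", "<a>");
    printf("before: %s\n", out);
    render_html_table(out, sizeof out, names, values, 1);
    printf("after:  %s\n", out);
    return 0;
}
```

The escaping loop works on a byte length rather than a terminating NUL because client result buffers carry explicit lengths; the bounded append helpers make truncation an error return instead of an overflow, which is the other thing a reviewer looks for in output-formatting code.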
