Date: Sat, 27 Dec 2008 19:31:17 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/129979: [vuxml] [patch] document CVE-2008-4097, CVE-2008-4098 and update databases/mysql50-* to 5.0.75
Message-ID: <20081227163117.34175B8023@phoenix.codelabs.ru>
Resent-Message-ID: <200812271810.mBRIA5Sg061428@freefall.freebsd.org>
>Number: 129979
>Category: ports
>Synopsis: [vuxml] [patch] document CVE-2008-4097, CVE-2008-4098 and update databases/mysql50-* to 5.0.75
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 27 18:10:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
http://www.vuxml.org/freebsd/388d9ee4-7f22-11dd-a66a-0019666436c2.html describes the first attempt to fix the symlink-related vulnerability with MyISAM tables, but the fix is incomplete.
>How-To-Repeat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25
http://bugs.mysql.com/bug.php?id=32167
>Fix:
The following patch upgrades mysql50-* to 5.0.75, because 5.0.67 contains only the partial fix.

--- mysql50-server-upgrade-to-5.0.75.diff begins here ---
>From 0f7073f615a88b2d2f240ab0067c3a2f2d109644 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 27 Dec 2008 18:06:52 +0300

Eventually fix CVE-2008-4097 and CVE-2008-4098.

I had tested only compilability and proper FreeBSD packaging for mysql50-{server,client,scripts).

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 databases/mysql50-server/Makefile | 3 +--
 databases/mysql50-server/distinfo | 6 +++---
 .../files/patch-client_mysql_upgrade.c | 13 -------------
 3 files changed, 4 insertions(+), 18 deletions(-)
 delete mode 100644 databases/mysql50-server/files/patch-client_mysql_upgrade.c

diff --git a/databases/mysql50-server/Makefile b/databases/mysql50-server/Makefile index f767eda..24c7650 100644 --- a/databases/mysql50-server/Makefile +++ b/databases/mysql50-server/Makefile
@@ -6,8 +6,7 @@ # PORTNAME?= mysql -PORTVERSION= 5.0.67 -PORTREVISION?= 1 +PORTVERSION= 5.0.75 CATEGORIES= databases MASTER_SITES= ${MASTER_SITE_MYSQL} MASTER_SITE_SUBDIR= MySQL-5.0 diff --git a/databases/mysql50-server/distinfo b/databases/mysql50-server/distinfo index 0d84b3c..416a630 100644 --- a/databases/mysql50-server/distinfo +++ b/databases/mysql50-server/distinfo @@ -1,3 +1,3 @@ -MD5 (mysql-5.0.67.tar.gz) = 7164483a5ffb8f7aa59b761c13cdbd6e -SHA256 (mysql-5.0.67.tar.gz) = 7b64e609849ff64f2fcb82a2b72883f79adc893e9f6fc0d35465ef7d97542058 -SIZE (mysql-5.0.67.tar.gz) = 28370810 +MD5 (mysql-5.0.75.tar.gz) = a234f0a60a7f8c290d9875cba3a2c5a2 +SHA256 (mysql-5.0.75.tar.gz) = c0985da988217e88456c39d2ab2f24d802f5ea5f2a3190dc0011447550bdc2b9 +SIZE (mysql-5.0.75.tar.gz) = 32514150 diff --git a/databases/mysql50-server/files/patch-client_mysql_upgrade.c b/databases/mysql50-server/files/patch-client_mysql_upgrade.c deleted file mode 100644 index 36cdf88..0000000 --- a/databases/mysql50-server/files/patch-client_mysql_upgrade.c +++ /dev/null 
@@ -1,13 +0,0 @@ ---- client/mysql_upgrade.c.orig 2007-11-15 15:06:52.000000000 +0100 -+++ client/mysql_upgrade.c 2007-12-12 10:07:23.000000000 +0100 -@@ -411,10 +411,6 @@ - - verbose("Looking for '%s' in: %s", tool_name, tool_path); - -- /* Make sure the tool exists */ -- if (my_access(tool_path, F_OK) != 0) -- die("Can't find '%s'", tool_path); -- - /* - Make sure it can be executed - */ -- 1.6.0.5
--- mysql50-server-upgrade-to-5.0.75.diff ends here ---

I had tested the basic compilability and good packaging for databases/mysql50-*, but was not able to test the server in production: I have no 5.0 databases at hand.

I was not able to extract the fix for 5.0.67, because the launchpad.net Bazaar interface isn't working properly. The fix was committed in the patch
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-community/revision/2579.1.5
but there were other symlink-related cleanups in
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-community/changes/2579.1.9

I feel that an update to 5.0.75 is the best way to handle this problem. I will try to extract the fixes for 4.1 and will post a follow-up.

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="6b535a9a-d412-11dd-9f32-001fc66e7203">
  <topic>mysql -- MyISAM table privileges security bypass vulnerability for symlinked paths</topic>
  <affects>
    <package>
      <name>mysql-server</name>
      <range><ge>4.1</ge><lt>4.1.25</lt></range>
      <range><ge>5.0</ge><lt>5.0.75</lt></range>
      <range><ge>5.1</ge><lt>5.1.28</lt></range>
      <range><ge>6.0</ge><lt>6.0.6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Paul DuBois from MySQL reports:</p>
      <blockquote cite="http://bugs.mysql.com/bug.php?id=32167">
        <p>Additional corrections were made for the symlink-related
          privilege problem originally addressed. The original fix did
          not correctly handle the data directory pathname if it
          contained symlinked directories in its path, and the check was
          made only at table-creation time, not at table-opening time
          later.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-4097</cvename>
    <cvename>CVE-2008-4098</cvename>
    <url>http://bugs.mysql.com/bug.php?id=32167</url>
    <url>http://dev.mysql.com/doc/refman/4.1/en/news-4-1-25.html</url>
    <url>http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-75.html</url>
    <url>http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html</url>
    <url>http://dev.mysql.com/doc/refman/6.0/en/news-6-0-6.html</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25</url>
  </references>
  <dates>
    <discovery>03-07-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
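
Review bot: Check PORTREVISION in mysql50-client and mysql50-scripts before the Makefile hunk goes in. The removed line is `PORTREVISION?= 1`, and the `?=` form means a value set elsewhere takes precedence; the diffstat touches only databases/mysql50-server, while the commit message says packaging was tested for server, client and scripts. If either of the other two ports sets its own PORTREVISION, it needs resetting in the same change.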
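
Review bot: The new MD5 and SHA256 lines in the distinfo hunk have no stated provenance. The commit message records only compile and packaging tests, and SIZE changes from 28370810 to 32514150, so please say in the message that mysql-5.0.75.tar.gz was compared with the checksum or signature published upstream before these values were generated.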
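
Review bot: The deletion of files/patch-client_mysql_upgrade.c is not explained in the commit message. That local patch removed the `my_access(tool_path, F_OK)` existence check from client/mysql_upgrade.c, so state whether it no longer applies to 5.0.75 or is no longer needed, and if upstream still carries that check, confirm that mysql_upgrade finds its tools on FreeBSD without the patch.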
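
The two gaps named in the quoted MySQL report (a data directory path that is not resolved through its symlinks, and a check made only at creation time) can be reproduced with a small containment test. This is an added Python illustration, not MySQL's code and not part of the original message; the function names, the temporary directory layout and the assumption that the check is a "does this path resolve inside the data directory" test are constructed for the example.

```python
import os
import tempfile

def resolves_inside(base, path, resolve_base=True):
    """True if `path`, with symlinks followed, lies at or under `base`.

    resolve_base=False reproduces the incomplete form of the check: the
    requested path is canonicalised but the configured base is not.
    """
    real = os.path.realpath(path)
    root = os.path.realpath(base) if resolve_base else os.path.abspath(base)
    return os.path.commonpath([real, root]) == root

def build_layout():
    """Constructed layout: the configured data directory is reached via a symlink."""
    top = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(top, "disk", "mysql", "otherdb"))
    os.symlink(os.path.join(top, "disk"), os.path.join(top, "var"))
    os.mkdir(os.path.join(top, "ext"))
    return {
        "datadir": os.path.join(top, "var", "mysql"),              # as configured
        "target": os.path.join(top, "disk", "mysql", "otherdb"),   # same place, real name
        "ext": os.path.join(top, "ext"),                           # outside the data directory
    }

def demo():
    p = build_layout()
    results = {
        # The requested directory really is inside the data directory.
        "naive_create": resolves_inside(p["datadir"], p["target"], resolve_base=False),
        "fixed_create": resolves_inside(p["datadir"], p["target"]),
        # A directory that is genuinely outside passes at creation time ...
        "ext_at_create": resolves_inside(p["datadir"], p["ext"]),
    }
    # ... and is later replaced by a symlink into the data directory.
    os.rmdir(p["ext"])
    os.symlink(p["target"], p["ext"])
    results["ext_at_open"] = resolves_inside(p["datadir"], p["ext"])
    return results

if __name__ == "__main__":
    for name, inside in demo().items():
        print(f"{name}: resolves inside data directory = {inside}")
```

Only the check that resolves both sides, repeated when the path is opened, reports the directory as inside the data directory in every case where it actually is.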