Date: Tue, 7 Oct 2008 06:22:48 -0400 (EDT)
From: Michael Scheidell <scheidell@secnap.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ale@FreeBSD.org
Subject: ports/127915: Security port patch for mysql-client51.28
Message-ID: <20081007102248.8BAC91CF34@scanner.secnap.net>
Resent-Message-ID: <200810071040.m97Ae1rc088728@freefall.freebsd.org>
>Number:         127915
>Category:       ports
>Synopsis:       Security port patch for mysql-client51.28
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 10:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Scheidell
>Release:        FreeBSD 6.3-RELEASE-p1 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #0: Mon Apr 28 20:18:31 EDT 2008 admin@tpa.link.hackertrap.net:/usr/obj/usr/src/sys/TPA_LINK i386
>Description:
portaudit and bugtraq
http://bugs.mysql.com/bug.php?id=27884

portaudit:
Affected package: mysql-client-5.1.28
Type of problem: mysql -- command line client input validation vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/4775c807-8f30-11dd-821f-001cc0377035.html>
>How-To-Repeat:
mysql --html --execute "select '<a>'"
(note: the original report shows -execute; the correct option is --execute)

If bad, it will show:

mysql --html --execute "select '<a>'"
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
>Fix:
patches from http://bugs.mysql.com/file.php?id=9232, changed locations for mysql51-28rc
tested, looks like it fixed it.
if you make full (client/server) and cd to $WORK/mysql*, make test runs fine now.

after patches: note the escaped <>. note this is the correct test result, not as per patch
<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>

please inform portaudit/security of fix and update portaudit.

How serious?
serious enough to be in portsaudit :-) added files Only in ./files: patch-client:mysql.cc Only in ./files: patch-mysql-test:mysql.result Only in ./files: patch-mysql-test:mysql.test diff -bBru /var/tmp/mysql51-server ./ diff -bBru /var/tmp/mysql51-server/Makefile ./Makefile --- /var/tmp/mysql51-server/Makefile 2008-09-23 01:43:45.000000000 -0400 +++ ./Makefile 2008-10-07 05:50:21.000000000 -0400 @@ -7,7 +7,7 @@ PORTNAME?= mysql PORTVERSION= 5.1.28 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= databases MASTER_SITES= ${MASTER_SITE_MYSQL} MASTER_SITE_SUBDIR= MySQL-5.1 diff -bBru /var/tmp/mysql51-server/files/patch-client:mysql.cc ./files/patch-client:mysql.cc --- /var/tmp/mysql51-server/files/patch-client:mysql.cc 2008-10-07 06:20:40.000000000 -0400 +++ ./files/patch-client:mysql.cc 2008-10-07 05:51:58.000000000 -0400 @@ -0,0 +1,27 @@ +--- client/mysql.cc.orig 2008-08-28 11:39:27.000000000 -0400 ++++ client/mysql.cc 2008-10-07 05:44:20.000000000 -0400 +@@ -3372,9 +3372,12 @@ + { + while((field = mysql_fetch_field(result))) + { +- tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ? +- (field->name[0] ? field->name : +- " ") : "NULL")); ++ tee_fputs("<TH>", PAGER); ++ if (field->name && field->name[0]) ++ xmlencode_print(field->name, field->name_length); ++ else ++ tee_fputs(field->name ? " " : "NULL", PAGER); ++ tee_fputs("</TH>", PAGER); + } + (void) tee_fputs("</TR>", PAGER); + } +@@ -3387,7 +3390,7 @@ + for (uint i=0; i < mysql_num_fields(result); i++) + { + (void) tee_fputs("<TD>", PAGER); +- safe_put_field(cur[i],lengths[i]); ++ xmlencode_print(cur[i],lengths[i]); + (void) tee_fputs("</TD>", PAGER); + } + (void) tee_fputs("</TR>", PAGER); diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result ./files/patch-mysql-test:mysql.result --- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result 2008-10-07 06:20:49.000000000 -0400 +++ ./files/patch-mysql-test:mysql.result 2008-10-07 06:13:49.000000000 -0400 
@@ -0,0 +1,11 @@ +--- mysql-test/r/mysql.result.orig 2008-08-28 12:08:36.000000000 -0400 ++++ mysql-test/r/mysql.result 2008-10-07 05:45:48.000000000 -0400 +@@ -182,6 +182,8 @@ + This is a file starting with UTF8 BOM 0xEFBBBF + End of 5.0 tests + WARNING: --server-arg option not supported in this configuration. +<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE> ++End of 5.1 tests + Warning (Code 1286): Unknown table engine 'nonexistent' + Warning (Code 1266): Using storage engine MyISAM for table 't2' + Warning (Code 1286): Unknown table engine 'nonexistent2' diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test ./files/patch-mysql-test:mysql.test --- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test 2008-10-07 06:21:00.000000000 -0400 +++ ./files/patch-mysql-test:mysql.test 2008-10-07 05:54:12.000000000 -0400 @@ -0,0 +1,17 @@ +--- mysql-test/t/mysql.test.orig 2008-08-28 12:08:36.000000000 -0400 ++++ mysql-test/t/mysql.test 2008-10-07 05:48:59.000000000 -0400 +@@ -301,6 +301,14 @@ + --enable_query_log + + # ++# Bug #27884: mysql --html does not quote HTML special characters in output ++# ++--exec $MYSQL --html test -e "select '< & >' as \`<\`" ++ ++--echo ++--echo End of 5.1 tests ++ ++# + # Bug #25146: Some warnings/errors not shown when using --show-warnings + # + >Release-Note: >Audit-Trail: >Unformatted: Class: sw-bug
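Review bot: the PORTREVISION bump in the Makefile hunk lands in mysql51-server/Makefile while the package named in the synopsis and the portaudit entry is mysql-client-5.1.28; the `PORTNAME?=` / `PORTREVISION?=` assignments show this Makefile is shared by slave ports, so confirm the client package really becomes 5.1.28_1 after this change, otherwise the fixed-version range portaudit needs cannot be written against it.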
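Review bot: in patch-client:mysql.cc the second hunk replaces `safe_put_field(cur[i],lengths[i])` with `xmlencode_print(cur[i],lengths[i])` but, unlike the header hunk just above it (which spells out `tee_fputs(field->name ? " " : "NULL", PAGER)` for a missing name), shows nothing for a NULL cell value, so before relying on it confirm that xmlencode_print prints NULL for a NULL pointer and that it walks all lengths[i] bytes rather than stopping at an embedded NUL, since cell data is binary; xmlencode_print was written for the --xml path, so also check that its entity table covers `<`, `>` and `&`, which is all the --html path needs for text between tags.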
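Review bot: the expected output in patch-mysql-test:mysql.result does not match the query patch-mysql-test:mysql.test adds: the test runs `select '< & >' as \`<\``, so the TH cell should be the encoded `<` and the TD cell the encoded `< & >` (with `&amp;` in the middle), not `<a>` in both cells as shown here. The `<TABLE BORDER=1>...` line also carries a single `+` prefix while `++End of 5.1 tests` carries two, so the inner `@@ -182,6 +182,8 @@` hunk ends up with only one added line and seven context lines, and its line counts no longer add up. Regenerate the .result from the test's own output and keep the `&lt;`/`&gt;`/`&amp;` entities literal in the patch file.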
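Review bot: the new `--exec $MYSQL --html test -e "select '< & >' as \`<\`"` in patch-mysql-test:mysql.test exercises the three characters the C change encodes, but the `--echo End of 5.1 tests` marker is inserted ahead of the existing Bug #25146 block rather than at the end of the file, so later 5.1 tests would be added above the marker; move the marker after the last 5.1 case, and consider selecting a NULL value as well, since the NULL branch of the --html output is what the mysql.cc hunk rewrites and nothing in the test covers it.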
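The point of the mysql.cc change above is that every byte of a column name and of a cell value must be HTML-encoded before it is interpolated into the TH/TD markup. The following C program is an added example written for this page, not code from MySQL or from the ports patch: it puts the unpatched verbatim interpolation next to a length-delimited encoder of the kind xmlencode_print() provides, and renders the same one-cell table that `mysql --html` prints. The names html_encode, render_table_raw, render_table_encoded, encoded_table_equals and encode_result are hypothetical; the inputs are the PR's own reproducer (`select '<a>'`) and the query the port's mysql.test adds (`select '< & >' as \`<\``).

```c
#include <stdio.h>
#include <string.h>

/*
 * HTML-encode `len` bytes of `src` into `out` (capacity `outsz`).
 * Length-delimited, like xmlencode_print(cur[i], lengths[i]) in the
 * patch, so a cell containing an embedded NUL byte is still encoded to
 * the end.  A NULL `src` is rendered as the literal text NULL, the
 * convention the header hunk uses for a NULL field name.
 * Returns the number of bytes written (excluding the terminator), or
 * -1 if `out` cannot hold the encoded text plus a terminator.
 */
static int html_encode(const char *src, size_t len, char *out, size_t outsz)
{
    size_t pos = 0;

    if (src == NULL) {
        src = "NULL";
        len = 4;
    }
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (src[i]) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t rlen = rep ? strlen(rep) : 1;
        if (pos + rlen >= outsz)          /* keep room for the terminator */
            return -1;
        if (rep)
            memcpy(out + pos, rep, rlen);
        else
            out[pos] = src[i];
        pos += rlen;
    }
    out[pos] = '\0';
    return (int)pos;
}

#define TABLE_FMT "<TABLE BORDER=1><TR><TH>%s</TH></TR><TR><TD>%s</TD></TR></TABLE>"

/* Unpatched behaviour: name and value are interpolated verbatim, so a
 * value of "<a>" becomes markup in whatever page embeds the table. */
static int render_table_raw(const char *col_name, const char *value,
                            char *out, size_t outsz)
{
    int n = snprintf(out, outsz, TABLE_FMT,
                     col_name ? col_name : "NULL", value ? value : "NULL");
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Patched behaviour: both the TH (column name) and the TD (cell value)
 * pass through html_encode before interpolation. */
static int render_table_encoded(const char *col_name, const char *value,
                                size_t value_len, char *out, size_t outsz)
{
    char name_buf[256], val_buf[1024];

    if (html_encode(col_name, col_name ? strlen(col_name) : 0,
                    name_buf, sizeof name_buf) < 0)
        return -1;
    if (html_encode(value, value_len, val_buf, sizeof val_buf) < 0)
        return -1;
    int n = snprintf(out, outsz, TABLE_FMT, name_buf, val_buf);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* 1 if the encoded table for (col_name, value) equals `expected`, else 0. */
static int encoded_table_equals(const char *col_name, const char *value,
                                size_t value_len, const char *expected)
{
    char buf[2048];
    if (render_table_encoded(col_name, value, value_len, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Encode into a scratch buffer limited to `outsz` bytes (at most 64) and
 * return html_encode's result, to exercise the size check and NUL handling. */
static int encode_result(const char *src, size_t len, size_t outsz)
{
    char scratch[64];
    if (outsz > sizeof scratch)
        outsz = sizeof scratch;
    return html_encode(src, len, scratch, outsz);
}

int main(void)
{
    char buf[2048];

    /* the PR's reproducer: select '<a>' (column name and value are both "<a>") */
    render_table_raw("<a>", "<a>", buf, sizeof buf);
    printf("unpatched:  %s\n", buf);
    render_table_encoded("<a>", "<a>", 3, buf, sizeof buf);
    printf("patched:    %s\n", buf);

    /* the query the port's mysql.test adds: select '< & >' as `<` */
    render_table_encoded("<", "< & >", 5, buf, sizeof buf);
    printf("mysql.test: %s\n", buf);
    return 0;
}
```

Running it prints the unpatched table with a live `<a>` element in both cells and the patched one with `&lt;a&gt;`, which is the string the PR's "after patches" output and a regenerated mysql.result should contain. The encoder takes an explicit length for the same reason the patch passes lengths[i]: a cell that contains a NUL byte must not stop the escaping early, or everything after the NUL reaches the page unencoded.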