From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Oct 7 10:40:02 2008
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 20D521065693 for ; Tue, 7 Oct 2008 10:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F1CFF8FC16 for ; Tue, 7 Oct 2008 10:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m97Ae1nf088729 for ; Tue, 7 Oct 2008 10:40:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m97Ae1rc088728; Tue, 7 Oct 2008 10:40:01 GMT (envelope-from gnats)
Resent-Date: Tue, 7 Oct 2008 10:40:01 GMT
Resent-Message-Id: <200810071040.m97Ae1rc088728@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Michael Scheidell
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F66A1065688 for ; Tue, 7 Oct 2008 10:37:53 +0000 (UTC) (envelope-from scheidell@secnap.net)
Received: from scanner.secnap.net (corp.secnap.com [204.89.241.135]) by mx1.freebsd.org (Postfix) with ESMTP id F2D1E8FC25 for ; Tue, 7 Oct 2008 10:37:52 +0000 (UTC) (envelope-from scheidell@secnap.net)
Received: by scanner.secnap.net (Postfix, from userid 1001) id 8BAC91CF34; Tue, 7 Oct 2008 06:22:48 -0400 (EDT)
Message-Id: <20081007102248.8BAC91CF34@scanner.secnap.net>
Date: Tue, 7 Oct 2008 06:22:48 -0400 (EDT)
From: Michael Scheidell
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: ale@FreeBSD.org
Subject: ports/127915: Security port patch for mysql-client51.28
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 07 Oct 2008 10:40:02 -0000

>Number:         127915
>Category:       ports
>Synopsis:       Security port patch for mysql-client51.28
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 10:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Scheidell
>Release:        FreeBSD 6.3-RELEASE-p1 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #0: Mon Apr 28 20:18:31 EDT 2008 admin@tpa.link.hackertrap.net:/usr/obj/usr/src/sys/TPA_LINK i386
>Description:
portaudit and bugtraq
http://bugs.mysql.com/bug.php?id=27884

portaudit
portaudit
Affected package: mysql-client-5.1.28
Type of problem: mysql -- command line client input validation vulnerability.
Reference:
>How-To-Repeat:
mysql --html --execute "select ''"
(note, original report shows -execute. correct option is --execute)
if bad, will show:
mysql --html --execute "select ''"
>Fix:
patches from http://bugs.mysql.com/file.php?id=9232 changed locations for mysql51-28rc
tested, looks like it fixed it.
if you make full (client/server) and cd to $WORK/mysql* make test runs fine now after patches:
note the escaped <>. note this is the correct test results, not as per patch
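To make the fix concrete, here is an added example (not code from this PR, from MySQL, or from the FreeBSD port): a small C model of the cell escaping that the client/mysql.cc patch below switches to for --html output, rendered with and without escaping so the pre-patch and post-patch output can be compared on the PR's own test input. The names html_escape_into and html_table_row are hypothetical; the patched client's real routine is xmlencode_print.

```c
#include <stdio.h>
#include <string.h>

/* Escape src[0..len) into dst (capacity cap); returns bytes written without
 * the NUL, or -1 if dst is too small. These are the characters that must
 * never reach an HTML cell raw; the patch routes names and values through
 * an equivalent routine instead of printing them directly. */
static int html_escape_into(char *dst, size_t cap, const char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        char one[2] = { src[i], '\0' };
        const char *rep = one;
        switch (src[i]) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '&': rep = "&amp;";  break;
        case '"': rep = "&quot;"; break;
        }
        size_t n = strlen(rep);
        if (out + n + 1 > cap)
            return -1;
        memcpy(dst + out, rep, n);
        out += n;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Render one <TR> of n cells wrapped in tag ("TH" for the header row, "TD"
 * for data). A NULL cell prints NULL as the client does. escape=0 models the
 * pre-patch client (raw copy), escape=1 the patched client. */
static int html_table_row(char *dst, size_t cap, const char *tag,
                          const char **cells, size_t n, int escape)
{
    char esc[256];
    int out = snprintf(dst, cap, "<TR>");
    for (size_t i = 0; i < n && out >= 0 && (size_t)out < cap; i++) {
        const char *v = cells[i] ? cells[i] : "NULL";
        if (escape && cells[i]) {
            if (html_escape_into(esc, sizeof esc, v, strlen(v)) < 0)
                return -1;
            v = esc;
        }
        out += snprintf(dst + out, cap - (size_t)out, "<%s>%s</%s>", tag, v, tag);
    }
    if (out < 0 || (size_t)out >= cap)
        return -1;
    out += snprintf(dst + out, cap - (size_t)out, "</TR>");
    return (out < 0 || (size_t)out >= cap) ? -1 : out;
}
```

With escape=0 the value `< & >` lands inside the table unchanged, which is the pre-patch behaviour the PR reports; with escape=1 it comes out as `&lt; &amp; &gt;`, matching the escaped result the submitter notes above.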
please inform portsaudit/security of fix and update portsaudit. How serious? serious enough to be in portsaudit :-) added files Only in ./files: patch-client:mysql.cc Only in ./files: patch-mysql-test:mysql.result Only in ./files: patch-mysql-test:mysql.test diff -bBru /var/tmp/mysql51-server ./ diff -bBru /var/tmp/mysql51-server/Makefile ./Makefile --- /var/tmp/mysql51-server/Makefile 2008-09-23 01:43:45.000000000 -0400 +++ ./Makefile 2008-10-07 05:50:21.000000000 -0400 @@ -7,7 +7,7 @@ PORTNAME?= mysql PORTVERSION= 5.1.28 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= databases MASTER_SITES= ${MASTER_SITE_MYSQL} MASTER_SITE_SUBDIR= MySQL-5.1 diff -bBru /var/tmp/mysql51-server/files/patch-client:mysql.cc ./files/patch-client:mysql.cc --- /var/tmp/mysql51-server/files/patch-client:mysql.cc 2008-10-07 06:20:40.000000000 -0400 +++ ./files/patch-client:mysql.cc 2008-10-07 05:51:58.000000000 -0400 @@ -0,0 +1,27 @@ +--- client/mysql.cc.orig 2008-08-28 11:39:27.000000000 -0400 ++++ client/mysql.cc 2008-10-07 05:44:20.000000000 -0400 +@@ -3372,9 +3372,12 @@ + { + while((field = mysql_fetch_field(result))) + { +- tee_fprintf(PAGER, "%s", (field->name ? +- (field->name[0] ? field->name : +- "   ") : "NULL")); ++ tee_fputs("", PAGER); ++ if (field->name && field->name[0]) ++ xmlencode_print(field->name, field->name_length); ++ else ++ tee_fputs(field->name ? "   " : "NULL", PAGER); ++ tee_fputs("", PAGER); + } + (void) tee_fputs("", PAGER); + } +@@ -3387,7 +3390,7 @@ + for (uint i=0; i < mysql_num_fields(result); i++) + { + (void) tee_fputs("", PAGER); +- safe_put_field(cur[i],lengths[i]); ++ xmlencode_print(cur[i],lengths[i]); + (void) tee_fputs("", PAGER); + } + (void) tee_fputs("", PAGER); diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result ./files/patch-mysql-test:mysql.result --- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result 2008-10-07 06:20:49.000000000 -0400 +++ ./files/patch-mysql-test:mysql.result 2008-10-07 06:13:49.000000000 -0400 
@@ -0,0 +1,11 @@ +--- mysql-test/r/mysql.result.orig 2008-08-28 12:08:36.000000000 -0400 ++++ mysql-test/r/mysql.result 2008-10-07 05:45:48.000000000 -0400 +@@ -182,6 +182,8 @@ + This is a file starting with UTF8 BOM 0xEFBBBF + End of 5.0 tests + WARNING: --server-arg option not supported in this configuration. +
++End of 5.1 tests + Warning (Code 1286): Unknown table engine 'nonexistent' + Warning (Code 1266): Using storage engine MyISAM for table 't2' + Warning (Code 1286): Unknown table engine 'nonexistent2' diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test ./files/patch-mysql-test:mysql.test --- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test 2008-10-07 06:21:00.000000000 -0400 +++ ./files/patch-mysql-test:mysql.test 2008-10-07 05:54:12.000000000 -0400 @@ -0,0 +1,17 @@ +--- mysql-test/t/mysql.test.orig 2008-08-28 12:08:36.000000000 -0400 ++++ mysql-test/t/mysql.test 2008-10-07 05:48:59.000000000 -0400 +@@ -301,6 +301,14 @@ + --enable_query_log + + # ++# Bug #27884: mysql --html does not quote HTML special characters in output ++# ++--exec $MYSQL --html test -e "select '< & >' as \`<\`" ++ ++--echo ++--echo End of 5.1 tests ++ ++# + # Bug #25146: Some warnings/errors not shown when using --show-warnings + # + >Release-Note: >Audit-Trail: >Unformatted: Class: sw-bug
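Review bot: the PORTREVISION bump from 0 to 1 in the Makefile hunk is the right way to force a rebuild for a patch-only change, but the diff is taken against /var/tmp/mysql51-server while the synopsis names mysql-client-5.1.28; the committer should confirm that the client port consumes the same files/ directory so that patch-client:mysql.cc is applied to the client build and not only to the server build.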
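Review bot: in the patch-client:mysql.cc hunk the string literals passed to tee_fputs appear here as "" because the list archive stripped the HTML tag text, so the file committed under files/ must be taken from http://bugs.mysql.com/file.php?id=9232 rather than from this mail. On the logic itself, the header loop now escapes field->name only when it is non-empty and keeps the pre-patch output for the NULL and empty cases, and the data loop replaces safe_put_field(cur[i],lengths[i]) with xmlencode_print(cur[i],lengths[i]), which still receives the explicit length rather than relying on NUL termination; both changed paths are exercised by the new mysql.test case.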
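Review bot: the two lines added to patch-mysql-test:mysql.result between "WARNING: --server-arg option not supported in this configuration." and "End of 5.1 tests" survive in this mail only as stripped residue, so the expected output cannot be reviewed from the list archive; it must match the client's escaped output byte for byte, so copy it from the upstream file rather than retyping it.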
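Review bot: the new test line `--exec $MYSQL --html test -e "select '< & >' as \`<\`"` in patch-mysql-test:mysql.test exercises both changed code paths, the column alias for the header loop and the value for the data loop, which is the right shape; a second statement such as `select NULL` would also pin down the unchanged NULL branch so the result file records that it still prints NULL rather than an empty cell. The added `--echo End of 5.1 tests` marker is placed before the existing Bug #25146 block, so the ordering in mysql.result has to match.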