SOURCES: mysql-rename-table.patch (NEW) BUG#32111 - Security Breach via DA...

arekm arekm at pld-linux.org
Thu May 22 10:47:15 CEST 2008


Author: arekm                        Date: Thu May 22 08:47:14 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
 BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
  
  RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites
  the file to which the symlink points.
  
  This is a security issue, because it is possible to create a table with
  some name in some non-system database and set DATA/INDEX DIRECTORY
  to the mysql system database. Renaming this table to one of the mysql
  system tables (e.g. user, host) would overwrite the system table.
  
  Return an error when the file to which the symlink points exists.

---- Files affected:
SOURCES:
   mysql-rename-table.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/mysql-rename-table.patch
diff -u /dev/null SOURCES/mysql-rename-table.patch:1.1
--- /dev/null	Thu May 22 10:47:15 2008
+++ SOURCES/mysql-rename-table.patch	Thu May 22 10:47:08 2008
@@ -0,0 +1,93 @@
+
+#### ChangeSet ####
+2007-11-06 18:09:33+04:00, svoj at mysql.com 
+  BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
+  
+  RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites
+  the file to which the symlink points.
+  
+  This is security issue, because it is possible to create a table with
+  some name in some non-system database and set DATA/INDEX DIRECTORY
+  to mysql system database. Renaming this table to one of mysql system
+  tables (e.g. user, host) would overwrite the system table.
+  
+  Return an error when the file to which the symlink points exist.
+
+==== mysql-test/r/symlink.result ====
+2007-11-06 18:09:32+04:00, svoj at mysql.com +6 -0
+  A test case for BUG#32111.
+
+--- 1.7/mysql-test/r/symlink.result	2003-12-12 12:26:56 -08:00
++++ 1.8/mysql-test/r/symlink.result	2007-11-06 06:09:32 -08:00
+@@ -84,3 +84,9 @@ t1	CREATE TABLE `t1` (
+   `b` int(11) default NULL
+ ) TYPE=MyISAM
+ drop table t1;
++CREATE TABLE t1(a INT)
++DATA DIRECTORY='TEST_DIR/var/master-data/mysql'
++INDEX DIRECTORY='TEST_DIR/var/master-data/mysql';
++RENAME TABLE t1 TO user;
++Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17)
++DROP TABLE t1;
+
+==== mysql-test/t/symlink.test ====
+2007-11-06 18:09:32+04:00, svoj at mysql.com +12 -0
+  A test case for BUG#32111.
+
+--- 1.6/mysql-test/t/symlink.test	2003-12-12 12:26:56 -08:00
++++ 1.7/mysql-test/t/symlink.test	2007-11-06 06:09:32 -08:00
+@@ -112,3 +112,15 @@ eval alter table t1 index directory="$MY
+ enable_query_log;
+ show create table t1;
+ drop table t1;
++
++#
++# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
++#
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++eval CREATE TABLE t1(a INT)
++DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql'
++INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql';
++--replace_result $MYSQL_TEST_DIR TEST_DIR
++--error 1
++RENAME TABLE t1 TO user;
++DROP TABLE t1;
+
+==== mysys/my_symlink2.c ====
+2007-11-06 18:09:32+04:00, svoj at mysql.com +10 -1
+  Return an error when the file to which the symlink points exist.
+
+--- 1.6/mysys/my_symlink2.c	2003-12-12 12:26:56 -08:00
++++ 1.7/mysys/my_symlink2.c	2007-11-06 06:09:32 -08:00
+@@ -120,6 +120,7 @@ int my_rename_with_symlink(const char *f
+   int was_symlink= (!my_disable_symlinks &&
+ 		    !my_readlink(link_name, from, MYF(0)));
+   int result=0;
++  int name_is_different;
+   DBUG_ENTER("my_rename_with_symlink");
+ 
+   if (!was_symlink)
+@@ -128,6 +129,14 @@ int my_rename_with_symlink(const char *f
+   /* Change filename that symlink pointed to */
+   strmov(tmp_name, to);
+   fn_same(tmp_name,link_name,1);		/* Copy dir */
++  name_is_different= strcmp(link_name, tmp_name);
++  if (name_is_different && !access(tmp_name, F_OK))
++  {
++    my_errno= EEXIST;
++    if (MyFlags & MY_WME)
++      my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
++    DBUG_RETURN(1);
++  }
+ 
+   /* Create new symlink */
+   if (my_symlink(tmp_name, to, MyFlags))
+@@ -139,7 +148,7 @@ int my_rename_with_symlink(const char *f
+     the same basename and different directories.
+    */
+ 
+-  if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
++  if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
+   {
+     int save_errno=my_errno;
+     my_delete(to, MyFlags);			/* Remove created symlink */
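Review bot: The existence test added in the `mysys/my_symlink2.c` hunk at `+129,14` is a check-then-act sequence: `access(tmp_name, F_OK)` runs first, while `my_symlink()` and `my_rename(link_name, tmp_name, MyFlags)` follow as separate calls, so a file that appears at `tmp_name` in between would still be replaced by the rename. Whether anything can create that file concurrently depends on locking that is not visible here, since the body of `my_rename_with_symlink` starts and ends outside the hunks. I would record that limit next to the check, e.g. `/* Advisory check only: not atomic with the my_rename() below */`. `access()` also follows symlinks, so a dangling link at `tmp_name` is reported as absent; an `lstat()`-based test would treat it as existing and refuse the rename.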
================================================================

