This repository has been archived on 2024-11-07. You can view files and clone it, but cannot push or open issues or pull requests.
mysql51/mysql-4.1.19-CVE-2006-0903.patch

82 lines
2.5 KiB
Diff
Raw Normal View History

diff -pur mysql-4.1.19/sql/sql_lex.cc mysql-4.1.19-secfix/sql/sql_lex.cc
--- mysql-4.1.19/sql/sql_lex.cc 2006-04-29 07:35:53.000000000 +0200
+++ mysql-4.1.19-secfix/sql/sql_lex.cc 2006-05-15 12:52:06.000000000 +0200
@@ -912,6 +912,9 @@ int yylex(void *arg, void *yythd)
while (lex->ptr != lex->end_of_query &&
((c=yyGet()) != '*' || yyPeek() != '/'))
{
+ if (c == '\0')
+ return(ABORT_SYM); // NULLs illegal even in comments
+
if (c == '\n')
lex->yylineno++;
}
diff -pur mysql-4.1.19/tests/mysql_client_test.c mysql-4.1.19-secfix/tests/mysql_client_test.c
--- mysql-4.1.19/tests/mysql_client_test.c 2006-04-29 07:35:53.000000000 +0200
+++ mysql-4.1.19-secfix/tests/mysql_client_test.c 2006-05-15 12:59:49.000000000 +0200
@@ -22,6 +22,7 @@
***************************************************************************/
#include <my_global.h>
+#include <mysqld_error.h>
#include <my_sys.h>
#include <mysql.h>
#include <errmsg.h>
@@ -11849,6 +11850,48 @@ static void test_bug15613()
}
/*
++ Bug #17667: An attacker has the opportunity to bypass query logging.
++*/
+
+static void test_bug17667()
+{
+ NET *net= &mysql->net;
+ int rc;
+ myheader("test_bug17667");
+
+ /* I. Prepare the table */
+ mysql_real_query(mysql, "drop table if exists t1", 23);
+
+ rc= mysql_real_query(mysql, "create table t1 (i int)", 23);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "insert into t1 (i) values (1)", 29);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+ mysql_real_query(mysql, "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+ mysql_real_query(mysql, "insert into /* TAB=\t */ t1 (i) values (4)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ mysql_real_query(mysql, "/* TAB=\t */ insert into t1 (i) values (5)", 41);
+ myquery(rc);
+ DIE_UNLESS(net->last_errno == 0);
+
+ /* II. Cleanup */
+ rc= mysql_real_query(mysql, "drop table t1", 13);
+ myquery(rc);
+}
+
+/*
Read and parse arguments and MySQL options from my.cnf
*/
@@ -12071,6 +12114,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug11718", test_bug11718 },
{ "test_bug12925", test_bug12925 },
{ "test_bug15613", test_bug15613 },
+ { "test_bug17667", test_bug17667 },
{ 0, 0 }
};