1 #! /bin/sh /usr/share/dpatch/dpatch-run
2 ## 91_SECURITY_CVE-2007-5925.dpatch by <nobse@debian.org>
4 ## All lines beginning with `## DP:' are a description of the patch.
5 ## DP: Fix for CVE-2007-5925: The convert_search_mode_to_innobase function in
6 ## DP: ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
7 ## DP: remote authenticated users to cause a denial of service (database crash)
8 ## DP: via a certain CONTAINS operation on an indexed column, which triggers an
9 ## DP: assertion error. (closes: #451235)
12 diff -ru old/innobase/include/db0err.h new/innobase/include/db0err.h
13 --- old/innobase/include/db0err.h 2007-07-04 16:06:59.000000000 +0300
14 +++ new/innobase/include/db0err.h 2007-11-15 10:23:51.000000000 +0200
16 buffer pool (for big transactions,
17 InnoDB stores the lock structs in the
19 +#define DB_FOREIGN_DUPLICATE_KEY 46 /* foreign key constraints
20 + activated by the operation would
21 + lead to a duplicate key in some
23 +#define DB_TOO_MANY_CONCURRENT_TRXS 47 /* when InnoDB runs out of the
24 + preconfigured undo slots, this can
25 + only happen when there are too many
26 + concurrent transactions */
27 +#define DB_UNSUPPORTED 48 /* when InnoDB sees any artefact or
28 + a feature that it can't recoginize or
29 + work with e.g., FT indexes created by
30 + a later version of the engine. */
32 /* The following are partial failure codes */
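Review bot: Of the three error codes added here only DB_UNSUPPORTED is given a MySQL mapping by this patch (the ha_innodb.cc hunk adds it to convert_error_code_to_mysql); DB_FOREIGN_DUPLICATE_KEY and DB_TOO_MANY_CONCURRENT_TRXS are defined but, as far as this diff shows, nothing returns or translates them, so any later code that does return them would fall into the `return(-1); // Unknown error` fallback. If they are only carried along to keep the numbering aligned with upstream, say so next to them, e.g. `/* 46 and 47 reserved to match upstream numbering; not returned by this version */`. The DB_UNSUPPORTED comment also has a typo: `a feature that it can't recognize or`.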
34 diff -ru old/innobase/include/page0cur.h new/innobase/include/page0cur.h
35 --- old/innobase/include/page0cur.h 2007-07-04 16:06:10.000000000 +0300
36 +++ new/innobase/include/page0cur.h 2007-11-15 10:23:51.000000000 +0200
39 /* Page cursor search modes; the values must be in this order! */
41 +#define PAGE_CUR_UNSUPP 0
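Review bot: PAGE_CUR_UNSUPP is an in-band sentinel that convert_search_mode_to_innobase() now returns and that every caller must test before handing a mode to row_search_for_mysql() or btr_estimate_n_rows_in_range(), yet the define carries no comment and the line above it only says the values must stay ordered. A short note would stop the next maintainer from treating 0 as a real mode: `#define PAGE_CUR_UNSUPP 0 /* not a search mode: returned when the MySQL key flag cannot be served; callers must check for it and never search with it */`. Keeping it at 0, below every real mode, is what lets the ordering remark still hold.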
45 diff -ru old/sql/ha_innodb.cc new/sql/ha_innodb.cc
46 --- old/sql/ha_innodb.cc 2007-07-04 16:06:48.000000000 +0300
47 +++ new/sql/ha_innodb.cc 2007-11-15 10:25:55.000000000 +0200
51 return(HA_ERR_LOCK_TABLE_FULL);
52 + } else if (error == DB_UNSUPPORTED) {
54 + return(HA_ERR_UNSUPPORTED);
56 return(-1); // Unknown error
58 @@ -3689,11 +3692,21 @@
59 and comparison of non-latin1 char type fields in
60 innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to
64 + case HA_READ_MBR_CONTAIN:
65 + case HA_READ_MBR_INTERSECT:
66 + case HA_READ_MBR_WITHIN:
67 + case HA_READ_MBR_DISJOINT:
68 + my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0));
69 + return(PAGE_CUR_UNSUPP);
70 + /* do not use "default:" in order to produce a gcc warning:
71 + enumeration value '...' not handled in switch
72 + (if -Wswitch or -Wall is used)
77 + my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality");
79 + return(PAGE_CUR_UNSUPP);
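Review bot: convert_search_mode_to_innobase() now has a side effect, my_error(), but it is also used on the estimation path: records_in_range() calls it for both ends of the range (the mode2 call is visible in the last hunk), so an unsupported MBR flag on a range would, as far as the visible code shows, call my_error() twice and do so while the optimizer is only estimating row counts rather than executing the read. Consider keeping the function pure, returning PAGE_CUR_UNSUPP only, and letting index_read() and records_in_range() decide whether to report, or at least state the contract in the function header: `Returns PAGE_CUR_UNSUPP, having already called my_error(), for key flags InnoDB cannot serve; callers must not search with that value.` The function begins before this hunk, so its header comment is not visible here. The explicit case list with no `default:` is the right choice, for the reason the comment gives.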
83 @@ -3831,11 +3844,18 @@
85 last_match_mode = (uint) match_mode;
87 - innodb_srv_conc_enter_innodb(prebuilt->trx);
88 + if (mode != PAGE_CUR_UNSUPP) {
90 - ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0);
91 + innodb_srv_conc_enter_innodb(prebuilt->trx);
93 - innodb_srv_conc_exit_innodb(prebuilt->trx);
94 + ret = row_search_for_mysql((byte*) buf, mode, prebuilt,
97 + innodb_srv_conc_exit_innodb(prebuilt->trx);
100 + ret = DB_UNSUPPORTED;
103 if (ret == DB_SUCCESS) {
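Review bot: The new `ret = DB_UNSUPPORTED;` branch relies on convert_search_mode_to_innobase() having already reported the error through my_error(); the code after this hunk presumably maps ret through convert_error_code_to_mysql() to HA_ERR_UNSUPPORTED, which the handler layer may then report a second time on top of the first message. A comment at the assignment would keep someone from later "fixing" the silent branch by adding another my_error(): `/* error already reported by convert_search_mode_to_innobase(); just return a code */`. Also confirm that the unsupported path still sets table->status the way the other error returns do, since that code is outside the hunk. index_read() starts and ends outside this hunk.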
105 @@ -5150,8 +5170,16 @@
106 mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag :
109 - n_rows = btr_estimate_n_rows_in_range(index, range_start,
110 - mode1, range_end, mode2);
111 + if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) {
113 + n_rows = btr_estimate_n_rows_in_range(index, range_start,
121 dtuple_free_for_mysql(heap1);
122 dtuple_free_for_mysql(heap2);