- svn export svn://svn.debian.org/svn/pkg-mysql/branches/sid-5.0/debian/patches/91_SE...
1 #! /bin/sh /usr/share/dpatch/dpatch-run
2 ## 91_SECURITY_CVE-2007-5925.dpatch by  <nobse@debian.org>
3 ##
4 ## All lines beginning with `## DP:' are a description of the patch.
5 ## DP: Fix for CVE-2007-5925: The convert_search_mode_to_innobase function in
6 ## DP: ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
7 ## DP: remote authenticated users to cause a denial of service (database crash)
8 ## DP: via a certain CONTAINS operation on an indexed column, which triggers an
9 ## DP: assertion error. (closes: #451235)
10
11 @DPATCH@
12 diff -ru old/innobase/include/db0err.h new/innobase/include/db0err.h
13 --- old/innobase/include/db0err.h       2007-07-04 16:06:59.000000000 +0300
14 +++ new/innobase/include/db0err.h       2007-11-15 10:23:51.000000000 +0200
15 @@ -57,6 +57,18 @@
16                                         buffer pool (for big transactions,
17                                         InnoDB stores the lock structs in the
18                                         buffer pool) */
19 +#define DB_FOREIGN_DUPLICATE_KEY 46    /* foreign key constraints
20 +                                       activated by the operation would
21 +                                       lead to a duplicate key in some
22 +                                       table */
23 +#define DB_TOO_MANY_CONCURRENT_TRXS 47 /* when InnoDB runs out of the
24 +                                       preconfigured undo slots, this can
25 +                                       only happen when there are too many
26 +                                       concurrent transactions */
27 +#define DB_UNSUPPORTED         48      /* when InnoDB sees any artefact or
28 +                                       a feature that it can't recoginize or
29 +                                       work with e.g., FT indexes created by
30 +                                       a later version of the engine. */
31  
32  /* The following are partial failure codes */
33  #define DB_FAIL                1000
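Review bot: The comment on the new DB_UNSUPPORTED definition misspells "recognize" as "recoginize"; fix it in the same line (`a feature that it can't recognize or`). Separately, DB_FOREIGN_DUPLICATE_KEY (46) and DB_TOO_MANY_CONCURRENT_TRXS (47) are defined here but nothing else in this patch references them — presumably they are carried along so DB_UNSUPPORTED keeps the upstream value 48. A one-line comment such as `/* 46 and 47 are unused by this backport; kept so DB_UNSUPPORTED matches upstream's 48 */` would stop a later backporter from treating them as dead and renumbering, which would silently change the value convert_error_code_to_mysql tests.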
34 diff -ru old/innobase/include/page0cur.h new/innobase/include/page0cur.h
35 --- old/innobase/include/page0cur.h     2007-07-04 16:06:10.000000000 +0300
36 +++ new/innobase/include/page0cur.h     2007-11-15 10:23:51.000000000 +0200
37 @@ -22,6 +22,7 @@
38  
39  /* Page cursor search modes; the values must be in this order! */
40  
41 +#define        PAGE_CUR_UNSUPP 0
42  #define        PAGE_CUR_G      1
43  #define        PAGE_CUR_GE     2
44  #define        PAGE_CUR_L      3
45 diff -ru old/sql/ha_innodb.cc new/sql/ha_innodb.cc
46 --- old/sql/ha_innodb.cc        2007-07-04 16:06:48.000000000 +0300
47 +++ new/sql/ha_innodb.cc        2007-11-15 10:25:55.000000000 +0200
48 @@ -526,6 +526,9 @@
49                 }
50  
51                 return(HA_ERR_LOCK_TABLE_FULL);
52 +       } else if (error == DB_UNSUPPORTED) {
53
54 +               return(HA_ERR_UNSUPPORTED);
55         } else {
56                 return(-1);                     // Unknown error
57         }
58 @@ -3689,11 +3692,21 @@
59                   and comparison of non-latin1 char type fields in
60                   innobase_mysql_cmp() to get PAGE_CUR_LE_OR_EXTENDS to
61                   work correctly. */
62 -
63 -               default:                        assert(0);
64 +               case HA_READ_MBR_CONTAIN:
65 +               case HA_READ_MBR_INTERSECT:
66 +               case HA_READ_MBR_WITHIN:
67 +               case HA_READ_MBR_DISJOINT:
68 +                       my_error(ER_TABLE_CANT_HANDLE_SPKEYS, MYF(0));
69 +                       return(PAGE_CUR_UNSUPP);
70 +               /* do not use "default:" in order to produce a gcc warning:
71 +               enumeration value '...' not handled in switch
72 +               (if -Wswitch or -Wall is used)
73 +               */
74         }
75  
76 -       return(0);
77 +       my_error(ER_CHECK_NOT_IMPLEMENTED, MYF(0), "this functionality");
78 +
79 +       return(PAGE_CUR_UNSUPP);
80  }
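Review bot: The function now signals an unsupported key flag in two ways at once — it raises the MySQL error with my_error() and returns the PAGE_CUR_UNSUPP sentinel — and the crash this CVE fixes only stays fixed if every caller tests the sentinel before passing `mode` into the B-tree; the two callers patched below do, but the contract is not written down anywhere. Add above the function (its signature is outside this hunk) a comment along the lines of `/* Returns PAGE_CUR_UNSUPP (0) for HA_READ_* flags InnoDB cannot search on, after raising the MySQL error; callers must check for it and must not pass it to row_search_for_mysql() or btr_estimate_n_rows_in_range(). */`. Dropping `default:` so that a new HA_READ_* enumerator becomes a -Wswitch warning and, at runtime, a reported ER_CHECK_NOT_IMPLEMENTED rather than an assert(0) is the right call — that is what turns the remote-triggerable abort into an ordinary error.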
81  
82  /*
83 @@ -3831,11 +3844,18 @@
84  
85         last_match_mode = (uint) match_mode;
86  
87 -       innodb_srv_conc_enter_innodb(prebuilt->trx);
88 +       if (mode != PAGE_CUR_UNSUPP) {
89  
90 -       ret = row_search_for_mysql((byte*) buf, mode, prebuilt, match_mode, 0);
91 +               innodb_srv_conc_enter_innodb(prebuilt->trx);
92  
93 -       innodb_srv_conc_exit_innodb(prebuilt->trx);
94 +               ret = row_search_for_mysql((byte*) buf, mode, prebuilt,
95 +                                          match_mode, 0);
96 +
97 +               innodb_srv_conc_exit_innodb(prebuilt->trx);
98 +       } else {
99 +
100 +               ret = DB_UNSUPPORTED;
101 +       }
102  
103         if (ret == DB_SUCCESS) {
104                 error = 0;
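Review bot: On the PAGE_CUR_UNSUPP branch `ret = DB_UNSUPPORTED` is later converted (outside this hunk, presumably via convert_error_code_to_mysql) to HA_ERR_UNSUPPORTED, so the statement fails with the generic handler-level message even though convert_search_mode_to_innobase has already raised the specific ER_TABLE_CANT_HANDLE_SPKEYS or ER_CHECK_NOT_IMPLEMENTED error; which text the client ends up seeing depends on how print_error treats an error that is already set, which is worth confirming with a test that an MBR read on an InnoDB index reports the spatial-key message rather than a bare "unsupported". The branch correctly skips the innodb_srv_conc_enter/exit pair so the concurrency ticket stays balanced; make that intent explicit with `/* unsupported search mode: error already raised by convert_search_mode_to_innobase(); do not enter InnoDB */` on the else branch. index_read continues past the end of this hunk.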
105 @@ -5150,8 +5170,16 @@
106         mode2 = convert_search_mode_to_innobase(max_key ? max_key->flag :
107                                                  HA_READ_KEY_EXACT);
108  
109 -       n_rows = btr_estimate_n_rows_in_range(index, range_start,
110 -                                               mode1, range_end, mode2);
111 +       if (mode1 != PAGE_CUR_UNSUPP && mode2 != PAGE_CUR_UNSUPP) {
112 +
113 +               n_rows = btr_estimate_n_rows_in_range(index, range_start,
114 +                                                     mode1, range_end,
115 +                                                     mode2);
116 +       } else {
117 +
118 +               n_rows = 0;
119 +       }
120 +
121         dtuple_free_for_mysql(heap1);
122         dtuple_free_for_mysql(heap2);
123  
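Review bot: records_in_range has no error return, so on the PAGE_CUR_UNSUPP path the only signal to the caller is the my_error() already raised inside convert_search_mode_to_innobase, and the function still hands back an estimate (n_rows = 0, possibly adjusted by code after the hunk); whether the optimizer then aborts the statement depends on it checking the thread's error state, which this hunk does not document — add `/* unsupported search mode: error already raised; return a dummy estimate and rely on the caller seeing the thread error */` on the else branch. Also, mode2 is computed unconditionally even when mode1 (computed just before this hunk) is already PAGE_CUR_UNSUPP, so a range with two unsupported flags pushes two errors; gating the mode2 call on `mode1 != PAGE_CUR_UNSUPP` would avoid the duplicate. The function continues past the end of this hunk.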