• Venkata Sidagam's avatar
    Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE · de0e8a02
    Venkata Sidagam authored
    Description: Fix for bug CVE-2012-5611 (bug 67685) is 
    incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
    check_grant_db() can be overflown by up to two bytes. That's 
    probably not enough to do anything more serious than crashing 
    mysqld.
    Analysis: In acl_get() when "copy_length" is calculated it 
    just adding the variable lengths. But when we are using them 
    with strmov() we are adding +1 to each. This will lead to a 
    three byte buffer overflow (i.e two +1's at strmov() and one 
    byte for the null added by strmov() function). Similarly it 
    happens for check_grant_db() function as well.
    Fix: We need to add "+2" to "copy_length" in acl_get() 
    and "+1" to "copy_length" in check_grant_db(). 
    de0e8a02
sql_acl.cc 201 KB