1. 04 Dec, 2016 1 commit
  2. 29 Nov, 2016 2 commits
    • Shishir Jaiswal's avatar
      Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT · 52b0c814
      Shishir Jaiswal authored
      DESCRIPTION
      ===========
      Performing a pattern match of a Regex resulting into a very
      large string, leads to crash due to integer wraparound.
      
      ANALYSIS
      ========
      doinsert() - The length calculated here (to copy the
      number of bytes) comes out to be too large to be stored in
      the "int" variable 'length'. We need to ensure that the
      variable can accommodate large lengths.
      
      FIX
      ===
      'length' in doinsert() is now defined as of type "size_t"
      instead of "int"
      52b0c814
    • Shishir Jaiswal's avatar
      Bug#24449090 - BUFFER OVERFLOW IN FUNCTION DUPL · 8f297058
      Shishir Jaiswal authored
      DESCRIPTION
      ===========
      Performing a pattern match of a Regex resulting into a very
      large string, leads to crash due to failed realloc().
      
      ANALYSIS
      ========
      dupl() calls enlarge(). It in turn calls realloc() for
      pointer p->strip. This eventually fails due to OOM.
      However we are still using the same pointer in memcpy()
      causing a SEGFAULT!
      
      FIX
      ===
      1) In dupl(), checking for error code (which would be set
      if realloc fails) immediately after call to enlarge().
      Returning now with this error code.
      
      2) Handling the same in the caller functions.
      8f297058
  3. 28 Nov, 2016 3 commits
  4. 26 Nov, 2016 1 commit
  5. 24 Nov, 2016 2 commits
  6. 16 Nov, 2016 1 commit
    • Terje Rosten's avatar
      Bug#25088048 ADDITIONAL ISSUES IN MYSQLD_SAFE · cdd57aa7
      Terje Rosten authored
      Don't read --ledir option from config file.
      Ignore current working for finding location of mysqld
      Remove use of chown/chmod in scripts.
      Be helpful only when basedir is /var/log or /var/lib.
      Removed unused systemd files for SLES.
      Set explicit basedir in scripts.
      cdd57aa7
  7. 10 Nov, 2016 1 commit
    • Karthik Kamath's avatar
      BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE · a63185e8
      Karthik Kamath authored
      ANALYSIS:
      =========
      'CREATE TABLE' query with a large value for 'CONNECTION'
      string reports an incorrect error.
      
      The length of connection string is stored in .frm in two
      bytes (max value= 65535). When the string length exceeds
      the max value, the length is truncated to fit the two
      bytes limit. Further processing leads to reading only a
      part of the string as the length stored is incorrect. The
      remaining part of the string is treated as engine type and
      hence results in an error.
      
      FIX:
      ====
      We are now restricting the connection string length to 1024.
      An appropriate error is reported if the length crosses this
      limit.
      
      NOTE:
      =====
      The 'PASSWORD' table option is documented as unused and
      processed within a dead code. Hence it will not cause
      similar issue with large strings.
      a63185e8
  8. 09 Nov, 2016 1 commit
  9. 05 Nov, 2016 1 commit
  10. 31 Oct, 2016 1 commit
  11. 28 Oct, 2016 1 commit
    • Thayumanavar S's avatar
      BUG#24487120 - SLAVE'S SLAVE_SQL_RUNNING IS STOPPED DURING · c3cf7f47
      Thayumanavar S authored
       LOAD DATA AT MASTER.
      
      Revert "BUG#23080148 - BACKPORT BUG 14653594 AND BUG 20683959 TO"
      
      This reverts commit 1d31f5b3090d129382b50b95512f2f79305715a1.
      The commit causes replication incompatibility between minor revisions
      and based on discussion with Srinivasarao, the patch is reverted.
      c3cf7f47
  12. 24 Oct, 2016 1 commit
    • Terje Rosten's avatar
      Bug#24925181 INCORRECT ISA DETECTION CODE IN OEL RPM SPEC · 63b2c976
      Terje Rosten authored
      Wrapper for mysql_config used in multilib installs modified to work as
      intended, added more archs (aarch64, ppc64le, s390x, s390, sparc and
      sparc64) to lists in fallback mode and use same script for EL and
      Fedora.
      
      Thanks to Alexey Kopytov for report and fix.
      63b2c976
  13. 13 Oct, 2016 1 commit
    • Karthik Kamath's avatar
      BUG#23499695: MYSQL SERVER NORMAL SHUTDOWN WITH TIME STAMP · 14921277
      Karthik Kamath authored
                    700101
      
      ANALYSIS:
      =========
      To set the time 'start_time' of query in THD, current time
      is obtained by calling 'gettimeofday()'. On Solaris
      platform, due to some system level issues, time obtained is
      invalid i.e. its either greater than 2038 (max signed value
      to hold microseconds since 1970) or 1970 (0 microseconds
      since 1970). In these cases, validation checks infer that
      the 'start_time' is invalid and mysql server initiates the
      shutdown process. But the reason for shutdown is not logged.
      
      FIX:
      ====
      We are now logging appropriate message when shutdown is
      triggered in the above mentioned scenarios. Now, even if
      the initial validation checks infer that the 'start_time'
      is invalid, server shutdown is not initiated immediately.
      Before initiating the server shutdown, the process of
      setting 'start_time' and validating it is reiterated (for
      max 5 times). If correct time is obtained in these 5
      iterations then server continues to run.
      14921277
  14. 12 Oct, 2016 1 commit
  15. 06 Oct, 2016 1 commit
    • Terje Rosten's avatar
      Bug#24483092 UNSAFE USE OF VARIOUS SHELL UTILITIES · 1f93f438
      Terje Rosten authored
       - Remove use of touch and chmod.
       - Restrict usage of chown to cases where target directory is /var/log.
       - Due to limited feature set in /bin/sh on Solaris, /bin/bash will be
         used on this platform.
       - Give error if directory for UNIX socket file is missing.
       - Privileged user should not log to files owned by different user
         (mysqld will log as before).
      1f93f438
  16. 03 Oct, 2016 1 commit
  17. 29 Sep, 2016 1 commit
  18. 28 Sep, 2016 3 commits
  19. 27 Sep, 2016 1 commit
  20. 26 Sep, 2016 2 commits
  21. 08 Sep, 2016 1 commit
    • Georgi Kodinov's avatar
      Bug #24496214: MISLEADING ERROR EXECUTING MYSQLADMIN SHUTDOWN AGAINST A SERVER · 0d43e570
      Georgi Kodinov authored
      RUNNING FIREWALL
      
      mysqladmin shutdown will try to extract the server's pid file before executing
      the actual shutdown command.
      It will do that by executing a SHOW VARIABLES query and processing the result.
      However if that query fails it print a (somewhat confusing) error mesasage
      and will still continue to do the shutdown command.
      If that passes then the mysqladmin user will get an error but the shutdown will
      still be successful.
      This is confusing so the error message text is changed to say that this is a
      non-fatal error and execution continues.
      No test case added since it'd require a selective query failure device that's
      not available in 5.5.
      0d43e570
  22. 06 Sep, 2016 1 commit
  23. 02 Sep, 2016 1 commit
    • Kailasnath Nagarkar's avatar
      Bug #24489302 : ZEROFILL CAUSE MEMORY-CORRUPTION AND CRASH · 91ddaff9
      Kailasnath Nagarkar authored
      ISSUE: Heap corruption occurs and hence mysql server
             terminates abnormally in String variable destructor
             when ZEROFILL is used for a column.
             Though the abnormal termination is observed in the
             String destructor, heap corruption occurs at earlier
             stage when function Field_num::prepend_zeros() is called.
             This function, prepends zeros to the actual data and
             works on entire field length. Since the allocated memory
             could be less than the field length, heap corruption occurs.
             Later, when String destructor tries to free heap, the server
             terminates abnormally since the heap is corrupt.
      
      
      
      SOLUTION: In Field_num::prepend_zeros() function, if allocated memory
                is less than the field length, re-allocate memory enough to
                hold field length size data.
      91ddaff9
  24. 29 Aug, 2016 1 commit
  25. 26 Aug, 2016 3 commits
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 754e7eff
      Terje Rosten authored
      Post push fix: Solaris 10 /bin/sh don't understand $().
      754e7eff
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 7603ac53
      Terje Rosten authored
      Post push fix: Solaris 10 /bin/sh don't understand $().
      7603ac53
    • Kailasnath Nagarkar's avatar
      Bug #23303485 : HANDLE_FATAL_SIGNAL (SIG=11) IN · 97fad851
      Kailasnath Nagarkar authored
                      SUBSELECT_UNION_ENGINE::NO_ROWS
      
      This patch is specific for mysql-5.5
      
      ISSUE: When max_join_size is used and union query
             results in evaluation of tuples greater than
             max_join_size, the join object is not created,
             and is set to NULL.
             However, this join object is further dereferenced
             by union logic to determine if query resulted in
             any number of rows being returned.
             Since, the object is NULL, it results in
             program terminating abnormally.
      
      SOLUTION: Added check to verify if join object is created.
                If join object is created, it will be used to
                determine if query resulted in any number of rows.
                Else, when join object is not created, we return
                'false' indicating that there were no rows for the
                query.
      97fad851
  26. 25 Aug, 2016 3 commits
    • Sivert Sorumgard's avatar
      Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE · 48bd8b16
      Sivert Sorumgard authored
      [This is the 5.5/5.6 version of the bugfix].
      
      The problem was that it was possible to write log files ending
      in .ini/.cnf that later could be parsed as an options file.
      This made it possible for users to specify startup options
      without the permissions to do so.
      
      This patch fixes the problem by disallowing general query log
      and slow query log to be written to files ending in .ini and .cnf.
      48bd8b16
    • Jon Olav Hauglid's avatar
      Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE · 4e547386
      Jon Olav Hauglid authored
      During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
      is created. When repair finishes, this file is renamed to the original
      .MYD file. The problem was that during this rename, we copied the
      stats from the old file to the new file with chmod/chown. If a user
      managed to replace the temporary file before chmod/chown was executed,
      it was possible to get an arbitrary file with the privileges of the
      mysql user.
      
      This patch fixes the problem by not copying stats from the old
      file to the new file. This is not needed as the new file was
      created with the correct stats. This fix only changes server
      behavior - external utilities such as myisamchk still does
      chmod/chown.
      
      No test case provided since the problem involves synchronization
      with file system operations.
      4e547386
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 684a165f
      Terje Rosten authored
      Argument to malloc-lib must be included in restricted list of
      directories, symlink guards added, and mysqld and mysqld-version
      options restricted to command line only. Don't redirect errors to
      stderr.
      684a165f
  27. 24 Aug, 2016 2 commits
    • Jon Olav Hauglid's avatar
      Bug#24400628: DEBUG ASSETION KICKS IN WHEN LONG SUBPARTITION NAME · 55a2babc
      Jon Olav Hauglid authored
                    IS USED IN CREATE TABLE
      
      The problem was that using a very long subpartition name could
      lead to the server exiting abnormally.
      
      This patch fixes the problem by reporting ER_TOO_LONG_IDENT
      if a name with more than 64 characters are used as partition
      and subpartition name.
      55a2babc
    • Sivert Sorumgard's avatar
      Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE · 8dc64211
      Sivert Sorumgard authored
      [This is the 5.5/5.6 version of the bugfix].
      
      The problem was that it was possible to write log files ending
      in .ini/.cnf that later could be parsed as an options file.
      This made it possible for users to specify startup options
      without the permissions to do so.
      
      This patch fixes the problem by disallowing general query log
      and slow query log to be written to files ending in .ini and .cnf.
      8dc64211
  28. 19 Aug, 2016 1 commit
    • Jon Olav Hauglid's avatar
      Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE · 033b1191
      Jon Olav Hauglid authored
      During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
      is created. When repair finishes, this file is renamed to the original
      .MYD file. The problem was that during this rename, we copied the
      stats from the old file to the new file with chmod/chown. If a user
      managed to replace the temporary file before chmod/chown was executed,
      it was possible to get an arbitrary file with the privileges of the
      mysql user.
      
      This patch fixes the problem by not copying stats from the old
      file to the new file. This is not needed as the new file was
      created with the correct stats. This fix only changes server
      behavior - external utilities such as myisamchk still does
      chmod/chown.
      
      No test case provided since the problem involves synchronization
      with file system operations.
      033b1191