Bug #28499: 27337 *not* fixed in 5.0.40
Submitted: 17 May 2007 16:33    Modified: 19 May 2007 12:32
Reporter: sean finney    Email Updates:
Status: Not a Bug    Impact on me: None
Category: MySQL Server: Security: Privileges    Severity: S1 (Critical)
Version: 5.0.41    OS: Linux (debian gnu/linux)
Assigned to:    CPU Architecture: Any

[17 May 2007 16:33] sean finney
Description:
sorry if i'm breaking protocol by opening a new bug when i should be following up on a closed bug, but wasn't sure if anyone would receive comments on a closed bug or not.  so....

just fyi CVE-2007-2692 as well as the info in #27337 state that this bug is fixed in 5.0.40, but on my 5.0.41 system i can reproduce the bug:

copelandia[~]18:15:25$ mysql -u u1 db2
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.0.41-Debian_2-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table t1(c int);
ERROR 1142 (42000): CREATE command denied to user 'u1'@'localhost' for table 't1'
mysql> call db1.p1();
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

mysql> create table t1(c int);
Query OK, 0 rows affected (0.01 sec)

furthermore, the changeset given in the mentioned br does not cleanly apply against 41:

patching file sql/mysql_priv.h
Hunk #1 succeeded at 965 with fuzz 2 (offset 10 lines).
patching file sql/sql_db.cc
Hunk #1 FAILED at 1308.
1 out of 1 hunk FAILED -- saving rejects to file sql/sql_db.cc.rej
patching file sql/sql_parse.cc
Hunk #1 succeeded at 2234 (offset -3 lines).
Hunk #2 succeeded at 2243 (offset -3 lines).
Hunk #3 succeeded at 2255 (offset -3 lines).
Hunk #4 succeeded at 2282 (offset -3 lines).
Hunk #5 succeeded at 2325 (offset -3 lines).
Hunk #6 succeeded at 5396 (offset 19 lines).
Hunk #7 succeeded at 5533 (offset 19 lines).
patching file sql/sql_show.cc
Hunk #1 succeeded at 2151 (offset 3 lines).

namely wrt sql_db.cc, the changeset is a diff against other uncommitted changes to sql_db.cc. you can see in the context that an attempted fix for this bug was added in a seemingly unrelated commit earlier:

http://lists.mysql.com/commits/23056

which is lumped together with another couple hundred lines of diff.

given that the latest GA release is still vulnerable, would it be possible to get a changeset/patch with only the changes needed to fix this?

thanks!

How to repeat:
follow instructions in #27337
[17 May 2007 20:15] Sveta Smirnova
Thank you for the report.

Bug #27337 has been fixed in version 5.0.42 and not in MySQL 5.0.41. So I mark this report as "Not a Bug".

The note about the fix of bug #27337 in 5.0.40 was made by mistake. Simply ignore it.
[18 May 2007 12:36] Sergei Golubchik
just fyi - we do receive comments on closed bugs :)
[19 May 2007 12:32] sean finney
hi sveta, sergei,

thanks for following up on this.  i'll remove that hunk from the patch and follow up if there are any more problems.

wrt 5.0.42, is there any timeline for releasing it?  i.e. if it's going to be more than a few days i'll include the fix in an updated 5.0.41, which i uploaded to debian unstable last weekend, but if it's coming out any day i might as well just wait :)