Bug #49124 Security issue with /*!-versioned */ SQL statements on Slave
Submitted: 26 Nov 2009 6:56 Modified: 28 Jan 2011 12:20
Reporter: Libing Song
Status: Closed
Category: MySQL Server: Replication Severity: S3 (Non-critical)
Version: any, 5.0.86, 5.1.43 OS: Any
Assigned to: Libing Song CPU Architecture: Any
Triage: Needs Triage: D1 (Critical) / R1 (None/Negligible)

[26 Nov 2009 6:56] Libing Song
Description:
  /*!50200 Query Code */ is a special comment; it can be executed on those servers whose version is larger than the version appearing in the comment.
  It leads to a security issue when the slave's version is larger than the master's. A malicious user can improve his privileges on slaves; he/she can even execute any query on the slave, because the slave SQL thread is running in super mode, so it can execute all queries which are replicated from the master.

How to repeat:
1. Set up replication. The slave's version must be larger than the master's. Set binlog-format to statement.
2. On the master:
   CREATE TABLE t1(c1 INT);
   CREATE USER 'user1'@'localhost';
   GRANT UPDATE ON t1 TO 'user1'@'localhost';

3. Connect to the master as 'user1'.
   # This statement will fail because user1 does not have the privilege.
   UPDATE mysql.user SET mysql.user.Super_priv='Y';
   # But user1 can execute a statement like this if the master's version is lower than 50200. Only t1 is updated, but the whole statement is binlogged.
   UPDATE t1 /*!50200 , mysql.user */ SET t1.c1=1 /*!50200 , mysql.user.Super_priv='Y' */;
4. On the slave:
   # The following log event will be executed and mysql.user updated if the slave's version is larger than 50200. user1 now has super privileges on the slave.
   UPDATE t1 /*!50200 , mysql.user */ SET t1.c1=1 /*!50200 , mysql.user.Super_priv='Y' */;

Suggested fix:
1. If a special comment is not executed on the master, it should not be binlogged.
[23 Dec 2009 16:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/95564

2822 Li-Bing.Song@sun.com	2009-12-24
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      Except for the special comments which have been executed on the master, all other
      comments (#, --, /**/, /*!9000 not executed on master*/) are deleted
      from the binlog queries.
[24 Dec 2009 7:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/95640

2830 Li-Bing.Song@sun.com	2009-12-24
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      Except for the special comments which have been executed on the master, all other
      comments (#, --, /**/, /*!9000 not executed on master*/) are deleted
      from the binlog queries.
[30 Dec 2009 4:48] Libing Song
After my analysis, the patch shall be a bit complex. So I set Risk as R3.
Please reassess whether it is worthy to fix it on mysql5.0 and lower version.
[6 Jan 2010 14:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/96130

2830 Li-Bing.Song@sun.com	2010-01-06
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      This bug is fixed with the logic below:
      Even though the slave's version is larger than the special comments' version,
      they are not executed on the slave if their versions are larger than the master's
      version, which appears in FORMAT_DESCRIPTION_EVENT.
[7 Jan 2010 9:29] Libing Song
There is another way to fix this bug. It is easier and risk free.
[7 Jan 2010 9:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/96228

2830 Li-Bing.Song@sun.com	2010-01-07
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      This bug is fixed with the logic below:
      Even though the slave's version is larger than the special comments' version,
      they are not executed on the slave if their versions are larger than the master's
      version, which appears in FORMAT_DESCRIPTION_EVENT.
[21 Jan 2010 4:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/97676

2841 Li-Bing.Song@sun.com	2010-01-21
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      This bug is fixed with the logic below:
      Even though the slave's version is larger than the special comments' version,
      they are not executed on the slave if their versions are larger than the master's
      version, which appears in FORMAT_DESCRIPTION_EVENT.
[30 Jan 2010 15:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/98712

3343 Li-Bing.Song@sun.com	2010-01-30
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
            
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      This bug is fixed with the logic below:
      - If the clause in a special comment is executed on the master, only
        '/*!VERSION' and '*/' are removed; the clause is kept.
      - If the clause in a special comment is not executed on the master, the whole
        comment is removed from the binlog query.
[24 Feb 2010 8:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/101295

3348 Li-Bing.Song@sun.com	2010-02-24
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
            
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose version is larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves; he/she can even execute any query on the slave,
      because the slave SQL thread is running in super mode, so it can execute
      all queries which are replicated from the master.

      This bug is fixed with the logic below:
      The master's version is added into the query log event as a variable.
      When applying a query log event, the special comments will be
      executed only when their version is larger than both the master's
      and the slave's version.
      For the log events before the patch for BUG#49124, the master's
      version is not written into the query log event. We see the version in
      FORMAT_DESCRIPTION_EVENT as the master's version.
[7 Mar 2010 13:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/102512

3369 Li-Bing.Song@sun.com	2010-03-07
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
            
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      The master's version is added into the query log event as a status variable.
      When applying a query log event, the special comments will be
      executed only when the master's version recorded in the event and the slave's
      are both larger than the version in the special comments.

      For the log events before the patch for BUG#49124, the master's
      version is not written into the query log event. We use the version in
      FORMAT_DESCRIPTION_EVENT as the master's version.
[18 Mar 2010 10:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/98712
[12 May 2010 11:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/108107

3378 Li-Bing.Song@sun.com	2010-05-12
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
            
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      For the statements which have at least one version comment not existing on the master:
      - Strip the whole version comments (including '/*!xxxxxx' and '*/') which
        are not executed on the master.
      - Strip only '/*!xxxxxx' and '*/'; the clause in the comments is kept.

        example:        INSERT /*!10000 INTO t1 */ /*!99999 ,t2 */ VALUES(1)
        is binlogged as INSERT INTO t1 VALUES(1)

      For others, the original statements are binlogged.
        example:        INSERT /*!10000 INTO t1 */ VALUES(1)
        is binlogged as INSERT /*!10000 INTO t1 */ VALUES(1)
[17 May 2010 3:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/108419

3378 Li-Bing.Song@sun.com	2010-05-17
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
            
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      - Strip the whole version comments (including '/*!xxxxxx' and '*/') which
        are not executed on the master.
      - Strip only '/*!xxxxxx' and '*/'; the clause in the comments is kept.

        example:        INSERT /*!10000 INTO t1 */ /*!99999 ,t2 */ VALUES(1)
        is binlogged as INSERT INTO t1 VALUES(1)
[6 Jun 2010 15:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/110299

3416 Li-Bing.Song@sun.com	2010-06-06
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
                  
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      - Strip the whole version comments (including '/*!xxxxxx' and '*/') which
        are not executed on the master.
      - Strip only '/*!xxxxxx' and '*/'; the clause in the comments is kept.

        example:        INSERT /*!10000 INTO t1 */ /*!99999 ,t2 */ VALUES(1)
        is binlogged as INSERT INTO t1 VALUES(1)
     @ sql/events.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/item.cc
        Add pos_in_binlog_query to record the params position in cpp_query.
     @ sql/item.h
        Add pos_in_binlog_query to record the params position in cpp_query.
     @ sql/sp.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_acl.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_class.h
        Add get_binlog_query() and variable binlog_query_string.
     @ sql/sql_db.cc
        Remove thd->query() to simplify the call of write_bin_log.
        Use thd->get_binlog_query() instead of thd->query().
     @ sql/sql_delete.cc
        Remove thd->query() to simplify the call of write_bin_log and binlog_query.
     @ sql/sql_insert.cc
        Remove thd->query() to simplify the call of binlog_query.
     @ sql/sql_lex.cc
        Initialize cpp_query.
     @ sql/sql_lex.h
        Define cpp_query.
     @ sql/sql_parse.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_partition.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_prepare.cc
        Expand binlog_query if there are some question marks in it.
     @ sql/sql_rename.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_table.cc
        Remove thd->query() to simplify the call of binlog_query and write_bin_log.
     @ sql/sql_tablespace.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_trigger.cc
        Use thd->get_binlog_query() instead of thd->query().
     @ sql/sql_udf.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_update.cc
        Remove thd->query() to simplify the call of binlog_query.
     @ sql/sql_view.cc
        Remove thd->query() to simplify the call of write_bin_log.
     @ sql/sql_yacc.yy
        Set cpp_query.
[24 Jun 2010 10:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112045

3438 Li-Bing.Song@sun.com	2010-06-24
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      - Use '#' instead of '!' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*#99999 ,(3)*/
[1 Jul 2010 9:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112654

3455 Li-Bing.Song@sun.com	2010-07-01
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment: the query in it can
      be executed on those servers whose versions are larger than the
      version appearing in the comment. It leads to a security issue when
      the slave's version is larger than the master's. A malicious user can improve
      his privileges on slaves, because the slave SQL thread is running with
      SUPER privileges, so it can execute queries that he/she does not have
      privileges for on the master.

      This bug is fixed with the logic below:
      - Use ' ' instead of '!' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
[15 Jul 2010 5:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/113649

3455 Li-Bing.Song@sun.com	2010-07-15
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5
      digits representing the MySQL server version (e.g. /*!50200 ... */),
      is a special comment: the query in it can be executed on those
      servers whose versions are larger than the version appearing in the
      comment. It leads to a security issue when the slave's version is larger
      than the master's. A malicious user can improve his privileges on slaves,
      because the slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges for on the master.

      This bug is fixed with the logic below:
      - Replace '!' with ' ' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
     @ mysql-test/suite/rpl/t/rpl_conditional_comments.test
        Test the patch for this bug.
     @ sql/mysql_priv.h
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_lex.cc
        To replace '!' with ' ' in the magic comments which are not applied on
        master.
     @ sql/sql_lex.h
        Remove the const limitation on parameter buff, as it can be modified in the function since
        this patch.
        Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer.
     @ sql/sql_parse.cc
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_partition.cc
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/sql_partition.h
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/table.h
        Remove the const limitation on variable partition_info, as it can be modified since
        this patch.
[23 Jul 2010 5:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114202

3499 Li-Bing.Song@sun.com	2010-07-23
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5
      digits representing the MySQL server version (e.g. /*!50200 ... */),
      is a special comment: the query in it can be executed on those
      servers whose versions are larger than the version appearing in the
      comment. It leads to a security issue when the slave's version is larger
      than the master's. A malicious user can improve his privileges on slaves,
      because the slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges for on the master.

      This bug is fixed with the logic below:
      - Replace '!' with ' ' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
     @ mysql-test/suite/rpl/t/rpl_conditional_comments.test
        Test the patch for this bug.
     @ sql/mysql_priv.h
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_lex.cc
        To replace '!' with ' ' in the magic comments which are not applied on
        master.
     @ sql/sql_lex.h
        Remove the const limitation on parameter buff, as it can be modified in the function since
        this patch.
        Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer.
     @ sql/sql_parse.cc
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_partition.cc
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/sql_partition.h
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/table.h
        Remove the const limitation on variable partition_info, as it can be modified since
        this patch.
[25 Jul 2010 3:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114297

3456 Li-Bing.Song@sun.com	2010-07-25
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5
      digits representing the MySQL server version (e.g. /*!50200 ... */),
      is a special comment: the query in it can be executed on those
      servers whose versions are larger than the version appearing in the
      comment. It leads to a security issue when the slave's version is larger
      than the master's. A malicious user can improve his privileges on slaves,
      because the slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges for on the master.

      This bug is fixed with the logic below:
      - Replace '!' with ' ' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
     @ mysql-test/suite/rpl/t/rpl_conditional_comments.test
        Test the patch for this bug.
     @ sql/mysql_priv.h
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_lex.cc
        To replace '!' with ' ' in the magic comments which are not applied on
        master.
     @ sql/sql_lex.h
        Remove the const limitation on parameter buff, as it can be modified in the function since
        this patch.
        Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer.
     @ sql/sql_parse.cc
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_partition.cc
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/sql_partition.h
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/table.h
        Remove the const limitation on variable partition_info, as it can be modified since
        this patch.
[25 Jul 2010 3:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114298

3456 Li-Bing.Song@sun.com	2010-07-25
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5
      digits representing the MySQL server version (e.g. /*!50200 ... */),
      is a special comment: the query in it can be executed on those
      servers whose versions are larger than the version appearing in the
      comment. It leads to a security issue when the slave's version is larger
      than the master's. A malicious user can improve his privileges on slaves,
      because the slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges for on the master.

      This bug is fixed with the logic below:
      - Replace '!' with ' ' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
      
      ******
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5
      digits representing the MySQL server version (e.g. /*!50200 ... */),
      is a special comment: the query in it can be executed on those
      servers whose versions are larger than the version appearing in the
      comment. It leads to a security issue when the slave's version is larger
      than the master's. A malicious user can improve his privileges on slaves,
      because the slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges for on the master.

      This bug is fixed with the logic below:
      - Replace '!' with ' ' in the magic comments which are not applied on the
        master, so they become common comments and will not be applied on the slave.

      - Example:
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
     @ mysql-test/suite/rpl/t/rpl_conditional_comments.test
        Test the patch for this bug.
     @ sql/mysql_priv.h
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_lex.cc
        To replace '!' with ' ' in the magic comments which are not applied on
        master.
     @ sql/sql_lex.h
        Remove the const limitation on parameter buff, as it can be modified in the function since
        this patch.
        Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer.
     @ sql/sql_parse.cc
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_partition.cc
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/sql_partition.h
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/table.h
        Remove the const limitation on variable partition_info, as it can be modified since
        this patch.
[29 Jul 2010 2:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114578

3459 Li-Bing.Song@sun.com	2010-07-29
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*![:version:] Query Code */, where [:version:] is a sequence of 5 
      digits representing the mysql server version(e.g /*!50200 ... */),
      is a special comment that the query in it can be executed on those 
      servers whose versions are larger than the version appearing in the 
      comment. It leads to a security issue when slave's version is larger 
      than master's. A malicious user can improve his privileges on slaves. 
      Because slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges on master.
      
      This bug is fixed with the logic below: 
      - To replace '!' with ' ' in the magic comments which are not applied on
        master. So they become common comments and will not be applied on slave.
      
      - Example:
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/'
        will be binlogged as
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/'
     @ mysql-test/suite/rpl/t/rpl_conditional_comments.test
        Test the patch for this bug.
     @ sql/mysql_priv.h
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_lex.cc
        To replace '!' with ' ' in the magic comments which are not applied on
        master.
     @ sql/sql_lex.h
        Remove the const limitation on parameter buff, as it can be modified in the function since
        this patch.
        Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer.
     @ sql/sql_parse.cc
        Rename inBuf as rawBuf and remove the const limitation.
     @ sql/sql_partition.cc
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/sql_partition.h
        Remove the const limitation on parameter part_buff, as it can be modified in the function since
        this patch.
     @ sql/table.h
        Remove the const limitation on variable partition_info, as it can be modified since
        this patch.
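The commit message above describes the fix as a rewrite of the query text before it is written to the binary log: every `/*!NNNNN ... */` conditional comment that the master did not execute (because NNNNN is above its own version) has its `!` replaced by a space, so it becomes an ordinary comment that a newer slave will also ignore. The following is an added example that models that rewrite rule in standalone C++; it is not the patch's own code from sql_lex.cc, and the function name `neutralize_skipped_conditional_comments` and the version-number argument are this example's own. It assumes the documented MySQL rule that a versioned comment is executed when the server version is at least the number in the comment, that an unversioned `/*! ... */` is executed by every MySQL server, and it leaves text inside single- or double-quoted string literals untouched.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Added example, not the MySQL patch itself: a model of the fix's rewrite
// rule. A "/*!NNNNN ... */" comment is executed only by servers whose
// version is >= NNNNN. Before a statement is binlogged, a master running
// `server_version` turns every versioned comment it did NOT execute into a
// plain comment by replacing the '!' with ' ', so a newer slave (whose SQL
// thread runs with SUPER privileges) does not execute it either.
std::string neutralize_skipped_conditional_comments(const std::string &query,
                                                    unsigned long server_version) {
    std::string out = query;
    char quote = 0;  // delimiter of the currently open string literal, or 0
    for (size_t i = 0; i < out.size(); ++i) {
        char c = out[i];
        if (quote) {
            // Inside a string literal: skip escaped characters, close on the
            // matching delimiter, and never look for comments here.
            if (c == '\\' && i + 1 < out.size()) { ++i; continue; }
            if (c == quote) quote = 0;
            continue;
        }
        if (c == '\'' || c == '"') { quote = c; continue; }
        if (c == '/' && i + 2 < out.size() && out[i + 1] == '*' && out[i + 2] == '!') {
            // Parse up to five version digits directly after "/*!".
            size_t j = i + 3;
            unsigned long ver = 0;
            int digits = 0;
            while (j < out.size() && digits < 5 &&
                   std::isdigit(static_cast<unsigned char>(out[j]))) {
                ver = ver * 10 + static_cast<unsigned long>(out[j] - '0');
                ++j;
                ++digits;
            }
            // "/*!" with no version is run by every MySQL server: keep it as-is.
            // A versioned comment the master skipped becomes a common comment.
            if (digits == 5 && ver > server_version) out[i + 2] = ' ';
            // Jump past the comment body so quotes inside it are not treated
            // as string literals of the surrounding statement.
            size_t end = out.find("*/", j);
            if (end == std::string::npos) break;  // unterminated comment: stop
            i = end + 1;
        }
    }
    return out;
}

int main() {
    // The example from the commit message, as seen by a master below 99999.
    const std::string q = "INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/";
    std::cout << neutralize_skipped_conditional_comments(q, 50145) << "\n";
    // The statement from the bug report, as rewritten by a 5.0.86 master.
    const std::string u = "UPDATE t1 /*!50200 , mysql.user */ SET t1.c1=1 "
                          "/*!50200 , mysql.user.Super_priv='Y' */";
    std::cout << neutralize_skipped_conditional_comments(u, 50086) << "\n";
    return 0;
}
```

Run with a master version such as 50086 (5.0.86) and the report's UPDATE statement: both `/*!50200 ... */` parts come out as `/* 50200 ... */`, so a 5.1.43 slave replaying the event updates only t1, which is exactly what the master executed. With the master at 50200 or newer the comments are left intact, because the master itself executed them and the slave must too.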
[29 Jul 2010 3:31] Libing Song
Pushed into mysql-5.1-bugteam and merged into mysql-trunk-merge
[4 Aug 2010 7:50] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:09] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:25] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:04] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 9:40] Jon Stephens
Also documented in the 5.5.6 and 5.6.1 changelogs (entries unpublished pending next 5.1 release).

Closed.
[19 Aug 2010 15:39] Bugs System
Pushed into mysql-5.1 5.1.51 (revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (version source revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (merge vers: 5.1.51) (pib:20)
[14 Oct 2010 8:36] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:51] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:06] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 12:26] Jon Stephens
No new changelog entry required. Setting back to Closed state.
[5 Jan 2011 8:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/127949

2895 anders.song@greatopensource.com	2011-01-05
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      Backport to 5.0.
[15 Jan 2011 6:10] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:anders.song@greatopensource.com-20110115055624-wugtr5ao77jn70ji) (version source revid:anders.song@greatopensource.com-20110115055624-wugtr5ao77jn70ji) (merge vers: 5.6.2) (pib:24)
[15 Jan 2011 6:11] Bugs System
Pushed into mysql-5.5 5.5.10 (revid:anders.song@greatopensource.com-20110115055451-dps4tyqx1bkn7vgv) (version source revid:anders.song@greatopensource.com-20110115055451-dps4tyqx1bkn7vgv) (merge vers: 5.5.10) (pib:24)
[15 Jan 2011 6:12] Bugs System
Pushed into mysql-5.1 5.1.56 (revid:anders.song@greatopensource.com-20110115055141-99bkbyyxjqy9fey9) (version source revid:anders.song@greatopensource.com-20110115055141-99bkbyyxjqy9fey9) (merge vers: 5.1.56) (pib:24)
[15 Jan 2011 6:13] Bugs System
Pushed into mysql-5.0 5.0.93 (revid:anders.song@greatopensource.com-20110115054816-5ddwpnha5314ww73) (version source revid:anders.song@greatopensource.com-20110115054816-5ddwpnha5314ww73) (merge vers: 5.0.93) (pib:24)
[17 Jan 2011 2:58] Libing Song
Backported to mysql-5.0 and NULL merge to mysql-5.1, mysql-5.5 and mysql-trunk.
[26 Jan 2011 7:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129611

2897 Libing Song	2011-01-26
      Postfix bug#49124
      Updated the copyright.
[26 Jan 2011 7:39] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:anders.song@greatopensource.com-20110126073718-vg8fn0n5o9cnqysf) (version source revid:anders.song@greatopensource.com-20110126073718-vg8fn0n5o9cnqysf) (merge vers: 5.6.2) (pib:24)
[26 Jan 2011 7:39] Bugs System
Pushed into mysql-5.5 5.5.10 (revid:anders.song@greatopensource.com-20110126073518-rhsv61qa4oarwxoo) (version source revid:anders.song@greatopensource.com-20110126073518-rhsv61qa4oarwxoo) (merge vers: 5.5.10) (pib:24)
[26 Jan 2011 7:40] Bugs System
Pushed into mysql-5.0 5.0.93 (revid:anders.song@greatopensource.com-20110126073006-7d0q4v4ygw08281k) (version source revid:anders.song@greatopensource.com-20110126073006-7d0q4v4ygw08281k) (merge vers: 5.0.93) (pib:24)
[26 Jan 2011 7:40] Bugs System
Pushed into mysql-5.1 5.1.56 (revid:anders.song@greatopensource.com-20110126073241-ablnxa0s5noj2enw) (version source revid:anders.song@greatopensource.com-20110126073241-ablnxa0s5noj2enw) (merge vers: 5.1.56) (pib:24)
[27 Jan 2011 20:04] Jon Stephens
Also documented in the 5.0.93 changelog. 

No other changelog entries required.

Closed.
[28 Jan 2011 12:20] Jon Stephens
Already documented in the appropriate changelogs; closed.