Commit graph

2105 commits

Author SHA1 Message Date
Sergei Golubchik
82563c5fc0 MDEV-20110 don't try to load client plugins with invalid names
reported by lixtelnis
2019-07-21 19:47:44 +02:00
Vicențiu Ciorbaru
5543b75550 Update FSF Address
* Update wrong zip-code
2019-05-11 21:29:06 +03:00
Sergei Golubchik
da0e00e710 Bug#28986737: RENAMING AND REPLACING MYSQL.USER TABLE CAN LEAD TO A SERVER CRASH 2019-04-25 21:43:31 +02:00
Sergei Golubchik
822071ca5b MDEV-18241 Downgrade from 10.4 to 10.3 crashes
privilege tables can never be views or temporary tables,
don't even try to open them, if they are.
2019-04-24 11:15:38 +02:00
Sergei Golubchik
66099b8f2d cleanup 2019-04-24 11:15:38 +02:00
Sergei Golubchik
14ddcb1ff2 Bug#27407480: AUTOMATIC_SP_PRIVILEGES REQUIRES NEED THE INSERT PRIVILEGES FOR MYSQL.USER TABLE
A test case and a followup fix
2018-09-04 08:31:46 +02:00
Oleksandr Byelkin
fceda2dab6 Merge remote-tracking branch 'mysql/5.5' into 5.5
We do not accept:
1. We did not have this problem (fixed earlier and better)
 d982e717ab Bug#27510150: MYSQLDUMP FAILS FOR SPECIFIC --WHERE CLAUSES
2. We do not have such options (an DBUG_ASSERT put just in case)
 bbc2e37fe4 Bug#27759871: BACKRONYM ISSUE IS STILL IN MYSQL 5.7
3. Serg fixed it in other way in this release:
 e48d775c6f Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY
2018-07-29 13:10:29 +02:00
Arun Kuruvila
6d570d7296 Bug#27230925: HANDLE_FATAL_SIGNAL (SIG=11) IN
SHOW_ROUTINE_GRANTS


Description :- Server crashes in show_routine_grants().

Analysis :- When "grant_reload_procs_priv" encounters
an error, the grant structures (structures with column,
function and procedure privileges) are freed. Server
crashes when trying to access these structures later.

Fix :- Grant structures are retained even when
"grant_reload_procs_priv()" encounters an error while
reloading column, function and procedure privileges.
2018-05-10 10:14:30 +05:30
Sergei Golubchik
fab383aac0 Use after free in authentication 2018-05-01 00:30:17 +02:00
Arun Kuruvila
a08508abf8 Bug#27407480: AUTOMATIC_SP_PRIVILEGES REQUIRES NEED THE
INSERT PRIVILEGES FOR MYSQL.USER TABLE

Description:- Incorrect granting of EXECUTE and ALTER
ROUTINE privileges when the 'automatic_sp_privileges'
variable is set.

Fix:- EXECUTE and ALTER ROUTINE privileges are correctly
granted to the creator of the procedure when the
'automatic_sp_privileges' is SET.
2018-04-24 10:02:04 +05:30
Sergei Golubchik
1a019d0801 Merge branch 'mysql/5.5' into 5.5 2018-04-19 22:31:26 +02:00
Karthik Kamath
9e1035c64f BUG#26881798: SERVER EXITS WHEN PRIMARY KEY IN MYSQL.PROC
IS DROPPED

ANALYSIS:
=========
It is advised not to tamper with the system tables.
When primary key is dropped from a system table, certain
operations on the table which tries to access the table key
information may lead to server exit.

FIX:
====
An appropriate error is now reported in such a case.
2017-12-05 19:49:59 +05:30
Sergei Golubchik
199f88cb9c MDEV-5999 MySQL Bug#12766319 - 61865: RENAME USER DOES NOT WORK CORRECTLY - REQUIRES FLUSH PRIVILEGES
use update_hostname() to update the hostname.
test case comes from

  commit 0abdeed1d6d
  Author: gopal.shankar@oracle.com <>
  Date:   Thu Mar 29 00:20:54 2012 +0530

    Bug#12766319 - 61865: RENAME USER DOES NOT WORK CORRECTLY -
                          REQUIRES FLUSH PRIVILEGES
2017-02-27 12:35:10 +01:00
Arun Kuruvila
3a37745ca0 2016-11-28 11:55:36 +05:30
Arun Kuruvila
aeab9d6b41 Bug#23303391: HANDLE_FATAL_SIGNAL (SIG=11) IN ALLOC_QUERY
USING CHARACTER-SET-SERVER=UTF16

This is a backport of Bug#15985752 to mysql-5.5
2016-08-29 11:41:50 +05:30
Sergei Golubchik
b069d19284 Merge branch 'mysql/5.5' into 5.5 2016-04-20 15:25:55 +02:00
Sergei Golubchik
cc04a9fc0f MDEV-9835 Valid password is not working after server restart
On SET PASSWORD if the plugin is mysql_native_password
or mysql_old_password, do reset plugin and auth_str
fields.
2016-04-19 11:27:00 +02:00
Arun Kuruvila
447eaa5bc0 2016-02-23 11:54:59 +05:30
Sergei Golubchik
abf9d35213 Merge branch 'mysql/5.5' into 5.5 2015-12-09 10:00:49 +01:00
Arun Kuruvila
3846b08552 Bug #21602056 : CONCURRENT FLUSH PRIVILEGES + REVOKE/GRANT
CRASHES IN WILD_CASE_COMPARE!

Description:- Executing FLUSH PRIVILEGES and REVOKE/
GRANT concurrently crashes the server.

Analysis:- Concurrent FLUSH PRIVILEGES and REVOKE/GRANT
might trigger a small time frame in which REVOKE/GRANT
fetches the "acl_proxy_user" information as a part of
"acl_check_proxy_grant_access()". Meanwhile FLUSH PRIVILEGES
deletes the old acl structures as a part of "acl_reload()".
After which REVOKE/GRANT tries to access the hostname in
"wild_case_compare()" which leads to a crash because of the
invalid memory access.

Fix:- Mutex lock on "acl_cache" is acquired before fetching
"acl_proxy_user" information in
"acl_check_proxy_grant_access()".
2015-10-14 11:08:49 +05:30
Sergei Golubchik
82e9f6d948 Merge remote-tracking branch 'mysql/5.5' into 5.5 2015-10-08 22:54:24 +02:00
Sreeharsha Ramanavarapu
6fb2cdbc74 Bug #20777016: DELETE CHECKS PRIVILEGES ON THE WRONG
DATABASE WHEN USING TABLE ALIASES

Issue:
-----
When using table aliases for deleting, MySQL checks
privileges against the current database and not the
privileges on the actual table or database the table
resides.


SOLUTION:
---------
While checking privileges for multi-deletes,
correspondent_table should be used since it points to the
correct table and database.
2015-07-13 07:51:23 +05:30
Arun Kuruvila
c9a38e8698 Merge branch 'mysql-5.1' into mysql-5.5 2015-04-28 14:58:01 +05:30
Arun Kuruvila
fdae90dd11 Bug #20181776 :- ACCESS CONTROL DOESN'T MATCH MOST SPECIFIC
HOST WHEN IT CONTAINS WILDCARD

Description :- Incorrect access privileges are provided to a
user due to wrong sorting of users when wildcard characters
is present in the hostname.

Analysis :- Function "get_sorts()" is used to sort the
strings of user name, hostname, database name. It is used
to arrange the users in the access privilege matching order.
When a user connects, it checks in the sorted user access
privilege list and finds a corresponding matching entry for
the user. Algorithm used in "get_sort()" sorts the strings
inappropriately. As a result, when a user connects to the
server, it is mapped to incorrect user access privileges.
Algorithm used in "get_sort()" counts the number of
characters before the first occurence of any one of the
wildcard characters (single-wildcard character '_' or
multi-wildcard character '%') and sorts in that order.
As a result of inconnect sorting it treats hostname "%" and
"%.mysql.com" as equally-specific values and therefore
the order is indeterminate.

Fix:- The "get_sort()" algorithm has been modified to treat
"%" seperately. Now "get_sort()" returns a number which, if
sorted in descending order, puts strings in the following
order:-
* strings with no wildcards
* strings containg wildcards and non-wildcard characters
* single muilt-wildcard character('%')
* empty string.
2015-04-28 14:56:55 +05:30
V S Murthy Sidagam
7797ef4dec Merge branch 'mysql-5.1' into mysql-5.5 2015-04-27 14:46:40 +05:30
V S Murthy Sidagam
c655515d1b Bug #20683237 BACKPORT 19817663 TO 5.1 and 5.5
Restrict when user table hashes can be viewed. Require SUPER privileges.
2015-04-27 14:33:25 +05:30
Sergey Vojtovich
d1e46a50bc MDEV-6749 - Deadlock between GRANT/REVOKE, SELECT FROM I_S.COLUMNS,
SET slow_query_log and failed connection attempt

A very subtle though valid deadlock. Deadlock chain:
wrlock(LOCK_grant)    -> lock(acl_cache->lock) GRANT/REVOKE CREATE/DROP USER
lock(LOCK_open)       -> rdlock(LOCK_grant)    SELECT * FROM I_S.COLUMNS
wrlock(LOCK_logger)   -> lock(LOCK_open)       SET @@global.slow_query_log='ON'
lock(acl_cache->lock) -> rdlock(LOCK_logger)   Failed connection

Fixed by removing relationship between acl_cache->lock and LOCK_logger
during failed connection attempt.
2014-09-18 19:45:06 +04:00
Venkata Sidagam
3bba29a397 Bug #17357528 BACKPORT BUG#16513435 TO 5.5 AND 5.6
Description: Backporting BUG#16513435 to 5.5 and 5.6
This is a fix for REMOTE PREAUTH USER ENUMERATION FLAW bug
2014-06-30 19:24:25 +05:30
Sergei Golubchik
5d8c15228e 5.3-merge 2014-03-16 19:21:37 +01:00
Sergei Golubchik
a0ea960c3e 5.2 merge 2014-03-13 18:36:52 +01:00
Sergei Golubchik
5616bd5597 unix_socket bypasses make_if_fail by not doing any network reads 2014-03-13 16:35:14 +01:00
Sergei Golubchik
84651126c0 MySQL-5.5.36 merge
(without few incorrect bugfixes and with 1250 files where only a copyright year was changed)
2014-02-17 11:00:51 +01:00
Murthy Narkedimilli
c92223e198 Updated/added copyright headers 2014-01-06 10:52:35 +05:30
Murthy Narkedimilli
496abd0814 Updated/added copyright headers 2014-01-06 10:52:35 +05:30
Venkata Sidagam
e84d48742e Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE
Merging from mysql-5.1 to mysql-5.5
2013-10-16 14:16:32 +05:30
Venkata Sidagam
f8e2765582 Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE
Merging from mysql-5.1 to mysql-5.5
2013-10-16 14:16:32 +05:30
Venkata Sidagam
9fc5122471 Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE
Description: Fix for bug CVE-2012-5611 (bug 67685) is 
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
check_grant_db() can be overflown by up to two bytes. That's 
probably not enough to do anything more serious than crashing 
mysqld.
Analysis: In acl_get() when "copy_length" is calculated it 
just adding the variable lengths. But when we are using them 
with strmov() we are adding +1 to each. This will lead to a 
three byte buffer overflow (i.e two +1's at strmov() and one 
byte for the null added by strmov() function). Similarly it 
happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() 
and "+1" to "copy_length" in check_grant_db().
2013-10-16 14:14:44 +05:30
Venkata Sidagam
de0e8a02d1 Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE
Description: Fix for bug CVE-2012-5611 (bug 67685) is 
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
check_grant_db() can be overflown by up to two bytes. That's 
probably not enough to do anything more serious than crashing 
mysqld.
Analysis: In acl_get() when "copy_length" is calculated it 
just adding the variable lengths. But when we are using them 
with strmov() we are adding +1 to each. This will lead to a 
three byte buffer overflow (i.e two +1's at strmov() and one 
byte for the null added by strmov() function). Similarly it 
happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() 
and "+1" to "copy_length" in check_grant_db().
2013-10-16 14:14:44 +05:30
Sergei Golubchik
d126993404 MDEV-4951 drop user leaves privileges
It's safe to delete from HASH when traversing it *backwards*, but not *forwards*.
2013-08-28 07:49:53 +02:00
Sergei Golubchik
005c7e5421 mysql-5.5.32 merge 2013-07-16 19:09:54 +02:00
Ashish Agarwal
e879caf845 WL#7076: Backporting wl6715 to support both formats in 5.5, 5.6, 5.7
Backporting wl6715 to mysql-5.5
2013-07-02 11:58:39 +05:30
Ashish Agarwal
f5b5e6b951 WL#7076: Backporting wl6715 to support both formats in 5.5, 5.6, 5.7
Backporting wl6715 to mysql-5.5
2013-07-02 11:58:39 +05:30
Sergei Golubchik
d7a6c801ac 5.3 merge.
change maria.distinct to use a function that doesn't require ssl-enabled  builds
2013-05-20 12:36:30 +02:00
Sergei Golubchik
639a766096 5.2 merge 2013-05-20 11:13:07 +02:00
Sergei Golubchik
66cc619609 MDEV-4514 After increasing user name length mysql.db is reported broken and event scheduler does not start 2013-05-13 16:11:39 +02:00
Sergei Golubchik
4a0f2563d3 MDEV-4462 mysqld gets SIGFPE when mysql.user table is empty
avoid divison by zero
2013-05-08 14:32:32 +02:00
Sergei Golubchik
84ce6832e6 MDEV-4332 Increase username length from 16 characters 2013-04-18 22:17:29 +02:00
Sergei Golubchik
07315d3603 strmake_buf(X,Y) helper, equivalent to strmake(X,Y,sizeof(X)-1)
with a bit of lame protection against abuse.
2013-04-17 19:42:34 +02:00
Sergei Golubchik
102a7a2a76 MDEV-4307 Support at least 48 utf8 characters in username in server and PAM
Extend plugin auth api to support up to 512 bytes in the user names.
Use the API versioning to support old auth plugins too!
2013-03-26 19:17:26 +01:00
Murthy Narkedimilli
8afe262ae5 Fix for Bug 16395495 - OLD FSF ADDRESS IN GPL HEADER 2013-03-19 15:53:48 +01:00