| author | Venkata Sidagam <venkata.sidagam@oracle.com> | 2013-10-16 14:14:44 +0530 |
|---|---|---|
| committer | Venkata Sidagam <venkata.sidagam@oracle.com> | 2013-10-16 14:14:44 +0530 |
| commit | de0e8a02d18b4593e11b282b7c8641603b7cbfe9 (patch) | |
| tree | af13313bb13a0ad881bb6d87d380f2471f867958 /sql/time.cc | |
| parent | 3399194cefc7fcffcba4c304bbb3badec1afc21e (diff) | |
| download | mariadb-git-de0e8a02d18b4593e11b282b7c8641603b7cbfe9.tar.gz | |
Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE

Description: Fix for bug CVE-2012-5611 (bug 67685) is
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and
check_grant_db() can be overflown by up to two bytes. That's
probably not enough to do anything more serious than crashing
mysqld.

Analysis: In acl_get() when "copy_length" is calculated it
is just adding the variable lengths. But when we are using them
with strmov() we are adding +1 to each. This will lead to a
three byte buffer overflow (i.e. two +1's at strmov() and one
byte for the null added by strmov() function). Similarly it
happens for check_grant_db() function as well.

Fix: We need to add "+2" to "copy_length" in acl_get()
and "+1" to "copy_length" in check_grant_db().
Diffstat (limited to 'sql/time.cc')
0 files changed, 0 insertions, 0 deletions
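The sizing mistake the commit message describes, worked through as an added example in C. This is not MariaDB's code: `strmov_like` is a stand-in for the `strmov()` the message refers to (copy and return a pointer to the NUL written), `KEY_BUF_LEN` is a constructed stand-in for `ACL_KEY_LENGTH`, the three-component key layout `a\0b\0c\0` and the guard form `copy_length + 1 <= buffer size` are assumptions made for illustration, and the component strings are constructed so that their lengths sum to 7. The point it shows is the one from the analysis: summing the component lengths undercounts by one byte per separator the chained `strmov()` calls skip, so a guard built on that sum accepts a buffer the builder then overruns by two bytes, and the corrected sum (the "+2" for a three-part key, "+1" for a two-part key as in check_grant_db()) makes the guard reject it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the ACL_KEY_LENGTH-sized buffer; the value is chosen for the
   example and is not MariaDB's constant. */
#define KEY_BUF_LEN 16

/* Minimal stand-in for the strmov() named in the commit message: copies src
   into dst and returns a pointer to the NUL it wrote, so calls can be chained. */
static char *strmov_like(char *dst, const char *src)
{
    while ((*dst = *src) != '\0') {
        dst++;
        src++;
    }
    return dst;
}

/* Pre-fix sizing: the sum of the component lengths and nothing else. */
size_t copy_length_before_fix(const char *a, const char *b, const char *c)
{
    return strlen(a) + strlen(b) + strlen(c);
}

/* Post-fix sizing for a three-component key: the "+2" accounts for the two
   separator bytes the strmov() chain steps over with its "+1"s. */
size_t copy_length_after_fix(const char *a, const char *b, const char *c)
{
    return strlen(a) + strlen(b) + strlen(c) + 2;
}

/* Bytes the builder really touches: three components, two separator bytes
   and the final NUL written by the last strmov(). */
size_t bytes_written_by_builder(const char *a, const char *b, const char *c)
{
    return strlen(a) + 1 + strlen(b) + 1 + strlen(c) + 1;
}

/* Assumed guard form "copy_length + 1 <= buffer size", evaluated with the
   pre-fix arithmetic: returns 1 if it would let the copy go ahead. */
int old_guard_accepts(size_t buflen, const char *a, const char *b, const char *c)
{
    return copy_length_before_fix(a, b, c) + 1 <= buflen;
}

/* The same guard with the corrected arithmetic. */
int key_fits(size_t buflen, const char *a, const char *b, const char *c)
{
    return copy_length_after_fix(a, b, c) + 1 <= buflen;
}

/* Builds "a\0b\0c\0" into buf with the chained strmov() pattern, but only
   when the corrected guard says it fits. Returns the number of bytes written
   (including the terminating NUL), or 0 if the key was rejected. */
size_t build_key(char *buf, size_t buflen, const char *a, const char *b, const char *c)
{
    if (!key_fits(buflen, a, b, c))
        return 0;
    char *end = strmov_like(strmov_like(strmov_like(buf, a) + 1, b) + 1, c);
    return (size_t)(end - buf) + 1;
}

int main(void)
{
    /* Constructed components whose lengths sum to 7: a buffer of 8 passes the
       old guard (7 + 1 <= 8) while the builder actually writes 10 bytes. */
    const char *host = "abc", *user = "de", *db = "fg";
    size_t small = 8;

    printf("old guard accepts buffer of %zu: %d\n", small,
           old_guard_accepts(small, host, user, db));
    printf("bytes really written: %zu (overrun of %zu)\n",
           bytes_written_by_builder(host, user, db),
           bytes_written_by_builder(host, user, db) - small);
    printf("corrected guard accepts buffer of %zu: %d\n", small,
           key_fits(small, host, user, db));

    char key[KEY_BUF_LEN];
    size_t n = build_key(key, sizeof key, host, user, db);
    printf("built %zu-byte key into %d-byte buffer\n", n, KEY_BUF_LEN);
    return 0;
}
```

The useful habit this illustrates for review: derive the required size from the same expression that performs the writes (here, one byte per component plus one per separator plus the NUL), rather than summing the inputs and hoping the builder adds nothing of its own.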