From scheidell@secnap.net  Tue Oct  7 10:37:53 2008
Return-Path: <scheidell@secnap.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2F66A1065688
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  7 Oct 2008 10:37:53 +0000 (UTC)
	(envelope-from scheidell@secnap.net)
Received: from scanner.secnap.net (corp.secnap.com [204.89.241.135])
	by mx1.freebsd.org (Postfix) with ESMTP id F2D1E8FC25
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  7 Oct 2008 10:37:52 +0000 (UTC)
	(envelope-from scheidell@secnap.net)
Received: by scanner.secnap.net (Postfix, from userid 1001)
	id 8BAC91CF34; Tue,  7 Oct 2008 06:22:48 -0400 (EDT)
Message-Id: <20081007102248.8BAC91CF34@scanner.secnap.net>
Date: Tue,  7 Oct 2008 06:22:48 -0400 (EDT)
From: Michael Scheidell <scheidell@secnap.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ale@freebsd.org
Subject: Security port patch for mysql-client51.28
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         127915
>Category:       ports
>Synopsis:       Security port patch for databases/mysql51-client 51.28
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ale
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 10:40:01 UTC 2008
>Closed-Date:    Fri Oct 10 18:42:14 UTC 2008
>Last-Modified:  Fri Oct 10 18:42:14 UTC 2008
>Originator:     Michael Scheidell
>Release:        FreeBSD 6.3-RELEASE-p1 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #0: Mon Apr 28 20:18:31 EDT 2008 admin@tpa.link.hackertrap.net:/usr/obj/usr/src/sys/TPA_LINK i386

>Description:
portaudit and bugtraq:
http://bugs.mysql.com/bug.php?id=27884

portaudit:
Affected package: mysql-client-5.1.28
Type of problem: mysql -- command line client input validation vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/4775c807-8f30-11dd-821f-001cc0377035.html>

>How-To-Repeat:
mysql --html --execute "select '<a>'"
(Note: the original report shows -execute; the correct option is --execute.)
If vulnerable, it will show:
mysql --html --execute "select '<a>'"
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>
>Fix:

patches from http://bugs.mysql.com/file.php?id=9232
changed locations for mysql51-28rc

Tested; looks like it fixed it.
If you build the full port (client/server) and cd to $WORK/mysql*, make test runs
fine now.
After the patches, note the escaped <>.
Note this is the correct test result, not as per the patch:
<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
Please inform portaudit/security of the fix and update portaudit.
How serious? Serious enough to be in portaudit :-)

Added files:
Only in ./files: patch-client:mysql.cc
Only in ./files: patch-mysql-test:mysql.result
Only in ./files: patch-mysql-test:mysql.test


diff -bBru /var/tmp/mysql51-server ./
diff -bBru /var/tmp/mysql51-server/Makefile ./Makefile
--- /var/tmp/mysql51-server/Makefile    2008-09-23 01:43:45.000000000 -0400
+++ ./Makefile  2008-10-07 05:50:21.000000000 -0400
@@ -7,7 +7,7 @@
 
 PORTNAME?=     mysql
 PORTVERSION=   5.1.28
-PORTREVISION?= 0
+PORTREVISION?= 1
 CATEGORIES=    databases
 MASTER_SITES=  ${MASTER_SITE_MYSQL}
 MASTER_SITE_SUBDIR=    MySQL-5.1
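Review bot: the PORTREVISION bump to 1 is the right accompaniment for a patch-only change, but this diff is taken against mysql51-server while the synopsis names databases/mysql51-client. If the client port builds out of the server port's directory and does not set its own PORTREVISION, the `?=` here will carry over; if it does set one, the client package's version will not change and portaudit will keep flagging mysql-client-5.1.28 (the affected package named in the description). Confirm which case applies before committing.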
diff -bBru /var/tmp/mysql51-server/files/patch-client:mysql.cc ./files/patch-client:mysql.cc
--- /var/tmp/mysql51-server/files/patch-client:mysql.cc 2008-10-07 06:20:40.000000000 -0400
+++ ./files/patch-client:mysql.cc       2008-10-07 05:51:58.000000000 -0400
@@ -0,0 +1,27 @@
+--- client/mysql.cc.orig       2008-08-28 11:39:27.000000000 -0400
++++ client/mysql.cc    2008-10-07 05:44:20.000000000 -0400
+@@ -3372,9 +3372,12 @@
+   {
+     while((field = mysql_fetch_field(result)))
+     {
+-      tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ? 
+-                                       (field->name[0] ? field->name : 
+-                                        " &nbsp; ") : "NULL"));
++      tee_fputs("<TH>", PAGER);
++      if (field->name && field->name[0])
++      xmlencode_print(field->name, field->name_length);
++      else
++      tee_fputs(field->name ? " &nbsp; " : "NULL", PAGER);
++      tee_fputs("</TH>", PAGER);
+     }
+     (void) tee_fputs("</TR>", PAGER);
+   }
+@@ -3387,7 +3390,7 @@
+     for (uint i=0; i < mysql_num_fields(result); i++)
+     {
+       (void) tee_fputs("<TD>", PAGER);
+-      safe_put_field(cur[i],lengths[i]);
++      xmlencode_print(cur[i],lengths[i]);
+       (void) tee_fputs("</TD>", PAGER);
+     }
+     (void) tee_fputs("</TR>", PAGER);
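Review bot: the bodies of the new if/else in the <TH> branch (`xmlencode_print(field->name, field->name_length);` and `tee_fputs(field->name ? " &nbsp; " : "NULL", PAGER);`) are indented at the same level as the `if` and `else` themselves, which reads as if they were unconditional; indent them one level to match the surrounding code. The logic is sound: the NULL-name and empty-name cases keep their previous literal output, and only the user-controlled field name and the cell value (`cur[i]`) go through xmlencode_print(), which this hunk relies on already existing in client/mysql.cc rather than adding it.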
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result ./files/patch-mysql-test:mysql.result
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.result 2008-10-07 06:20:49.000000000 -0400
+++ ./files/patch-mysql-test:mysql.result       2008-10-07 06:13:49.000000000 -0400
@@ -0,0 +1,11 @@
+--- mysql-test/r/mysql.result.orig     2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/r/mysql.result  2008-10-07 05:45:48.000000000 -0400
+@@ -182,6 +182,8 @@
+ This is a file starting with UTF8 BOM 0xEFBBBF
+ End of 5.0 tests
+ WARNING: --server-arg option not supported in this configuration.
+<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
++End of 5.1 tests
+ Warning (Code 1286): Unknown table engine 'nonexistent'
+ Warning (Code 1266): Using storage engine MyISAM for table 't2'
+ Warning (Code 1286): Unknown table engine 'nonexistent2'
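Review bot: the `<TABLE BORDER=1>...` line carries a single leading `+`, so inside the nested patch it is a context line rather than an added one; the inner header `@@ -182,6 +182,8 @@` promises two added lines but only `End of 5.1 tests` has `++`, so the hunk's line counts do not match its content and patch will not apply it as intended. Prefix the table line with a second `+` so the result file gains both the expected output and the trailer.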
diff -bBru /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test ./files/patch-mysql-test:mysql.test
--- /var/tmp/mysql51-server/files/patch-mysql-test:mysql.test   2008-10-07 06:21:00.000000000 -0400
+++ ./files/patch-mysql-test:mysql.test 2008-10-07 05:54:12.000000000 -0400
@@ -0,0 +1,17 @@
+--- mysql-test/t/mysql.test.orig       2008-08-28 12:08:36.000000000 -0400
++++ mysql-test/t/mysql.test    2008-10-07 05:48:59.000000000 -0400
+@@ -301,6 +301,14 @@
+ --enable_query_log
+ 
+ #
++# Bug #27884: mysql --html does not quote HTML special characters in output
++# 
++--exec $MYSQL --html test -e "select '< & >' as \`<\`"
++
++--echo
++--echo End of 5.1 tests
++
++#
+ # Bug #25146: Some warnings/errors not shown when using --show-warnings
+ #
+ 
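Review bot: the query on the `--exec` line, `select '< & >' as \`<\``, does not correspond to the expected output recorded in this PR's mysql.result hunk, which is the table for `select '<a>'` (`<TH>&lt;a&gt;</TH>` / `<TD>&lt;a&gt;</TD>`); for the query as written the recorded line would need to read `<TH>&lt;</TH>` and `<TD>&lt; &amp; &gt;</TD>`, so one of the two files has to be regenerated from an actual test run or the test will fail on comparison. Also drop the trailing space on the `++# ` comment line.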



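The escaping that the patch introduces, shown as an added C example that is not part of this PR or of the MySQL client code. `html_escape()` is a stand-in for the xmlencode_print() the patch switches to (which characters that routine encodes is an assumption here), and `render_html()` reproduces the client's single-row table layout in both the unpatched form (raw `%s`, as in the removed tee_fprintf line) and the patched form, so the two output strings from the How-To-Repeat section can be compared directly. The sample column names and values are constructed from the report and from the query in the added mysql.test.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from the PR or from MySQL. html_escape() stands in
 * for the client's xmlencode_print(): which characters that routine encodes is
 * an assumption here, so this version handles the HTML metacharacters & < > "
 * and copies everything else through (embedded NUL bytes are dropped).
 * Returns the number of bytes written (excluding the NUL), or -1 if dst is too small. */
static long html_escape(const char *src, size_t n, char *dst, size_t cap)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        char one[2] = { src[i], '\0' };
        const char *rep;
        switch (src[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (out + len >= cap)      /* keep room for the terminating NUL */
            return -1;
        memcpy(dst + out, rep, len);
        out += len;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Append s to dst at *pos; clears *ok (and stops writing) on overflow. */
static void put(char *dst, size_t cap, size_t *pos, const char *s, int *ok)
{
    if (!*ok)
        return;
    size_t len = strlen(s);
    if (*pos + len >= cap) {
        *ok = 0;
        return;
    }
    memcpy(dst + *pos, s, len);
    *pos += len;
    dst[*pos] = '\0';
}

/* Emit one cell's text. escape != 0 mirrors the patched <TH>/<TD> logic
 * (NULL and empty keep their literal output, anything else is encoded);
 * escape == 0 is the unpatched raw "%s" output that lets markup through.
 * empty_repl is what the client prints for an empty name (" &nbsp; " for headers). */
static void put_cell(char *dst, size_t cap, size_t *pos, const char *text,
                     const char *empty_repl, int escape, int *ok)
{
    char tmp[256] = "";
    if (text == NULL) {
        put(dst, cap, pos, "NULL", ok);
    } else if (text[0] == '\0') {
        put(dst, cap, pos, empty_repl, ok);
    } else if (escape) {
        if (html_escape(text, strlen(text), tmp, sizeof tmp) < 0)
            *ok = 0;
        put(dst, cap, pos, tmp, ok);
    } else {
        put(dst, cap, pos, text, ok);   /* vulnerable path: markup passes through */
    }
}

/* Build the single-row table that `mysql --html` prints for a one-row result.
 * names[] are the column headers, vals[] the row's values (NULL = SQL NULL).
 * Returns the length of the table, or -1 if dst is too small. */
static long render_html(const char **names, const char **vals, size_t ncols,
                        int escape, char *dst, size_t cap)
{
    size_t pos = 0;
    int ok = 1;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    put(dst, cap, &pos, "<TABLE BORDER=1><TR>", &ok);
    for (size_t i = 0; i < ncols; i++) {
        put(dst, cap, &pos, "<TH>", &ok);
        put_cell(dst, cap, &pos, names[i], " &nbsp; ", escape, &ok);
        put(dst, cap, &pos, "</TH>", &ok);
    }
    put(dst, cap, &pos, "</TR><TR>", &ok);
    for (size_t i = 0; i < ncols; i++) {
        put(dst, cap, &pos, "<TD>", &ok);
        put_cell(dst, cap, &pos, vals[i], "", escape, &ok);
        put(dst, cap, &pos, "</TD>", &ok);
    }
    put(dst, cap, &pos, "</TR></TABLE>", &ok);
    return ok ? (long)pos : -1;
}

int main(void)
{
    /* Constructed samples: the column name and value from the How-To-Repeat
     * section, then the query the PR's mysql.test adds. */
    const char *name1[] = { "<a>" }, *val1[] = { "<a>" };
    const char *name2[] = { "<" },   *val2[] = { "< & >" };
    char out[512];

    render_html(name1, val1, 1, 0, out, sizeof out);
    printf("unpatched: %s\n", out);
    render_html(name1, val1, 1, 1, out, sizeof out);
    printf("patched:   %s\n", out);
    render_html(name2, val2, 1, 1, out, sizeof out);
    printf("patched:   %s\n", out);
    return 0;
}
```

The unpatched string is exactly the one the report shows for a vulnerable client, and the patched one matches the escaped table in the Fix section; the third call shows what the result file would have to contain for the query the added mysql.test actually runs.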
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Oct 7 11:46:24 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127915 

From: Michael Scheidell <scheidell@secnap.net>
To: bug-followup@FreeBSD.org, Alex Dupre <ale@FreeBSD.org>
Cc:  
Subject: Re: ports/127915: Security port patch for databases/mysql51-client
 51.28
Date: Wed, 08 Oct 2008 07:46:23 -0400

 Sorry, patch corrupted. This:
 
 @@ -0,0 +1,11 @@
 +--- mysql-test/r/mysql.result.orig     2008-08-28 12:08:36.000000000 -0400
 ++++ mysql-test/r/mysql.result  2008-10-07 05:45:48.000000000 -0400
 +@@ -182,6 +182,8 @@
 + This is a file starting with UTF8 BOM 0xEFBBBF
 + End of 5.0 tests
 + WARNING: --server-arg option not supported in this configuration.
 +<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
 ++End of 5.1 tests
 + Warning (Code 1286): Unknown table engine 'nonexistent'
 + Warning (Code 1266): Using storage engine MyISAM for table 't2'
 + Warning (Code 1286): Unknown table engine 'nonexistent2'
 
 should be this (note the missing extra + before <TABLE BORDER; found during regression test):
 
 @@ -0,0 +1,11 @@
 +--- mysql-test/r/mysql.result.orig     2008-08-28 12:08:36.000000000 -0400
 ++++ mysql-test/r/mysql.result  2008-10-07 05:45:48.000000000 -0400
 +@@ -182,6 +182,8 @@
 + This is a file starting with UTF8 BOM 0xEFBBBF
 + End of 5.0 tests
 + WARNING: --server-arg option not supported in this configuration.
 ++<TABLE BORDER=1><TR><TH>&lt;a&gt;</TH></TR><TR><TD>&lt;a&gt;</TD></TR></TABLE>
 ++End of 5.1 tests
 + Warning (Code 1286): Unknown table engine 'nonexistent'
 + Warning (Code 1266): Using storage engine MyISAM for table 't2'
 + Warning (Code 1286): Unknown table engine 'nonexistent2'
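Review bot: with the second `+` restored on the table line, the inner hunk now adds two lines, matching its `+182,8` header; apply this version in place of the one in the original submission rather than on top of it, since the first version's header count does not match its content.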
 
 
 -- 
 Michael Scheidell, CTO
 Phone: 561-999-5000, x 1259
 SECNAP Network Security Corporation
 
State-Changed-From-To: open->closed 
State-Changed-By: ale 
State-Changed-When: Fri Oct 10 18:41:57 UTC 2008 
State-Changed-Why:  
Fixed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127915 
>Unformatted:
 Class:		sw-bug
