1. 26 Sep, 2016 3 commits
  2. 24 Sep, 2016 1 commit
  3. 13 Sep, 2016 1 commit
  4. 12 Sep, 2016 4 commits
  5. 11 Sep, 2016 1 commit
  6. 02 Sep, 2016 1 commit
  7. 26 Aug, 2016 1 commit
  8. 25 Aug, 2016 4 commits
    • Sivert Sorumgard's avatar
      Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE · 48bd8b16
      Sivert Sorumgard authored
      [This is the 5.5/5.6 version of the bugfix].
      
      The problem was that it was possible to write log files ending
      in .ini/.cnf that later could be parsed as an options file.
      This made it possible for users to specify startup options
      without the permissions to do so.
      
      This patch fixes the problem by disallowing general query log
      and slow query log to be written to files ending in .ini and .cnf.
      48bd8b16
    • Jon Olav Hauglid's avatar
      Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE · 4e547386
      Jon Olav Hauglid authored
      During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
      is created. When repair finishes, this file is renamed to the original
      .MYD file. The problem was that during this rename, we copied the
      stats from the old file to the new file with chmod/chown. If a user
      managed to replace the temporary file before chmod/chown was executed,
      it was possible to get an arbitrary file with the privileges of the
      mysql user.
      
      This patch fixes the problem by not copying stats from the old
      file to the new file. This is not needed as the new file was
      created with the correct stats. This fix only changes server
      behavior - external utilities such as myisamchk still does
      chmod/chown.
      
      No test case provided since the problem involves synchronization
      with file system operations.
      4e547386
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 684a165f
      Terje Rosten authored
      Argument to malloc-lib must be included in restricted list of
      directories, symlink guards added, and mysqld and mysqld-version
      options restricted to command line only. Don't redirect errors to
      stderr.
      684a165f
    • Monty's avatar
      DEV-10595 MariaDB daemon leaks memory with specific query · ee97274c
      Monty authored
      The issue was that in some extreme cases when doing GROUP BY,
      buffers for temporary blobs where not properly cleared.
      ee97274c
  9. 19 Aug, 2016 1 commit
  10. 17 Aug, 2016 1 commit
    • Sergey Vojtovich's avatar
      MDEV-10424 - Assertion `ticket == __null' failed in MDL_request::set_type · 723488bb
      Sergey Vojtovich authored
      Reexecution of prepared "ANALYZE TABLE merge_table, table" may miss to
      reinitialize "table" for subsequent execution and trigger assertion failure.
      
      This happens because MERGE engine may adjust table->next_global chain, which
      gets cleared by close_thread_tables()/ha_myisammrg::detach_children() later.
      Since reinitilization iterates next_global chain, it won't see tables following
      merge table.
      
      Fixed by appending saved next_global chain after merge children.
      723488bb
  11. 11 Aug, 2016 1 commit
  12. 10 Aug, 2016 1 commit
  13. 09 Aug, 2016 2 commits
  14. 08 Aug, 2016 5 commits
  15. 07 Aug, 2016 1 commit
  16. 05 Aug, 2016 1 commit
    • Neha Kumari's avatar
      Bug#23540182:MYSQLBINLOG DOES NOT FREE THE EXISTING CONNECTION BEFORE OPENING NEW REMOTE ONE · 22eec689
      Neha Kumari authored
      It happens when you are trying to read two or more log files from a
      remote server using mysqlbinlog utility.
      
      The reason for this is no matching mysql_close() that concludes the
      life time of 'mysql' struct describing connection to the server.
      This happens when mysqlbinlog is invoked with connecting to the server
      and requesting more than one binlog file. In such case
      dump_remote_log_entries() keeps calling safe_connect() per eachfile,
      never caring to invoke mysql_close(). Only the final safe_connect()'s
      allocation effect are cleaned by the base code.
      That is with 2 files there's one 'mysql' connection descriptor struct
      uncleaned/deallocated.
      
      We are backporting the bug 21255763 (pushed in mysql-trunk)
      in the earlier version of MySQL starting from 5.5 to 5.7.
      which was pushed in mysql-trunk.
      
      Fix:
      Invoke mysql_close() just before mysql_init() in safe_connect()
      defined in mysqlbinlog.cc. That makes possibly previously used 'mysql' be
      reclaimed prior a new one is allocated.
      22eec689
  17. 04 Aug, 2016 4 commits
  18. 03 Aug, 2016 7 commits