- 2927. By Tor Didriksen <email address hidden> on 2011-10-14
TMP_BUF, DECIMAL_ VALUE STACK CORRUPTION IN ALL VERSIONS >=5.0
Buffer over-run on all platforms, crash on windows, wrong result on other platforms,
when rounding numbers which start with 999999999 and have
precision = 9 or 18 or 27 or 36 ...
- 2925. By Tatjana Azundris Nuernberg <email address hidden> on 2011-10-06
additional clean-up for 11765687
- 2924. By Tatjana Azundris Nuernberg <email address hidden> on 2011-09-29
Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows / underlying table's name
1 - If a user had SHOW VIEW and SELECT privileges on a view and
this view was referencing another view, EXPLAIN SELECT on the outer
view (that the user had privileges on) could reveal the structure
of the underlying "inner" view as well as the number of rows in
the underlying tables, even if the user had privileges on none of
these referenced objects.
This happened because we used DEFINER's UID ("SUID") not just for
the view given in EXPLAIN, but also when checking privileges on
the underlying views (where we should use the UID of the EXPLAIN's
We no longer run the EXPLAIN SUID (with DEFINER's privileges).
This prevents a possible exploit and makes permissions more
2 - EXPLAIN SELECT would reveal a view's structure even if the user
did not have SHOW VIEW privileges for that view, as long as they
had SELECT privilege on the underlying tables.
Instead of requiring both SHOW VIEW privilege on a view and SELECT
privilege on all underlying tables, we were checking for presence
of either of them.
We now explicitly require SHOW VIEW and SELECT privileges on
the view we run EXPLAIN SELECT on, as well as all its
underlying views. We also require SELECT on all relevant
- 2922. By Tor Didriksen <email address hidden> on 2011-07-18
Bug#12406055 post-push fix: ignore float output
- 2921. By Tor Didriksen <email address hidden> on 2011-07-15
Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL
The buffer was simply too small.
In 5.5 and trunk, the size is 311 + 31,
in 5.1 and below, the size is 331
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: