rpms/ocaml-mysql/F-10 ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch, NONE, 1.1 ocaml-mysql.spec, 1.2, 1.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Author: rjones

Update of /cvs/pkgs/rpms/ocaml-mysql/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19036

Modified Files:
	ocaml-mysql.spec 
Added Files:
	ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch 
Log Message:
Patch for CVE 2009-2942 Missing escape function (RHBZ#529321).

ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch:
 mysql.ml      |   18 ++++++++++++------
 mysql.mli     |    5 +++++
 mysql_stubs.c |   27 +++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 6 deletions(-)

--- NEW FILE ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch ---
diff -ur ocaml-mysql-1.0.4.orig/mysql.ml ocaml-mysql-1.0.4/mysql.ml
--- ocaml-mysql-1.0.4.orig/mysql.ml	2006-02-23 22:13:22.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql.ml	2009-10-16 11:42:08.074508283 +0100
@@ -333,6 +333,7 @@
 external real_status     : dbd -> int                         = "db_status"
 external errmsg     : dbd -> string option                  = "db_errmsg"
 external escape     : string -> string                      = "db_escape"
+external real_escape: dbd -> string -> string               = "db_real_escape"
 external fetch      : result -> string option array option  = "db_fetch" 
 external to_row     : result -> int64 -> unit                 = "db_to_row"
 external size       : result -> int64                         = "db_size"
@@ -516,7 +517,9 @@
    the corresponding type *)
   
 let ml2str str  = "'" ^ escape str ^ "'"
+let ml2rstr conn str = "'" ^ real_escape conn str ^ "'"
 let ml2blob     = ml2str
+let ml2rblob    = ml2rstr
 let ml2int x    = string_of_int x
 let ml2decimal x    = x
 let ml322int x  = Int32.to_string x
@@ -524,12 +527,15 @@
 let mlnative2int x = Nativeint.to_string x
 let ml2float x  = string_of_float x
 let ml2enum x   = escape x
-let ml2set x    = let rec loop arg = match arg with
-                    | []        -> ""
-                    | [x]       -> escape x
-                    | x::y::ys  -> escape x ^ "," ^ loop (y::ys)
-                  in
-                    loop x  
+let ml2renum x  = real_escape x
+let ml2set_filter f x =
+  let rec loop f = function
+  | []        -> ""
+  | [x]       -> f x
+  | x::y::ys  -> f x ^ "," ^ loop f (y::ys)
+  in loop f x
+let ml2set x       = ml2set_filter escape x
+let ml2rset conn x = ml2set_filter (real_escape conn) x
 
 let ml2datetimel ~year ~month ~day ~hour ~min ~sec =
     Printf.sprintf "'%04d-%02d-%02d %02d:%02d:%02d'"
diff -ur ocaml-mysql-1.0.4.orig/mysql.mli ocaml-mysql-1.0.4/mysql.mli
--- ocaml-mysql-1.0.4.orig/mysql.mli	2006-02-23 22:13:22.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql.mli	2009-10-16 11:42:08.075507981 +0100
@@ -230,6 +230,7 @@
 (** [escape str] returns the same string as [str] in MySQL syntax with
   special characters quoted to not confuse the MySQL parser *)
 val escape : string -> string 
+val real_escape : dbd -> string -> string
 
 (** [xxx2ml str] decodes a MySQL value of type xxx into a corresponding
   OCaml value *)
@@ -277,14 +278,18 @@
 (** [ml2xxx v] encodes [v] into MySQL syntax. *)
 
 val ml2str          : string -> string
+val ml2rstr         : dbd -> string -> string
 val ml2blob         : string -> string
+val ml2rblob        : dbd -> string -> string
 val ml2int          : int -> string
 val ml2decimal      : string -> string
 val ml322int        : int32 -> string
 val ml642int        : int64 -> string
 val ml2float        : float -> string
 val ml2enum         : string -> string
+val ml2renum        : dbd -> string -> string
 val ml2set          : string list -> string
+val ml2rset         : dbd -> string list -> string
 val ml2datetime     : int * int * int * int * int * int -> string
 val ml2datetimel    : year:int -> month:int -> day:int -> hour:int -> min:int -> sec:int -> string
 val ml2date         : int * int * int -> string
diff -ur ocaml-mysql-1.0.4.orig/mysql_stubs.c ocaml-mysql-1.0.4/mysql_stubs.c
--- ocaml-mysql-1.0.4.orig/mysql_stubs.c	2006-02-23 23:12:36.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql_stubs.c	2009-10-16 11:42:08.076508492 +0100
@@ -472,6 +472,33 @@
   CAMLreturn(res);
 }
 
+EXTERNAL value
+db_real_escape(value dbd, value str)
+{
+  CAMLparam2(dbd, str);
+  char *s;
+  char *buf;
+  int len, esclen;
+  MYSQL *mysql;
+  CAMLlocal1(res);
+
+  check_dbd(dbd, "escape");
+  mysql = DBDmysql(dbd);
+
+  s = String_val(str);
+  len = string_length(str);
+  buf = (char*) stat_alloc(2*len+1);
+  caml_enter_blocking_section();
+  esclen = mysql_real_escape_string(mysql,buf,s,len);
+  caml_leave_blocking_section();
+
+  res = alloc_string(esclen);
+  memcpy(String_val(res), buf, esclen);
+  stat_free(buf);
+
+  CAMLreturn(res);
+}
+
 /*
  * db_size -- returns the size of the current result (number of rows).
  */


Index: ocaml-mysql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-mysql/F-10/ocaml-mysql.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- ocaml-mysql.spec	23 Apr 2008 11:10:52 -0000	1.2
+++ ocaml-mysql.spec	16 Oct 2009 10:46:42 -0000	1.3
@@ -3,7 +3,7 @@
 
 Name:           ocaml-mysql
 Version:        1.0.4
-Release:        3%{?dist}
+Release:        3%{?dist}.1
 Summary:        OCaml library for accessing MySQL databases
 
 Group:          Development/Libraries
@@ -12,6 +12,8 @@ URL:            http://raevnos.pennmush.
 Source0:        http://raevnos.pennmush.org/code/ocaml-mysql/ocaml-mysql-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+Patch0:         ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch
+
 BuildRequires:  ocaml >= 3.10.0
 BuildRequires:  ocaml-findlib-devel
 BuildRequires:  ocaml-ocamldoc
@@ -43,6 +45,7 @@ developing applications that use %{name}
 
 %prep
 %setup -q
+%patch0 -p1
 ./configure --libdir=%{_libdir}
 
 
@@ -94,6 +97,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 1.0.4-3.fc10.1
+- Patch for CVE 2009-2942 Missing escape function (RHBZ#529321).
+
 * Wed Apr 23 2008 Richard W.M. Jones <rjones@xxxxxxxxxx> - 1.0.4-3
 - Rebuild for OCaml 3.10.2
 

_______________________________________________
Fedora-ocaml-list mailing list
Fedora-ocaml-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-ocaml-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux