Author: rjones
Update of /cvs/pkgs/rpms/ocaml-mysql/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19036
Modified Files:
ocaml-mysql.spec
Added Files:
ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch
Log Message:
Patch for CVE 2009-2942 Missing escape function (RHBZ#529321).
ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch:
mysql.ml | 18 ++++++++++++------
mysql.mli | 5 +++++
mysql_stubs.c | 27 +++++++++++++++++++++++++++
3 files changed, 44 insertions(+), 6 deletions(-)
--- NEW FILE ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch ---
diff -ur ocaml-mysql-1.0.4.orig/mysql.ml ocaml-mysql-1.0.4/mysql.ml
--- ocaml-mysql-1.0.4.orig/mysql.ml 2006-02-23 22:13:22.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql.ml 2009-10-16 11:42:08.074508283 +0100
@@ -333,6 +333,7 @@
external real_status : dbd -> int = "db_status"
external errmsg : dbd -> string option = "db_errmsg"
external escape : string -> string = "db_escape"
+external real_escape: dbd -> string -> string = "db_real_escape"
external fetch : result -> string option array option = "db_fetch"
external to_row : result -> int64 -> unit = "db_to_row"
external size : result -> int64 = "db_size"
@@ -516,7 +517,9 @@
the corresponding type *)
let ml2str str = "'" ^ escape str ^ "'"
+let ml2rstr conn str = "'" ^ real_escape conn str ^ "'"
let ml2blob = ml2str
+let ml2rblob = ml2rstr
let ml2int x = string_of_int x
let ml2decimal x = x
let ml322int x = Int32.to_string x
@@ -524,12 +527,15 @@
let mlnative2int x = Nativeint.to_string x
let ml2float x = string_of_float x
let ml2enum x = escape x
-let ml2set x = let rec loop arg = match arg with
- | [] -> ""
- | [x] -> escape x
- | x::y::ys -> escape x ^ "," ^ loop (y::ys)
- in
- loop x
+let ml2renum x = real_escape x
+let ml2set_filter f x =
+ let rec loop f = function
+ | [] -> ""
+ | [x] -> f x
+ | x::y::ys -> f x ^ "," ^ loop f (y::ys)
+ in loop f x
+let ml2set x = ml2set_filter escape x
+let ml2rset conn x = ml2set_filter (real_escape conn) x
let ml2datetimel ~year ~month ~day ~hour ~min ~sec =
Printf.sprintf "'%04d-%02d-%02d %02d:%02d:%02d'"
diff -ur ocaml-mysql-1.0.4.orig/mysql.mli ocaml-mysql-1.0.4/mysql.mli
--- ocaml-mysql-1.0.4.orig/mysql.mli 2006-02-23 22:13:22.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql.mli 2009-10-16 11:42:08.075507981 +0100
@@ -230,6 +230,7 @@
(** [escape str] returns the same string as [str] in MySQL syntax with
special characters quoted to not confuse the MySQL parser *)
val escape : string -> string
+val real_escape : dbd -> string -> string
(** [xxx2ml str] decodes a MySQL value of type xxx into a corresponding
OCaml value *)
@@ -277,14 +278,18 @@
(** [ml2xxx v] encodes [v] into MySQL syntax. *)
val ml2str : string -> string
+val ml2rstr : dbd -> string -> string
val ml2blob : string -> string
+val ml2rblob : dbd -> string -> string
val ml2int : int -> string
val ml2decimal : string -> string
val ml322int : int32 -> string
val ml642int : int64 -> string
val ml2float : float -> string
val ml2enum : string -> string
+val ml2renum : dbd -> string -> string
val ml2set : string list -> string
+val ml2rset : dbd -> string list -> string
val ml2datetime : int * int * int * int * int * int -> string
val ml2datetimel : year:int -> month:int -> day:int -> hour:int -> min:int -> sec:int -> string
val ml2date : int * int * int -> string
diff -ur ocaml-mysql-1.0.4.orig/mysql_stubs.c ocaml-mysql-1.0.4/mysql_stubs.c
--- ocaml-mysql-1.0.4.orig/mysql_stubs.c 2006-02-23 23:12:36.000000000 +0000
+++ ocaml-mysql-1.0.4/mysql_stubs.c 2009-10-16 11:42:08.076508492 +0100
@@ -472,6 +472,33 @@
CAMLreturn(res);
}
+EXTERNAL value
+db_real_escape(value dbd, value str)
+{
+ CAMLparam2(dbd, str);
+ char *s;
+ char *buf;
+ int len, esclen;
+ MYSQL *mysql;
+ CAMLlocal1(res);
+
+ check_dbd(dbd, "escape");
+ mysql = DBDmysql(dbd);
+
+ s = String_val(str);
+ len = string_length(str);
+ buf = (char*) stat_alloc(2*len+1);
+ caml_enter_blocking_section();
+ esclen = mysql_real_escape_string(mysql,buf,s,len);
+ caml_leave_blocking_section();
+
+ res = alloc_string(esclen);
+ memcpy(String_val(res), buf, esclen);
+ stat_free(buf);
+
+ CAMLreturn(res);
+}
+
/*
* db_size -- returns the size of the current result (number of rows).
*/
Index: ocaml-mysql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-mysql/F-10/ocaml-mysql.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- ocaml-mysql.spec 23 Apr 2008 11:10:52 -0000 1.2
+++ ocaml-mysql.spec 16 Oct 2009 10:46:42 -0000 1.3
@@ -3,7 +3,7 @@
Name: ocaml-mysql
Version: 1.0.4
-Release: 3%{?dist}
+Release: 3%{?dist}.1
Summary: OCaml library for accessing MySQL databases
Group: Development/Libraries
@@ -12,6 +12,8 @@ URL: http://raevnos.pennmush.
Source0: http://raevnos.pennmush.org/code/ocaml-mysql/ocaml-mysql-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0: ocaml-mysql-1.0.4-CVE-2009-2942-missing-escape.patch
+
BuildRequires: ocaml >= 3.10.0
BuildRequires: ocaml-findlib-devel
BuildRequires: ocaml-ocamldoc
@@ -43,6 +45,7 @@ developing applications that use %{name}
%prep
%setup -q
+%patch0 -p1
./configure --libdir=%{_libdir}
@@ -94,6 +97,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 1.0.4-3.fc10.1
+- Patch for CVE 2009-2942 Missing escape function (RHBZ#529321).
+
* Wed Apr 23 2008 Richard W.M. Jones <rjones@xxxxxxxxxx> - 1.0.4-3
- Rebuild for OCaml 3.10.2
_______________________________________________
Fedora-ocaml-list mailing list
Fedora-ocaml-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
