Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions

Mon, 16 Dec 2013 08:33:45 -0800 

Hi

Attached are the slightly adjusted patches applied to the
wheezy-security upload (needed also to disable three further tests,
see debian/changelog).

Probably this can also be fixed without having to disable the three
additional tests tough.

Hope this helps for the further update.

Regards,
Salvatore

Description: drop the passwordless user and test database
Origin: vendor
Bug: http://bugs.mysql.com/bug.php?id=6901
Bug-Debian: http://bugs.debian.org/301741
From: c...@debian.org
Last-Update: 2013-12-13

--- a/scripts/mysql_system_tables_data.sql
+++ b/scripts/mysql_system_tables_data.sql
@@ -31,8 +31,6 @@
 -- Fill "db" table with default grants for anyone to
 -- access database 'test' and 'test_%' if "db" table didn't exist
 CREATE TEMPORARY TABLE tmp_db LIKE db;
-INSERT INTO tmp_db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
-INSERT INTO tmp_db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
 INSERT INTO db SELECT * FROM tmp_db WHERE @had_db_table=0;
 DROP TABLE tmp_db;
 
@@ -44,8 +42,6 @@
 REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','' FROM dual WHERE LOWER( @current_hostname) != 'localhost';
 REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','');
 REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','');
-INSERT INTO tmp_user (host,user) VALUES ('localhost','');
-INSERT INTO tmp_user (host,user) SELECT @current_hostname,'' FROM dual WHERE LOWER(@current_hostname ) != 'localhost';
 INSERT INTO user SELECT * FROM tmp_user WHERE @had_user_table=0;
 DROP TABLE tmp_user;
 

From: c...@debian.org
Bug: http://bugs.mysql.com/bug.php?id=6901

Index: mysql-5.5-5.5.33+dfsg/scripts/mysql_install_db.sh
===================================================================
--- mysql-5.5-5.5.33+dfsg.orig/scripts/mysql_install_db.sh	2013-09-26 18:57:32.730764845 -0700
+++ mysql-5.5-5.5.33+dfsg/scripts/mysql_install_db.sh	2013-09-26 18:57:32.726765077 -0700
@@ -356,7 +356,7 @@
 fi
 
 # Create database directories
-for dir in $ldata $ldata/mysql $ldata/test
+for dir in $ldata $ldata/mysql
 do
   if test ! -d $dir
   then

From: Christian Hammers <c...@debian.org>
Description: restores the rights for anybody to connect to the test
 database so that the test suite can function properly.

--- a/mysql-test/mysql-test-run.pl
+++ b/mysql-test/mysql-test-run.pl
@@ -3355,6 +3355,10 @@
     mtr_appendfile_to_file("$sql_dir/mysql_system_tables_data.sql",
 			   $bootstrap_sql_file);
 
+    mtr_tofile($bootstrap_sql_file, "-- Debian removed the default privileges on the 'test' database\n");
+    mtr_tofile($bootstrap_sql_file, "INSERT INTO mysql.db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');\n");
+
+
     # Add test data for timezone - this is just a subset, on a real
     # system these tables will be populated either by mysql_tzinfo_to_sql
     # or by downloading the timezone table package from our website

Reply via email to