From 5ac61b2af0cf37eeed5050a91819d6d273f037a5 Mon Sep 17 00:00:00 2001 From: Anushree Prakash B Date: Fri, 8 Sep 2017 18:29:07 +0530 Subject: [PATCH 1/2] Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenarios mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution. (cherry picked from commit 31a372aa1c2b93dc75267d1f05a7f7fca6080dc0) --- client/mysql.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/client/mysql.cc b/client/mysql.cc index d09499c120a..715d74f18b2 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string, if (*in_string || inchar == 'N') // \N is short for NULL { // Don't allow commands in string *out++='\\'; - *out++= (char) inchar; + if ((inchar == '`') && (*in_string == inchar)) + pos--; + else + *out++= (char) inchar; continue; } if ((com=find_command(NullS,(char) inchar))) From 1da916c37e5107b27297fc9e22c3da7772bb097d Mon Sep 17 00:00:00 2001 From: "mysql-builder@oracle.com" <> Date: Wed, 13 Sep 2017 12:14:06 +0530 Subject: [PATCH 2/2]
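Review bot: The new `pos--` branch in add_line() needs a comment, because the existing "Don't allow commands in string" comment no longer explains what the block does: the backslash is still emitted, but when the current quote character is a backtick the backtick itself is pushed back (`pos--`) instead of being copied, so the next iteration sees it as the closing quote of the identifier rather than as an escaped character. A one-line comment such as "backslash is not an escape inside a backtick-quoted identifier; re-read the backtick as the closing quote" at the `if ((inchar == '`') && (*in_string == inchar))` line would make the intent reviewable. Two further points: the diffstat shows only client/mysql.cc changed, while the description says the problem "can impact mysqldump as well", so either mysqldump shares this code path (worth stating) or it still needs an equivalent fix; and no regression test is included in this patch, although the commit text describes concrete inputs (identifier names mixing backslashes and backticks that previously led to extra statements being executed or to query truncation) that would make a straightforward mysql-test case.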