[debian-mysql] Bug#536548: mysql-dfsg-5.0: Updated 45_warn-CLI-passwords.dpatch for 5.0.83

Mathias Gug mathiaz at ubuntu.com
Sat Jul 11 01:23:08 UTC 2009


Package: mysql-dfsg-5.0
Version: 5.0.83-1
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch


I've attached an updated version of 45_warn-CLI-passwords.dpatch so that
it applies cleanly to 5.0.83.


-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-24-server (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
--- debian/patches/45_warn-CLI-passwords.dpatch	2009-02-15 16:44:02 +0000
+++ debian/patches/45_warn-CLI-passwords.dpatch	2009-07-10 21:27:07 +0000
@@ -5,10 +5,22 @@
 ## DP: warn-CLI-passwords
 
 @DPATCH@
-
---- old/client/mysqladmin.cc.orig	2005-11-15 01:12:30.000000000 +0100
-+++ new/client/mysqladmin.cc	2005-11-22 00:17:41.327082273 +0100
-@@ -154,7 +154,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysql.cc mysql-dfsg-5.0-5.1.30really5.0.83/client/mysql.cc
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysql.cc	2009-05-29 14:15:31.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysql.cc	2009-07-10 17:24:45.000000000 -0400
+@@ -1395,7 +1395,7 @@
+    0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
+ #endif
+   {"password", 'p',
+-   "Password to use when connecting to server. If password is not given it's asked from the tty.",
++   "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: This is insecure as the password is visible for anyone through /proc for a short time.",
+    0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
+ #ifdef __WIN__
+   {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqladmin.cc mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqladmin.cc
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqladmin.cc	2009-05-29 14:15:31.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqladmin.cc	2009-07-10 17:24:45.000000000 -0400
+@@ -153,7 +153,7 @@
    {"host", 'h', "Connect to host.", (gptr*) &host, (gptr*) &host, 0, GET_STR,
     REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
    {"password", 'p',
@@ -17,20 +29,10 @@
     0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
  #ifdef __WIN__
    {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysql.cc.orig	2005-11-15 01:12:45.000000000 +0100
-+++ new/client/mysql.cc	2005-11-22 00:17:41.329082230 +0100
-@@ -621,7 +621,7 @@
-    0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
- #endif
-   {"password", 'p',
--   "Password to use when connecting to server. If password is not given it's asked from the tty.",
-+   "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: This is insecure as the password is visible for anyone through /proc for a short time.",
-    0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
- #ifdef __WIN__
-   {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysqldump.c.orig	2005-11-15 01:12:38.000000000 +0100
-+++ new/client/mysqldump.c	2005-11-22 00:17:41.332082165 +0100
-@@ -323,7 +323,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqldump.c mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqldump.c
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqldump.c	2009-05-29 14:15:32.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqldump.c	2009-07-10 17:24:45.000000000 -0400
+@@ -357,7 +357,7 @@
     "Sorts each table's rows by primary key, or first unique key, if such a key exists.  Useful when dumping a MyISAM table to be loaded into an InnoDB table, but will make the dump itself take considerably longer.",
     (gptr*) &opt_order_by_primary, (gptr*) &opt_order_by_primary, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
    {"password", 'p',
@@ -39,19 +41,103 @@
     0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
  #ifdef __WIN__
    {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysqlshow.c.orig	2005-11-15 01:12:47.000000000 +0100
-+++ new/client/mysqlshow.c	2005-11-22 00:17:41.333082144 +0100
-@@ -185,7 +185,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqlshow.c mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqlshow.c
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqlshow.c	2009-05-29 14:15:32.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqlshow.c	2009-07-10 17:24:45.000000000 -0400
+@@ -186,7 +186,7 @@
    {"keys", 'k', "Show keys for table.", (gptr*) &opt_show_keys,
     (gptr*) &opt_show_keys, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
    {"password", 'p',
 -   "Password to use when connecting to server. If password is not given it's asked from the tty.",
 +   "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: Providing a password on command line is insecure as it is visible through /proc to anyone for a short time.", 
     0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
-   {"port", 'P', "Port number to use for connection.", (gptr*) &opt_mysql_port,
-    (gptr*) &opt_mysql_port, 0, GET_UINT, REQUIRED_ARG, MYSQL_PORT, 0, 0, 0, 0,
---- old/scripts/mysqlaccess.sh.orig	2005-11-15 01:12:32.000000000 +0100
-+++ new/scripts/mysqlaccess.sh	2005-11-22 00:17:41.352081736 +0100
+   {"port", 'P', "Port number to use for connection or 0 for default to, in "
+    "order of preference, my.cnf, $MYSQL_TCP_PORT, "
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_convert_table_format.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_convert_table_format.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_convert_table_format.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_convert_table_format.sh	2009-07-10 17:24:50.000000000 -0400
+@@ -121,6 +121,8 @@
+ 
+ --password='password'
+   Password for the current user.
++  WARNING: Providing a password on command line is insecure as it is visible
++  through /proc to anyone for a short time.
+ 
+ --port=port
+   TCP/IP port to connect to if host is not "localhost".
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_explain_log.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_explain_log.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_explain_log.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_explain_log.sh	2009-07-10 17:24:51.000000000 -0400
+@@ -342,6 +342,9 @@
+     The MySQL username to use when connecting to the server
+ --password=PASSWORD, -p=PASSWORD
+     The password to use when connecting to the server
++    WARNING: Providing a password on command line is
++    insecure as it is visible through /proc to anyone
++    for a short time.
+ --socket=SOCKET, -s=SOCKET
+     The socket file to use when connecting to the server
+ --printerror=1, -e 1
+@@ -380,7 +383,7 @@
+ 
+ =head1 USAGE
+ 
+-mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw] [--socket=/path/to/socket] [--printerror=1] < logfile
++mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw (INSECURE)] [--socket=/path/to/socket] [--printerror=1] < logfile
+ 
+ --help, -h
+     Display this help message
+@@ -392,6 +395,8 @@
+     The MySQL username to use when connecting to the server
+ --password=PASSWORD, -p=PASSWORD
+     The password to use when connecting to the server
++    WARNING: Providing a password on command line is insecure
++    as it is visible through /proc to anyone for a short time.
+ --socket=SOCKET, -s=SOCKET
+     The socket file to use when connecting to the server
+ --printerror=1, -e 1
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_fix_privilege_tables.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_fix_privilege_tables.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_fix_privilege_tables.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_fix_privilege_tables.sh	2009-07-10 17:24:51.000000000 -0400
+@@ -49,6 +49,10 @@
+ 
+ case "$1" in
+     --no-defaults|--defaults-file=*|--defaults-extra-file=*)
++#
++# WARNING: Providing a password on command line is insecure as it is visible
++# through /proc to anyone for a short time.
++#
+       defaults="$1"; shift
+       ;;
+ esac
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_setpermission.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_setpermission.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_setpermission.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_setpermission.sh	2009-07-10 17:24:51.000000000 -0400
+@@ -641,6 +641,9 @@
+ 
+ --user		: is the username to connect with.
+ --password	: the password of the username.
++                  WARNING: Providing a password on command line is
++                  insecure as it is visible through /proc to anyone
++                  for a short time.
+ --host		: the host to connect to.
+ --socket	: the socket to connect to.
+ --port		: the port number of the host to connect to.
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_tableinfo.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_tableinfo.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_tableinfo.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_tableinfo.sh	2009-07-10 17:24:51.000000000 -0400
+@@ -462,6 +462,8 @@
+ =item -p, --password=#     
+ 
+ password to use when connecting to server
++WARNING: Providing a password on command line is insecure as it is visible
++through /proc to anyone for a short time.
+ 
+ =item -h, --host=#     
+ 
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlaccess.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlaccess.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlaccess.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlaccess.sh	2009-07-10 17:24:45.000000000 -0400
 @@ -74,11 +74,17 @@
  
    -u, --user=#         username for logging in to the db
@@ -70,20 +156,10 @@
    -H, --rhost=#        remote MySQL-server to connect to
        --old_server     connect to old MySQL-server (before v3.21) which 
                         does not yet know how to handle full where clauses.
---- old/scripts/mysql_convert_table_format.sh.orig	2005-11-15 01:12:45.000000000 +0100
-+++ new/scripts/mysql_convert_table_format.sh	2005-11-22 00:17:41.353081714 +0100
-@@ -107,6 +107,8 @@
- 
- --password='password'
-   Password for the current user.
-+  WARNING: Providing a password on command line is insecure as it is visible
-+  through /proc to anyone for a short time.
- 
- --port=port
-   TCP/IP port to connect to if host is not "localhost".
---- old/scripts/mysqld_multi.sh.orig	2005-11-15 01:12:46.000000000 +0100
-+++ new/scripts/mysqld_multi.sh	2005-11-22 00:17:41.355081671 +0100
-@@ -730,6 +730,9 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqld_multi.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqld_multi.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqld_multi.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqld_multi.sh	2009-07-10 17:24:50.000000000 -0400
+@@ -675,6 +675,9 @@
  mysqladmin = /path/to/mysqladmin/mysqladmin
  socket     = /tmp/mysql.sock3
  port       = 3308
@@ -93,21 +169,9 @@
  pid-file   = @localstatedir at 3/hostname.pid3
  datadir    = @localstatedir at 3
  language   = @datadir@/mysql/swedish
---- old/scripts/mysql_fix_privilege_tables.sh.orig	2005-11-15 01:12:47.000000000 +0100
-+++ new/scripts/mysql_fix_privilege_tables.sh	2005-11-22 00:17:41.357081628 +0100
-@@ -33,6 +33,10 @@
- 
- case "$1" in
-     --no-defaults|--defaults-file=*|--defaults-extra-file=*)
-+#
-+# WARNING: Providing a password on command line is insecure as it is visible
-+# through /proc to anyone for a short time.
-+#
-       defaults="$1"; shift
-       ;;
- esac
---- old/scripts/mysqlhotcopy.sh.orig	2005-11-15 01:12:47.000000000 +0100
-+++ new/scripts/mysqlhotcopy.sh	2005-11-22 00:17:41.358081607 +0100
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlhotcopy.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlhotcopy.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlhotcopy.sh	2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlhotcopy.sh	2009-07-10 17:26:06.000000000 -0400
 @@ -32,6 +32,7 @@
  
    mysqlhotcopy --method='scp -Bq -i /usr/home/foo/.ssh/identity' --user=root --password=secretpassword \
@@ -123,12 +187,12 @@
 +                       WARNING: Providing a password on command line is
 +                       insecure as it is visible through /proc to anyone
 +                       for a short time.
-   -h, --host=#         Hostname for local server when connecting over TCP/IP
+   -h, --host=#         hostname for local server when connecting over TCP/IP
    -P, --port=#         port to use when connecting to local server with TCP/IP
    -S, --socket=#       socket to use when connecting to local server
-@@ -1025,6 +1029,9 @@
+@@ -961,6 +965,9 @@
  one of the config files, normally /etc/my.cnf or your personal ~/.my.cnf.
- (See the chapter 'my.cnf Option Files' in the manual)
+ (See the chapter 'my.cnf Option Files' in the manual.)
  
 +WARNING: Providing a password on command line is insecure as it is visible
 +through /proc to anyone for a short time.
@@ -136,56 +200,3 @@
  =item -h, -h, --host=#
  
  Hostname for local server when connecting over TCP/IP.  By specifying this
---- old/scripts/mysql_setpermission.sh.orig	2005-11-15 01:12:30.000000000 +0100
-+++ new/scripts/mysql_setpermission.sh	2005-11-22 00:17:41.359081585 +0100
-@@ -647,6 +647,9 @@
- 
- --user		: is the username to connect with.
- --password	: the password of the username.
-+                  WARNING: Providing a password on command line is
-+                  insecure as it is visible through /proc to anyone
-+                  for a short time.
- --host		: the host to connect to.
- --socket	: the socket to connect to.
- --port		: the port number of the host to connect to.
---- old/scripts/mysql_tableinfo.sh.orig	2005-11-15 01:12:32.000000000 +0100
-+++ new/scripts/mysql_tableinfo.sh	2005-11-22 00:17:41.360081564 +0100
-@@ -462,6 +462,8 @@
- =item -p, --password=#     
- 
- password to use when connecting to server
-+WARNING: Providing a password on command line is insecure as it is visible
-+through /proc to anyone for a short time.
- 
- =item -h, --host=#     
- 
---- old/scripts/mysql_explain_log.sh	2007-02-20 18:49:37.000000000 +0100
-+++ new/scripts/mysql_explain_log.sh	2007-03-22 22:32:26.000000000 +0100
-@@ -341,6 +341,9 @@
-     The MySQL username to use when connecting to the server
- --password=PASSWORD, -p=PASSWORD
-     The password to use when connecting to the server
-+    WARNING: Providing a password on command line is
-+    insecure as it is visible through /proc to anyone
-+    for a short time.
- --socket=SOCKET, -s=SOCKET
-     The socket file to use when connecting to the server
- --printerror=1, -e 1
-@@ -379,7 +382,7 @@
- 
- =head1 USAGE
- 
--mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw] [--socket=/path/to/socket] [--printerror=1] < logfile
-+mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw (INSECURE)] [--socket=/path/to/socket] [--printerror=1] < logfile
- 
- --help, -h
-     Display this help message
-@@ -391,6 +394,8 @@
-     The MySQL username to use when connecting to the server
- --password=PASSWORD, -p=PASSWORD
-     The password to use when connecting to the server
-+    WARNING: Providing a password on command line is insecure
-+    as it is visible through /proc to anyone for a short time.
- --socket=SOCKET, -s=SOCKET
-     The socket file to use when connecting to the server
- --printerror=1, -e 1



More information about the pkg-mysql-maint mailing list