Released on 23 Jun 2010
MySQL 5.1.46sp1 Changelog

This is a Service Pack release of the MySQL Enterprise Server 5.1.


If you intend to use the plugin version of InnoDB, we recommend that you use MySQL 5.1.48 or later instead of 5.1.46sp1. This is because 5.1.46sp1 contains the first production-ready version of the plugin, and the later version has fixes for some of the bugs found during more widespread production use.

Bugs Fixed

  • Security Fix: The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.

    In MySQL 5.0 and above, this permitted an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.

    Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug #53371, CVE-2010-1848)

  • Security Fix: The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. Sending long data for the table name overflowed a buffer, which could be exploited by an authenticated user to inject malicious code. (Bug #53237, CVE-2010-1850)

  • Security Fix: The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug #50974, CVE-2010-1849)

  • InnoDB: InnoDB page splitting could enter an infinite loop for compressed tables. (Bug #52964)

  • InnoDB: InnoDB attempted to choose off-page storage without ensuring that there was an off-page storage flag in the record header. To correct this, in DYNAMIC and COMPRESSED formats, InnoDB stores locally any non-BLOB columns having a maximum length not exceeding 256 bytes. This is because there is no room for the external storage flag when the maximum length is 255 bytes or less. This restriction trivially holds in REDUNDANT and COMPACT formats, because there InnoDB always stores locally columns having a length up to local_len = 788 bytes. (Bug #52745)

  • MySQL incorrectly processed ALTER DATABASE `#mysql50#special` UPGRADE DATA DIRECTORY NAME where special was ., .., or a sequence starting with ./ or ../. It used the server data directory (which contains other regular databases) as the database directory. (Bug #53804, CVE-2010-2008)

  • A syntactically invalid trigger could cause the server to crash when trying to list triggers. (Bug #50755)

  • Selecting from INFORMATION_SCHEMA.ROUTINES or INFORMATION_SCHEMA.PARAMETERS resulted in a memory leak. (Bug #48729)

  • EXPLAIN could cause a server crash for some queries with subqueries. (Bug #48419)
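
The two COM_FIELD_LIST fixes above (Bug #53371 and Bug #53237) both come down to checking the table name argument before using it. The C code below is an added example, not code from MySQL: it parses a COM_FIELD_LIST payload (command byte 0x04, NUL-terminated table name, then the field wildcard) and applies a bounds check and a validity check before copying the name. The function name parse_field_list, the 64-byte limit and the character allow-list are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define COM_FIELD_LIST 0x04   /* command byte in the MySQL client/server protocol */
#define MAX_TABLE_NAME 64     /* assumed length limit for this example */

enum fl_status { FL_OK = 0, FL_NOT_FIELD_LIST, FL_UNTERMINATED,
                 FL_EMPTY, FL_TOO_LONG, FL_BAD_CHAR };

/* Assumed allow-list policy: letters, digits, '_' and '$' only. */
static int name_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '$';
}

/*
 * Hypothetical helper: validate the table name in a COM_FIELD_LIST payload
 * and copy it into out only after every check has passed.
 */
enum fl_status parse_field_list(const unsigned char *pkt, size_t pkt_len,
                                char *out, size_t out_size)
{
    if (pkt_len < 1 || pkt[0] != COM_FIELD_LIST)
        return FL_NOT_FIELD_LIST;

    /* Look for the terminator inside the packet only, never past its end. */
    const unsigned char *name = pkt + 1;
    const unsigned char *nul = memchr(name, '\0', pkt_len - 1);
    if (nul == NULL)
        return FL_UNTERMINATED;

    size_t name_len = (size_t)(nul - name);
    if (name_len == 0)
        return FL_EMPTY;
    /* Bounds check before any copy: name limit and the caller's buffer. */
    if (name_len > MAX_TABLE_NAME || name_len >= out_size)
        return FL_TOO_LONG;

    /* Validity check: reject anything outside the allow-list. */
    for (size_t i = 0; i < name_len; i++)
        if (!name_char_ok(name[i]))
            return FL_BAD_CHAR;

    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return FL_OK;
}
```

The allow-list is deliberately stricter than what MySQL accepts for quoted identifiers; the point is that length and content are both checked before the name reaches any buffer or lookup.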