Bug 1054592 (CVE-2014-0001)

Summary: CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string
Product: [Other] Security Response
Reporter: Garth Mollett <gmollett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: byte, databases-maint, drieden, hhorak, huzaifas, jdornak, jkurik, jorton, jstanek, kurt, kvolny, mayank25080562, mmaslano, nobody+bgollahe, pfrields, sardella, security-response-team, tdawson, tkramer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-24 05:03:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1054041, 1055875, 1055876, 1055880, 1055882, 1055883, 1055884, 1056457, 1059545, 1059546    
Bug Blocks: 1054621, 1088219    
Attachments:
Description Flags
proposed fix none

Description Garth Mollett 2014-01-17 05:39:44 UTC
The MySQL client in both MySQL and MariaDB contains a buffer overflow when reading the server version information.

This may be exploited by connecting to a malicious/compromised db server or by a MITM, and potentially allows execution of arbitrary code as the user running the client.

Comment 9 Honza Horak 2014-01-22 19:05:24 UTC
Created attachment 854008 [details]
proposed fix

This fix is really simple: just check the buffer size properly.

Comment 11 Tomas Hoger 2014-01-29 08:28:02 UTC
Note that this issue affects mysql, the command-line tool / SQL shell, not the libmysqlclient library.

Comment 12 Huzaifa S. Sidhpurwala 2014-01-30 06:30:30 UTC
This issue is now public via:

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64

Comment 13 Huzaifa S. Sidhpurwala 2014-01-30 06:31:40 UTC
This issue affects the version of mysql55-mysql as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of mysql as shipped with Red Hat Enterprise Linux 6.

Comment 15 Huzaifa S. Sidhpurwala 2014-01-30 06:35:48 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1059546]

Comment 16 Huzaifa S. Sidhpurwala 2014-01-30 06:35:52 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1059545]

Comment 17 Murray McAllister 2014-02-04 22:43:16 UTC
Acknowledgements:

This issue was discovered by Garth Mollett of the Red Hat Security Response Team.

Comment 18 Karel Volný 2014-02-10 15:54:15 UTC
*** Bug 1063398 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2014-02-12 18:24:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0164 https://rhn.redhat.com/errata/RHSA-2014-0164.html

Comment 20 errata-xmlrpc 2014-02-13 18:38:08 UTC
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0173 https://rhn.redhat.com/errata/RHSA-2014-0173.html

Comment 21 errata-xmlrpc 2014-02-18 17:57:07 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0186 https://rhn.redhat.com/errata/RHSA-2014-0186.html

Comment 22 errata-xmlrpc 2014-02-19 18:47:10 UTC
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0189 https://rhn.redhat.com/errata/RHSA-2014-0189.html

Comment 23 Tomas Hoger 2014-05-09 08:15:08 UTC
MySQL upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4601

Comment 24 Tomas Hoger 2014-05-13 17:23:03 UTC
This issue did not affect MySQL 5.0.  While those versions have the relevant sprintf() call, there is a difference in the length of the version string returned by the server_version_string() function.

In versions before 5.1.34, the buffer used to store the server version string returned by server_version_string() was static, with a length of 128.  The buffer glob_buffer to which sprintf prints the connection info was allocated with a size of 512, hence sprintf could not overflow it, and a long version string presented by the server would be printed truncated.

The server_version_string() function was changed in version 5.1.34 to avoid the problem with truncation of long version strings.  The function was modified to dynamically allocate a buffer for the version string, possibly longer than the glob_buffer size of 512.  Hence this security flaw was introduced.

Upstream bug, upstream commit, and release notes related to the server_version_string() change in 5.1.34 that introduced this issue:

http://bugs.mysql.com/bug.php?id=43153
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/2728.10.6
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-34.html
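As an added illustration of the mechanism described in comment 24 (constructed here, not code from the bug, the proposed fix, or MySQL/MariaDB), the following C models the three buffer shapes involved: the unbounded sprintf() into a 512-byte buffer, the bounded replacement that "checks buffer size properly", and the pre-5.1.34 static 128-byte version buffer that kept the formatted line from ever exceeding 512 bytes. All function names, the format string, and the sizes are assumptions taken from the comment's description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration; not the mysql client's own code. */
#define GLOB_BUFFER_SIZE 512      /* fixed glob_buffer size named in comment 24 */
#define LEGACY_VERSION_SIZE 128   /* static version buffer before 5.1.34 */
#define FORMAT "Server version:\t\t%s\n"  /* assumed connection-info format */

static char glob_buffer[GLOB_BUFFER_SIZE];

/* Vulnerable shape: sprintf() cannot know how large glob_buffer is, so a
 * server-supplied version string longer than the buffer writes past its end.
 * Kept only for comparison; nothing in this file calls it. */
void format_connection_info_unsafe(const char *server_version)
{
    sprintf(glob_buffer, FORMAT, server_version);
}

/* Hardened shape: bound the write to the buffer and report truncation so the
 * caller can decide what to do with an over-long server version string. */
bool format_connection_info_safe(const char *server_version)
{
    int n = snprintf(glob_buffer, sizeof glob_buffer, FORMAT, server_version);
    return n >= 0 && (size_t)n < sizeof glob_buffer;   /* false: truncated */
}

/* Pre-5.1.34 behaviour: the version string lived in a static 128-byte buffer,
 * so 17 bytes of label + at most 127 bytes of version + newline < 512. */
const char *legacy_version_copy(const char *server_version)
{
    static char legacy[LEGACY_VERSION_SIZE];
    snprintf(legacy, sizeof legacy, "%s", server_version);
    return legacy;
}

/* Constructed hostile input: a 600-byte "version" string, well beyond 512. */
const char *constructed_long_version(void)
{
    static char buf[601];
    memset(buf, 'A', 600);
    buf[600] = '\0';
    return buf;
}
```

The safe formatter returns false for the constructed 600-byte string and leaves glob_buffer NUL-terminated at 511 characters, while the same string routed through the legacy 128-byte copy formats without truncation, which is why MySQL 5.0 was not affected.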

Comment 25 Tomas Hoger 2014-09-12 09:18:47 UTC
*** Bug 1088197 has been marked as a duplicate of this bug. ***