Bug 1088197 (CVE-2014-2440)
| Summary: | CVE-2014-2440 mysql: unspecified vulnerability related to Client (CPU April 2014) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | angelo.alvarez, byte, carnil, databases-maint, hhorak, jdornak, jkurik, jstanek, kvolny, mmaslano, nparmar, pfrields |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-12 09:18:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1088232, 1088234, 1089202, 1089203, 1089209, 1089366, 1092145, 1093372, 1101062, 1101063 | ||
| Bug Blocks: | 1088219 | ||
| Attachments: | |||
|
Description
Huzaifa S. Sidhpurwala
2014-04-16 08:36:45 UTC
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1088234] Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1088232] mariadb-5.5.37-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. community-mysql-5.5.37-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. mariadb-5.5.37-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. community-mysql-5.5.37-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Created attachment 893579 [details]
diff between 5.5.36 and 5.5.37
Created attachment 893590 [details]
diff between 5.5.35 and 5.5.36
This issue corresponds to the following statement in the mysql-5.5.37 release notes at: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-37.html "While printing the server version, the mysql client did not check for buffer overflow in a string variable. (Bug #18186103)" This matches the commit string: "diff 7462 2014-02-12 12:13:19.0 Vamsikrishna Bhagi <vamsikrishna.bhagi> Bug #18186103 BUFFER OVERFLOW IN CLIENT" from: http://code.metager.de/source/diff/mysql-server/client/mysql.cc?r2=/mysql-server/client/mysql.cc@7462&r1=/mysql-server/client/mysql.cc@7341 Looking at both the patches attached to this bug, it seems the actual issue was addressed in 5.5.36, where sprintf was replaced with snprintf (actually my_snprintf which is supposed to be a "Portable and limited vsnprintf() implementation"). Later in 5.5.37 the idea of using my_snprintf was scraped in favour of using the system glibc implementation. In the version of mysql as shipped with Red Hat Enterprise Linux 6 (mysql-5.1), my_snprintf() is already used which is enough to mitigate the buffer overflow vulnerability. Therefore it is not affected by this flaw. (In reply to Huzaifa S. Sidhpurwala from comment #12) > "While printing the server version, the mysql client did not check for > buffer overflow in a string variable. (Bug #18186103)" That change is already know under different CVE - CVE-2014-0001, see bug 1054592. If Oracle assigned CVE-2014-2440 is for the same issue, it is a duplicate assignment that should be rejected. See bug 1054592 comment 23 for proper MySQL upstream commit link. > In the version of mysql as shipped with Red Hat Enterprise Linux 6 > (mysql-5.1), my_snprintf() is already used which is enough to mitigate the > buffer overflow vulnerability. Therefore it is not affected by this flaw. CVE-2014-0001 was fixed in Red Hat Enterprise Linux 6 mysql packages via RHSA-2014:0164. (In reply to Huzaifa S. Sidhpurwala from comment #12) > Looking at both the patches attached to this bug, it seems the actual issue > was addressed in 5.5.36, where sprintf was replaced with snprintf (actually > my_snprintf which is supposed to be a "Portable and limited vsnprintf() > implementation"). Later in 5.5.37 the idea of using my_snprintf was scraped > in favour of using the system glibc implementation. Diffs in comment 10 and comment 11 were between Red Hat shipped MySQL packages. Red Hat MySQL 5.5.36 packages included additional patch for CVE-2014-0001 based on patch applied to MariaDB (see bug 1054592 comment 12), which replaced sprintf with my_snprintf. MySQL upstream applied the fix in version 5.5.37 and used snprintf rather than MySQL specific my_snprintf to avoid buffer overflow (see bug 1054592 comment 23). Created attachment 894542 [details]
mysql upstream tarball diffs between 5.5.36 and 5.5.37
Created attachment 894544 [details]
mariadb upstream tarball diffs between 5.5.36 and 5.5.37
Attached upstream tarball diffs between mysql 5.5.36 and 5.5.37 and mariadb 5.5.36 and 5.5.37. mysql tarball diffs correspond to the issue fixed via CVE-2014-0001 (though in slightly different way). This actually leads me to believe that this CVE is a duplicate of CVE-2014-0001. mariadb-galera-5.5.37-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0522 https://rhn.redhat.com/errata/RHSA-2014-0522.html When will mysql55-mysql-5.5.36-2.el5 be patched for the vulnerabiltiy? Comments above indicate that this CVE is likely to be duplicate of CVE-2014-0001, which was already fixed in mysql55-mysql (RHSA-2014:0186). This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0537 https://rhn.redhat.com/errata/RHSA-2014-0537.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2014:0536 https://rhn.redhat.com/errata/RHSA-2014-0536.html This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0702 https://rhn.redhat.com/errata/RHSA-2014-0702.html This flaw is a duplicate of CVE-2014-0001. It was addressed in Red Hat Enterprise Linux 5 via RHSA-2014:0186 (mysql55-mysql) Oracle has confirmed that this CVE really is a duplicate of CVE-2014-0001, as was speculated in the comments above: http://seclists.org/oss-sec/2014/q3/579 The CPU page is now updated to note this information: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL The following is used as a note for CVE-2014-2440: CVE-2014-2440 is equivalent to CVE-2014-0001. *** This bug has been marked as a duplicate of bug 1054592 *** Statement: This flaw was found to be a duplicate of CVE-2014-0001. Please see https://access.redhat.com/security/cve/CVE-2014-0001 for information about affected products and security errata. |