Bug 188213

Summary: CVE-2006-0903 Mysql multiple vulnerabilities (
Product: [Retired] Fedora Legacy Reporter: David Eisenstein <deisenst>
Component: mysqlAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: byte
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/19034
Whiteboard: impact=important, LEGACY, rhl73, rhl90, 1, 2, 3
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-23 05:10:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 194613    

Description David Eisenstein 2006-04-07 01:02:32 UTC
+++ This bug was initially created as a clone of Bug #183261 +++

Mysql log file obfuscation

http://secunia.com/advisories/19034

The following text is from tgl:

Yeah, problem confirmed locally: the query log message is truncated,

060227 11:15:47       6 Connect     root@localhost on test
6 Query       /* x */ select 2+2
6 Quit
060227 11:16:24       7 Connect     root@localhost on test
7 Query       /*
7 Quit

The report is perhaps deliberately obscure: you can *not* exploit this
through mysql_query() because it expects a null-terminated string
anyway.  But you can exploit it through mysql_real_query() which takes
a pointer and count.

I'd class the severity as pretty low, since all it allows is hiding
some traces of an attack after the attacker has already broken into
the database.  But since MySQL make a point of how mysql_real_query()
supports embedded nulls in the query string, it's certainly a bug.


-- Additional comment from bressers on 2006-02-27 15:20 EST --
attachment 125344 [details] is a testcase from tgl:

    I've attached a test case.	Start the server with query logging enabled
    (easiest way is to modify the init script to add "--log" to the
    mysqld_safe command line), run program, look at log file.

Comment 1 David Eisenstein 2006-04-07 02:41:24 UTC
CVE-2006-0903 - "MySQL 5.0.18 and earlier allows local users to bypass
logging mechanisms via SQL queries that contain the NULL character,
which are not properly handled by the mysql_real_query function. NOTE:
this issue was originally reported for the mysql_query function, but
the vendor states that since mysql_query expects a null character, this
is not an issue for mysql_query."

This bug (apparently) affects mysql in RHL 7.3, RHL 9, FC1, FC2 and FC3.

  Distro     Package
  ------     --------------------
  RHL 7.3    mysql-3.23.58-1.73.9.legacy
  RHL 9      mysql-3.23.58-1.90.10.legacy
  FC1        mysql-3.23.58-4.7.legacy
  FC2        mysql-3.23.58-16.FC2.4.legacy
  FC3        mysql-3.23.58-16.FC3.1

References:
   * Mysql Bug # 17667:  <http://bugs.mysql.com/bug.php?id=17667>
   * Bugtraq ID 16850:   <http://www.securityfocus.com/bid/16850>
   * Secunia # 19034:    <http://secunia.com/advisories/19034>

Mandriva has issued patched packages for mysql-4.x.x in their advisory
<http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:064>.  I
am not aware of any patches yet for mysql-3.23.58, though I suspect Red
Hat will create some for their RHEL 2.1 & RHEL 3 distros.

Comment 2 David Eisenstein 2006-06-14 16:49:55 UTC
Red Hat just issued RHSA-2006-0544, 
<http://rhn.redhat.com/errata/RHSA-2006-0544.html>, for RHEL 4.  Not sure this
announcement is relevant for Legacy, as all distros <= FC3 seem to still be
running mysql-3, and this is for mysql-4.  Hopefully, RHSA's for RHEL 3 and
RHEL 2.1 will shortly follow.

"Updated mysql packages that fix multiple security flaws are now available.

"This update has been rated as having important security impact by the Red Hat
Security Response Team.

"MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld) and
many different client programs and libraries.

"A flaw was found in the way the MySQL mysql_real_escape() function escaped
strings when operating in a multibyte character encoding. An attacker
could provide an application a carefully crafted string containing
invalidly-encoded characters which may be improperly escaped, leading to
the injection of malicious SQL commands. (CVE-2006-2753)

"An information disclosure flaw was found in the way the MySQL server
processed malformed usernames. An attacker could view a small portion
of server memory by supplying an anonymous login username which was not
null terminated. (CVE-2006-1516)

"An information disclosure flaw was found in the way the MySQL server
executed the COM_TABLE_DUMP command. An authenticated malicious user could
send a specially crafted packet to the MySQL server which returned
random unallocated memory. (CVE-2006-1517)

"A log file obfuscation flaw was found in the way the mysql_real_query()
function creates log file entries. An attacker with the the ability to call
the mysql_real_query() function against a mysql server can obfuscate the
entry the server will write to the log file. However, an attacker needed
to have complete control over a server in order to attempt this attack.
(CVE-2006-0903)

"This update also fixes numerous non-security-related flaws, such as
intermittent authentication failures.

"All users of mysql are advised to upgrade to these updated packages
containing MySQL version 4.1.20, which is not vulnerable to these issues."


Comment 3 David Eisenstein 2007-08-23 05:10:03 UTC
Fedora Legacy is no longer an active project.  Closing.