Bug 529321 (CVE-2009-2942)

Summary: CVE-2009-2942 ocaml-mysql: Missing escape function (DSA-1910-1)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rjones
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.debian.org/security/2009/dsa-1910
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-16 10:55:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Local copy of relevant bits from ocaml-mysql-CVE-2009-2942-lenny.patch none

Description Jan Lieskovsky 2009-10-16 08:26:24 UTC
Quoting Debian Security Advisory for mysql-ocaml:
-------------------------------------------------

It was discovered that mysql-ocaml, OCaml bindings for MySql, was
missing a function to call mysql_real_escape_string(). This is needed,
because mysql_real_escape_string() honours the charset of the connection
and prevents insufficient escaping, when certain multibyte character
encodings are used. The added function is called real_escape() and
takes the established database connection as a first argument. The old
escape_string() was kept for backwards compatibility.

References:
-----------
http://www.debian.org/security/2009/dsa-1910

Debian patch for Lenny:
-----------------------
http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4-4+lenny1.diff.gz

Comment 1 Jan Lieskovsky 2009-10-16 08:27:39 UTC
This issue affects the version of ocaml-mysql package, as shipped
with Fedora releases of 10 and 11.

Please fix.

Comment 2 Jan Lieskovsky 2009-10-16 08:32:12 UTC
Created attachment 365024 [details]
Local copy of relevant bits from ocaml-mysql-CVE-2009-2942-lenny.patch

Comment 3 Richard W.M. Jones 2009-10-16 10:55:57 UTC
Built for dist-f13, F12, F11, F10.

Same problem as before associating this BZ with the
update:

$ make update
[...]
Creating a new update for  ocaml-mysql-1.0.4-8.fc11.1 
Password for rjones: 
Creating a new update for  ocaml-mysql-1.0.4-8.fc11.1 
Update successfully created. Unable to access one or more bugs: <Fault 411: 'Password Expired'>
================================================================================
     ocaml-mysql-1.0.4-8.fc11.1
================================================================================
    Release: Fedora 11
     Status: pending
       Type: security
      Karma: 0
    Request: testing
      Notes: Patch for CVE 2009-2942 Missing escape function (RHBZ#529321).
  Submitter: rjones
  Submitted: 2009-10-16 10:54:54

  https://admin.fedoraproject.org/updates/ocaml-mysql-1.0.4-8.fc11.1

Comment 4 Tomas Hoger 2009-10-16 11:13:52 UTC
(In reply to comment #3)
> Unable to access one or more bugs: <Fault 411: 'Password Expired'>

https://fedorahosted.org/fedora-infrastructure/ticket/1737

Comment 5 Fedora Update System 2009-11-10 17:45:27 UTC
ocaml-mysql-1.0.4-3.fc10.1 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-11-10 17:55:12 UTC
ocaml-mysql-1.0.4-8.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.