Bug 592086 (CVE-2010-1849)

| Summary: | CVE-2010-1849 mysql: over-sized packet denial of service vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | bressers, byte, hhorak, tgl |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-05-30 14:59:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 590598, 592862 | | |
| Bug Blocks: | | | |
Description
Vincent Danen
2010-05-13 19:55:46 UTC
Following commits in 5.0 and 5.1 refer to the upstream bug:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2860
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/1810.3987.14

A few notes on this issue:

- The indefinite read mentioned in the upstream release notes seems to refer to my_net_skip_rest() (which is not called in certain cases with the patch applied). Additional packets are read there only if the packet has the maximum possible length, MAX_PACKET_LENGTH (0xffffff). This requires an attacker to keep sending a continuous stream of such long packets. Additionally, connect_timeout still seems to cause an unauthenticated connection to be dropped as expected.
- The change the upstream commits add to sql_parse.cc is for check_user(), which can be found in sql_connect.cc in older mysql versions.

This issue does not affect mysql version 3.23.x in RHEL3, as my_net_skip_rest() cannot be called there. my_real_read() contains:

```c
for (i=0 ; i < 2 ; i++)
{
  ...
  if (i == 0)
  {
    ...
    if (i == 1)
      my_net_skip_rest(net, len, &alarmed, &alarm_buff);
  }
}
```

(some code / nesting removed)

mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12

mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13

mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11

mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
More upstream information now that the CVE is public:

http://lists.mysql.com/commits/106060

The upstream bug is also public now.

(In reply to comment #15)
> More upstream information now that the CVE is public:
>
> http://lists.mysql.com/commits/106060

Note that this patch seems to be a change that was originally proposed as a fix for this issue, but this idea was later abandoned and the fix linked in comment #1 is what got used in the released updates.

This issue is also often incorrectly described in various vulnerability databases or advisories. The impact of this flaw is quite limited. An attacker can connect to mysqld and send certain specially-crafted packets that cause the server to read more data from the attacker until connect_timeout (default is 10s) is hit. After that timeout, the connection is closed by the server. This can have some impact on CPU / network bandwidth usage, but a similar effect can be achieved by repeatedly opening new connections and sending smaller packets that require more CPU time to be processed (e.g. well-formed authentication requests with incorrect credentials).

In the case of these oversized packets, mysqld only reads data off the network in chunks into a buffer of limited size (net_buffer_length, or 16384 by default, possibly up to max_allowed_packet, or 1048576; those parameters are configurable) and does no further processing on the data read. The next data chunk overwrites the previously read one. This does not cause the server to allocate an excessive amount of memory as some advisories suggest.

Due to the limited impact of this issue, there's no plan to address this in mysql updates for Red Hat Enterprise Linux 3 and 4. Future mysql rebases may introduce this fix in Red Hat Enterprise Linux 5. Future product versions based on fixed upstream versions will have this fix included too.
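The comment above describes the mechanics behind this flaw: a client packet whose 3-byte length field holds MAX_PACKET_LENGTH (0xffffff) tells the server that a further fragment follows, and the server keeps draining such fragments into a bounded buffer until connect_timeout expires. The following is an added illustration written for this page, not MySQL's code and not the upstream fix: a small reader for that packet framing which decides from the header alone, before consuming any body bytes, whether the logical packet would exceed max_allowed_packet. It assumes the standard MySQL framing (3-byte little-endian payload length, 1-byte sequence id, 0xffffff continuation rule) and the 1048576-byte max_allowed_packet default quoted in the comment; read_logical_packet, parse_sample, SAMPLE_PING and SAMPLE_OVERSIZED are hypothetical names, and the two sample inputs are constructed, not captured traffic.

```c
/* Added illustration (not MySQL's code): a bounded reader for the MySQL
 * client/server packet framing. Each packet carries a 3-byte little-endian
 * payload length and a 1-byte sequence id; a payload length of 0xffffff
 * (MAX_PACKET_LENGTH) means another fragment follows. The reader refuses a
 * logical packet as soon as its declared size would exceed max_allowed_packet,
 * instead of draining fragments first. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PACKET_LENGTH 0xffffffu

enum pkt_status {
    PKT_OK = 0,        /* one complete logical packet copied to out */
    PKT_TRUNCATED = 1, /* stream ended before the declared bytes arrived */
    PKT_TOO_LARGE = 2, /* declared size exceeds max_allowed_packet */
    PKT_BAD_SEQ = 3    /* fragment sequence ids are not consecutive */
};

/* Hypothetical helper, not a MySQL API. `out` must hold max_allowed_packet
 * bytes. On PKT_OK, *out_len is the reassembled payload length and *consumed
 * the number of stream bytes used (headers included). */
enum pkt_status read_logical_packet(const uint8_t *stream, size_t stream_len,
                                    size_t max_allowed_packet,
                                    uint8_t *out, size_t *out_len,
                                    size_t *consumed)
{
    size_t pos = 0, total = 0;
    uint8_t expect_seq = 0;

    for (;;) {
        if (stream_len - pos < 4)
            return PKT_TRUNCATED;
        uint32_t len = (uint32_t)stream[pos]
                     | (uint32_t)stream[pos + 1] << 8
                     | (uint32_t)stream[pos + 2] << 16;
        uint8_t seq = stream[pos + 3];
        pos += 4;

        if (seq != expect_seq)
            return PKT_BAD_SEQ;
        expect_seq++;

        /* Decide from the header, before touching the body: a peer that
         * advertises 0xffffff fragments beyond the limit is refused here. */
        if (len > max_allowed_packet - total)
            return PKT_TOO_LARGE;
        if (stream_len - pos < len)
            return PKT_TRUNCATED;

        memcpy(out + total, stream + pos, len);
        total += len;
        pos += len;

        if (len != MAX_PACKET_LENGTH)
            break; /* a fragment shorter than the maximum ends the packet */
    }
    *out_len = total;
    *consumed = pos;
    return PKT_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_PING[] = { 0x01, 0x00, 0x00, 0x00, 0x0e };  /* COM_PING, 1-byte payload */
static const uint8_t SAMPLE_OVERSIZED[] = { 0xff, 0xff, 0xff, 0x00 };   /* header claims a full 0xffffff fragment */

/* Parse one sample with the 1048576-byte default limit named on the page. */
static enum pkt_status parse_sample(const uint8_t *stream, size_t stream_len,
                                    size_t *out_len, size_t *consumed)
{
    static uint8_t out[1048576];
    return read_logical_packet(stream, stream_len, sizeof out, out, out_len, consumed);
}

int main(void)
{
    size_t out_len = 0, consumed = 0;
    enum pkt_status s = parse_sample(SAMPLE_PING, sizeof SAMPLE_PING, &out_len, &consumed);
    printf("ping: status=%d payload=%zu consumed=%zu\n", (int)s, out_len, consumed);

    s = parse_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &out_len, &consumed);
    printf("oversized: status=%d (refused from the header alone)\n", (int)s);
    return 0;
}
```

The point of the header-first check is the one the comment makes about impact: the cost of an over-sized packet is bounded by how long the server is willing to keep reading, so a reader that rejects on the declared length spends nothing on the body, while the behaviour described above (draining into a fixed buffer until connect_timeout) bounds memory but still spends CPU and bandwidth for the length of the timeout.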
RHSA-2012:0127 updated mysql packages in Red Hat Enterprise Linux 5 to version 5.0.95, which includes this fix:

https://rhn.redhat.com/errata/RHSA-2012-0127.html

Statement:

This issue was fixed in mysql packages shipped with Red Hat Enterprise Linux 5 via RHSA-2012:0127. The mysql packages in Red Hat Enterprise Linux 6 include this fix since the initial release of the product.