Bug 592091 (CVE-2010-1850)

Summary: CVE-2010-1850 mysql: COM_FIELD_LIST table name buffer overflow
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: byte, kvolny, tgl
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-09 11:52:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 590598, 592862, 592874, 592875, 833942
Bug Blocks:
Attachments:
  Patch backported to 5.0.77, EL5 (flags: none)

Description Vincent Danen 2010-05-13 20:01:56 UTC
The upcoming MySQL 5.1.47 [1] and 5.0.91 [2] releases indicate a fix for the following issue, which has been assigned CVE-2010-1850.  Currently the bug report [3] is not public.

The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code. (Bug#53237, CVE-2010-1850)

Without access to the upstream bug, it is difficult to determine if this would also affect older 4.x releases.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
[3] http://bugs.mysql.com/bug.php?id=53237
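As an added example (not MySQL's code and not the backported patch attached to this bug), the C parser below performs the table-name bounds check that the release note says was missing from the COM_FIELD_LIST handler. The payload layout (command byte, NUL-terminated table name, field wildcard running to the end of the packet) follows the MySQL client/server protocol; the NAME_LEN value of 64 and the sample packets built by probe() are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COM_FIELD_LIST 0x04
#define NAME_LEN 64   /* assumed table-name limit for this example */

enum flist_status { FLIST_OK = 0, FLIST_BAD_COMMAND, FLIST_UNTERMINATED,
                    FLIST_NAME_TOO_LONG };

struct field_list_req {
    char table[NAME_LEN + 1]; /* fixed-size buffer that must be guarded */
    size_t wild_off;          /* offset of the field wildcard in the packet */
    size_t wild_len;          /* wildcard runs to the end of the packet */
};

/* Payload layout: command byte, NUL-terminated table name, wildcard to EOF.
 * The vulnerable pattern copied the name before checking its length; here
 * the length is checked first and table[] is untouched on any error. */
enum flist_status parse_field_list(const uint8_t *pkt, size_t len,
                                   struct field_list_req *req)
{
    if (len < 1 || pkt[0] != COM_FIELD_LIST) return FLIST_BAD_COMMAND;
    const uint8_t *name = pkt + 1;
    size_t avail = len - 1;
    const uint8_t *nul = memchr(name, '\0', avail); /* bounded scan */
    if (nul == NULL) return FLIST_UNTERMINATED;
    size_t name_len = (size_t)(nul - name);
    if (name_len > NAME_LEN) return FLIST_NAME_TOO_LONG;
    memcpy(req->table, name, name_len);
    req->table[name_len] = '\0';
    req->wild_off = 1 + name_len + 1;
    req->wild_len = len - req->wild_off;
    return FLIST_OK;
}

/* Constructed sample packet: n-byte table name of 't', wildcard "%". */
static struct field_list_req last_req;
static enum flist_status probe(size_t n)
{
    uint8_t pkt[1 + 300 + 2];
    if (n > 300) return FLIST_BAD_COMMAND;
    pkt[0] = COM_FIELD_LIST;
    memset(pkt + 1, 't', n);
    pkt[1 + n] = '\0';
    pkt[2 + n] = '%';
    return parse_field_list(pkt, 3 + n, &last_req);
}
```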

Comment 5 Tomas Hoger 2010-05-20 13:11:35 UTC
Created attachment 415406
Patch backported to 5.0.77, EL5

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2859

Comment 6 Tomas Hoger 2010-05-20 15:00:37 UTC
Statement:

These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, or 4.

Comment 7 Fedora Update System 2010-05-24 23:31:42 UTC
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12

Comment 8 Fedora Update System 2010-05-24 23:32:04 UTC
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13

Comment 9 Fedora Update System 2010-05-24 23:32:24 UTC
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11

Comment 12 errata-xmlrpc 2010-05-26 14:57:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html

Comment 13 Fedora Update System 2010-06-07 22:27:52 UTC
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-06-07 22:30:24 UTC
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-06-07 22:31:48 UTC
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.