Bug 614214 (CVE-2010-2008)

Summary: CVE-2010-2008 mysql: remote authenticated DoS via ALTER DATABASE
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: byte, kvolny, tgl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-14 17:33:17 UTC
Bug Depends On: 614215, 614216

Description Vincent Danen 2010-07-13 21:27:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2008 to
the following vulnerability:

Name: CVE-2010-2008
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2008
Assigned: 20100521
Reference: CONFIRM: http://bugs.mysql.com/bug.php?id=53804
Reference: CONFIRM: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html
Reference: BID:41198
Reference: URL: http://www.securityfocus.com/bid/41198
Reference: SECTRACK:1024160
Reference: URL: http://www.securitytracker.com/id?1024160
Reference: SECUNIA:40333
Reference: URL: http://secunia.com/advisories/40333

MySQL before 5.1.48 allows remote authenticated users with alter
database privileges to cause a denial of service (server crash and
database loss) via an ALTER DATABASE command with a #mysql50# string
followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar
sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes
MySQL to move certain directories to the server data directory.


NOTE: The CVE description above is not entirely correct.  The '#mysql50#' string is incidental; it's the special commands at the end that make the difference.

Also note that the UPGRADE DATA DIRECTORY NAME [1] was introduced in MySQL 5.1.23 in order to encode database names to make them safe on all operating systems.  So any database names with special characters in them (i.e. '-', '.', ':', etc.) would get automatically encoded on upgrades from previous versions of MySQL to a >=5.1.23 install (could affect migrations from Red Hat Enterprise Linux 5 to 6).

This only affects Red Hat Enterprise Linux 6 beta and Fedora (rawhide has 5.1.48 which has the issue corrected).

[1] http://dev.mysql.com/doc/refman/5.1/en/alter-database.html
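
A detection sketch for the statement pattern described above, added here as an example and not part of the original report or of MySQL: it scans query-log lines for ALTER DATABASE ... UPGRADE DATA DIRECTORY NAME statements whose database name is a dot-only or path-like sequence. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# ALTER {DATABASE|SCHEMA} <quoted name> UPGRADE DATA DIRECTORY NAME
STMT = re.compile(
    r"ALTER\s+(?:DATABASE|SCHEMA)\s+([`\"])(?P<name>.+?)\1\s+"
    r"UPGRADE\s+DATA\s+DIRECTORY\s+NAME",
    re.IGNORECASE,
)
PREFIX = "#mysql50#"


def classify(name):
    """Return why a database name is path-like, or None if it looks ordinary."""
    # The prefix is stripped first: per the note in the report it is incidental.
    core = name[len(PREFIX):] if name.lower().startswith(PREFIX) else name
    if core and set(core) == {"."}:
        return "dot-only name"
    if "/" in core or "\\" in core:
        return "path separator in name"
    return None


def scan(lines):
    """Return (line_number, name, reason) for each suspicious statement."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = STMT.search(line)
        if match:
            reason = classify(match.group("name"))
            if reason:
                hits.append((number, match.group("name"), reason))
    return hits


# Constructed sample lines in the style of a MySQL general query log.
SAMPLE_LOG = [
    "100713 21:27:48\t   12 Query\tALTER DATABASE `#mysql50#shop-db` UPGRADE DATA DIRECTORY NAME",
    "100713 21:28:02\t   12 Query\tALTER DATABASE `#mysql50#.` UPGRADE DATA DIRECTORY NAME",
    "100713 21:28:09\t   12 Query\talter schema `#mysql50#../` upgrade data directory name",
    "100713 21:28:15\t   12 Query\tALTER DATABASE `reports` CHARACTER SET utf8",
    "100713 21:28:21\t   12 Query\tALTER DATABASE `#mysql50#..` UPGRADE DATA DIRECTORY NAME",
]

if __name__ == "__main__":
    for number, name, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {name!r}: {reason}")
```

The first sample line is the legitimate use of the clause (re-encoding a pre-5.1 name containing '-') and is not flagged; only names made of dots or containing a path separator are reported.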

Comment 2 Vincent Danen 2010-07-13 21:29:12 UTC
Created mysql tracking bugs for this issue

Affects: fedora-all [bug 614216]

Comment 7 Fedora Update System 2010-07-27 02:41:23 UTC
mysql-5.1.48-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-08-03 00:36:24 UTC
mysql-5.1.47-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.