Bug 717703

Summary: mysql: DoS (abort) by performing certain EXPLAIN EXTENDED SQL queries in prepared-statement mode (MySQL bug#54494)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: byte, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 14:12:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 717721    

Description Jan Lieskovsky 2011-06-29 15:37:41 UTC 
An attempt to call of pure virtual method was found in the way MySQL server processed certain SQL queries requesting EXPLAIN EXTENDED for a SELECT from table statement, when outer join and empty (always True) WHERE condition was used in prepared-statement mode. A remote attacker, valid SQL user could use this flaw to cause denial of service (mysqld daemon abort).

References:
[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html
[2] http://bugs.mysql.com/bug.php?id=54494 (not public)
[3] http://lists.mysql.com/commits/113011

Note:
On Red Hat Enterprise Linux systems exploitation of this issue would lead only to temporary denial of service, since mysqld daemon gets automatically restarted upon encountering an abort.
Comment 2 Jan Lieskovsky 2011-06-29 15:41:50 UTC 
This issue affects the versions of the mysql package, as shipped with
Red Hat Enterprise Linux 4 and 5.

--

This issue did NOT affect the version of the mysql package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the version of the mysql package, as shipped with
Fedora release of 14 and 15.
Comment 5 Jan Lieskovsky 2012-02-14 14:12:27 UTC 
(In reply to comment #2)
> This issue affects the versions of the mysql package, as shipped with
> Red Hat Enterprise Linux 4 and 5.
> 

The mysql package in Red Hat Enterprise Linux 5 has been upgraded to version 5.0.95 via RHSA-2012:0127 security advisory: https://rhn.redhat.com/errata/RHSA-2012-0127.html, and therefore this issue has been addressed in Red Hat Enterprise Linux 5 too.