Bug 832477 (mysql-cpu-2012-04)

Summary: mysql: Oracle CPU April 2012
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: byte, hhorak
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120417,reported=20120417,source=internet,cvss2=4/AV:N/AC:L/Au:S/C:N/I:N/A:P,rhel-5/mysql=affected,rhel-6/mysql=affected
Fixed In Version: mysql 5.1.62, mysql 5.5.22
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-01-21 10:15:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 812431, 814282, 814285, 814287, 814290, 814291, 814293, 871813, 871814
Bug Blocks: 814308

Description Tomas Hoger 2012-06-15 09:52:59 EDT
This bug is for Oracle Critical Patch Update Advisory - April 2012 that lists 6 MySQL flaws:

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Fixes for these issues are included in versions 5.1.62 and 5.5.22.

Previous CPU for MySQL was released in January 2012:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Security flaws in the Jan 2012 CPU were fixed in versions 5.0.95, 5.1.61, and 5.5.20 (MySQL version 5.0.x reached end of life in between the Jan and Apr CPUs).  Therefore, the following versions were released in between the two CPUs:

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-62.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-21.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-22.html

The aim here is to try to document what fixes were made in those versions and try to map them to CVEs.  This may not be possible to do with the information released via Oracle CPU (limited to CVSSv2 score and affected sub-component).
Comment 1 Tomas Hoger 2012-06-15 11:34:40 EDT
The only security fix that is mentioned in the release notes is:

 * Security Fix: Bug #63775 was fixed.

mentioned in the 5.1.62 and 5.5.22 release notes.  The commit summary is:

Fix Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD

This got CVE-2012-2102 assigned publicly a few days before the CPU release:

http://thread.gmane.org/gmane.comp.security.oss.general/7430

The CVE is not mentioned in the Apr 2012 CPU.  It is possible that one of CVE-2012-1703, CVE-2012-1688 or CVE-2012-1690 is a duplicate assignment; however, there's not much info to be sure.  CVE-2012-1703 is CVSS scored as having complete availability impact and described as:

  Successful attack of this vulnerability can result in unauthorized
  Operating System hang or frequently repeatable crash (complete DOS).

http://www.oracle.com/technetwork/topics/security/cpuapr2012verbose-366316.html#Oracle%20MySQL

As it is a mysqld crash, it's more likely to be one of the other two CVEs that are scored as having partial+ availability impact:

  Successful attack of this vulnerability can result in unauthorized ability
  to cause a hang or frequently repeatable crash (complete DOS) of MySQL
  Server.

Neither of the two CVEs is listed as affecting the InnoDB sub-component, while the other storage engine, MyISAM, is listed as the sub-component for CVE-2012-0583.

This issue is tracked via bug #812431.
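As an added illustration (not part of the bug report), this script parses the `cvss2=` field of the Whiteboard above and recomputes the CVSSv2 base score from the standard v2 equations, so the recorded score can be checked against the vector; it also scores the same vector with the complete availability impact (A:C) that comment 1 contrasts with partial (A:P). The Whiteboard string is copied from this bug; everything else is constructed.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as given in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

# Sample input: the Whiteboard field of this bug report (copied from the page).
WHITEBOARD = ("impact=moderate,public=20120417,reported=20120417,source=internet,"
              "cvss2=4/AV:N/AC:L/Au:S/C:N/I:N/A:P,rhel-5/mysql=affected,rhel-6/mysql=affected")


def parse_whiteboard_cvss2(whiteboard):
    """Return (recorded score, metric dict) from a Red Hat 'cvss2=SCORE/VECTOR' whiteboard field."""
    m = re.search(r"cvss2=([\d.]+)/((?:[A-Za-z]+:[A-Z]/?)+)", whiteboard)
    if not m:
        raise ValueError("no cvss2 field in whiteboard")
    metrics = dict(part.split(":") for part in m.group(2).split("/"))
    return float(m.group(1)), metrics


def _round1(x):
    # CVSS v2 rounds to one decimal place, half up.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(metrics):
    """CVSS v2 base score equation (impact, exploitability, f(impact))."""
    impact = 10.41 * (1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]]) * (1 - CIA[metrics["A"]]))
    exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_whiteboard(whiteboard):
    """Recompute the score from the vector and report whether it matches the recorded one."""
    recorded, metrics = parse_whiteboard_cvss2(whiteboard)
    computed = cvss2_base_score(metrics)
    return recorded, computed, recorded == computed


if __name__ == "__main__":
    recorded, computed, ok = check_whiteboard(WHITEBOARD)
    print(f"recorded={recorded} computed={computed} match={ok}")
    # Same vector, but complete availability impact as in the CVE-2012-1703 description:
    print(cvss2_base_score({"AV": "N", "AC": "L", "Au": "S", "C": "N", "I": "N", "A": "C"}))
```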
Comment 2 Tomas Hoger 2012-06-15 11:53:39 EDT
CVE-2012-0583 is rather odd, as it is listed to affect versions before 5.1.61 and 5.5.20.  Given those versions, it seems it should have been listed in the Jan 2012 CPU.  A possibility is that the issue also affected 5.0 versions, but did not get fixed in 5.0.95.

One candidate is:
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/1810.4002.1
Bug#12361113: CRASH WHEN "LOAD INDEX INTO CACHE" WITH TOO SMALL KEY CACHE

This fix addressed a mysqld crasher bug and was applied in versions 5.1.61 and 5.5.20.  Additionally, it got applied to 5.0 in 5.0.96.  The 5.0.96 release notes do not mention any security fix though:
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-96.html

Additional notes regarding the test case that is part of the linked commit:

- 5.1 versions before 5.1.61 can be crashed using it, but it does not seem to crash 5.0.95 as shipped with Red Hat Enterprise Linux 5.

- The test case requires the SUPER privilege, so it can only be executed using the MySQL root user or another user with database admin privileges.  The privilege is required for the "SET GLOBAL" use.  It is unclear if there may be another way not requiring admin privileges to trigger this issue.
Comment 3 Tomas Hoger 2012-06-15 12:32:31 EDT
A likely candidate for CVE-2012-1703 is the following commit:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.9.1
Bug #11765810 58813: SERVER THREAD HANGS WHEN JOIN + WHERE + GROUP BY IS EXECUTED TWICE FROM P

This allows a non-admin user with SQL access to make mysqld enter an infinite loop, consuming a lot of CPU time.  This would also match the A:C part of the CVSS score.

The issue also affects MySQL 5.0 and was not fixed in 5.0.96.
Comment 4 Tomas Hoger 2012-06-15 12:41:47 EDT
Another suspicious commit among the changes done between 5.1.61 and 5.1.62, and a possible candidate for CVE-2012-1690, is:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.8.5
Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS

According to the commit message, it could "lead to assertions, crashes and generally bad behavior".  The test case does not seem to trigger any of that behavior on mysql 5.0.95 and 5.1.61 packages in Red Hat Enterprise Linux.
Comment 5 Tomas Hoger 2012-06-15 12:51:19 EDT
One observation is that debug build assertion failures do not seem to be considered security issues.  For example, the following commit documents a possibility of triggering DBUG_ASSERT, but is documented in 5.1.62 and 5.5.21 as an "Incompatible Change".

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3671