Bug 832540 (mysql-cpu-2012-07)

Summary: mysql: Oracle CPU July 2012
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: byte, hhorak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
Whiteboard: impact=important,public=20120615,reported=20120615,source=internet,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,rhel-5/mysql=affected,rhel-6/mysql=affected
Fixed In Version: mysql 5.1.63, mysql 5.5.24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-21 10:19:35 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 814605, 833737, 833742, 841349, 841351, 841353, 841354, 841356, 841360, 871813, 871814    
Bug Blocks: 833743    

Description Tomas Hoger 2012-06-15 13:05:22 EDT
This bug is for Oracle Critical Patch Update Advisory - July 2012 planned to be released on July 17 and that is expected to list several MySQL flaws:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html

So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

were released in the last CPU in April 2012:

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

which covered fixes in version 5.1.62 and 5.5.22.  Apr 2012 CPU is covered by bug #832477.

This bug attempts to list issues that were already made public via released MySQL versions or bazaar commits.
Comment 1 Tomas Hoger 2012-06-15 13:11:13 EDT
A rather important password verification flaw was disclosed recently and got CVE-2012-2122 assigned.  Refer to bug 814605 for details.

Basic info:
5.1.63 and 5.5.24 release notes mention this security fix:
 * Security Fix: Bug #64884 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED
Comment 2 Tomas Hoger 2012-06-15 13:35:20 EDT
Another security fix mentioned in the 5.1.63 released notes is:

 * Security Fix: Bug #59387 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

Matching upstream commit is:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
Bug#11766300 59387: FAILING ASSERTION: CURSOR->POS_STATE == 1997660512 (BTR_PCUR_IS_POSITIONE
Bug#13639204 64111: CRASH ON SELECT SUBQUERY WITH NON UNIQUE INDEX

This issue allows non-admin database user with full SQL access to crash mysqld.

It is also fixed in 5.5.24, but is not mentioned in the release notes or the changelog file bundled in the source tarball.  This issue also affects MySQL 5.0.
Comment 3 Tomas Hoger 2012-06-15 13:37:12 EDT
5.5.23 release notes mention:

 * Security Fix: Bug #59533 was fixed.

http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html

I'm currently unable to find any commit that references mentioned bug.
Comment 4 Tomas Hoger 2012-07-14 09:11:46 EDT
Oracle July CPU to be released on Jul 17 will fix 6 MySQL issues according to the pre-release announcement:
  http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
Comment 5 Tomas Hoger 2012-08-03 05:47:42 EDT
(In reply to comment #0)
> So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:
> 
> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

Oracle July CPU only describes MySQL issues fixed in versions 5.1.63, 5.5.23, and 5.5.24.  Even though 5.5.25 and 5.5.25a were released before the CPU release, it may mean that they don't include any security fixes or that they will only be announced in the next CPU in October.