Bug 881064 (CVE-2012-5611)

Summary: CVE-2012-5611 mysql: acl_get() stack-based buffer overflow
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: 1740014386, huzaifas, john.mora, kvolny, roomojee, security-response-team, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql 5.1.67, mysql 5.5.29 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-22 21:00:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 883318, 883319, 883642, 892679, 892680    
Bug Blocks: 881074, 882596, 895568, 895572    

Description Jan Lieskovsky 2012-11-28 14:37:58 UTC 
A stack-based buffer overflow flaw was found in the way MySQL, a multi-user, multi-threaded SQL database server, performed verification if specific user had the right to access particular database. An authenticated database user could use this flaw to cause mysqld daemon crash (denial of service) or, potentially, to execute arbitrary code with the privileges of the user running the mysqld daemon, by providing a specially-crafted database name to the routine checking the access rights.

References:
[1] https://mariadb.atlassian.net/browse/MDEV-3884
[2] http://bugs.mysql.com/bug.php?id=67685 (private)

Relevant MariaDB patch:
[3] http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26
Comment 2 Jan Lieskovsky 2012-11-28 15:03:18 UTC 
This issue affects the versions of the mysql package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the mysql package, as shipped with Fedora release of 16 and 17.
Comment 6 Tomas Hoger 2012-12-03 09:35:08 UTC 
Public now via MariaDB versions 5.5.28a, 5.3.11, 5.2.13, and 5.1.66:

https://mariadb.atlassian.net/browse/MDEV-3884
https://kb.askmonty.org/en/mariadb-5528a-release-notes/
https://kb.askmonty.org/en/mariadb-5311-release-notes/
https://kb.askmonty.org/en/mariadb-5213-release-notes/
https://kb.askmonty.org/en/mariadb-5166-release-notes/

MariaDB upstream fix:

http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3168
Comment 7 Huzaifa S. Sidhpurwala 2012-12-03 09:40:32 UTC 
*** Bug 882599 has been marked as a duplicate of this bug. ***
Comment 8 Huzaifa S. Sidhpurwala 2012-12-03 09:49:22 UTC 
As per http://seclists.org/oss-sec/2012/q4/392 , it was decided to use CVE-2012-5611 for this issue.
Comment 9 Jan Lieskovsky 2012-12-03 11:14:53 UTC 
Just a noted - the CVE-2012-5579 identifier has been rejected by Mitre:
-----------------------------------------------------------------------

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-5611. Reason:
This candidate is a duplicate of CVE-2012-5611. Notes: All CVE users
should reference CVE-2012-5611 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.

=====

The CVE-2012-5611 identifier is the correct one to be used for referencing of this issue.
Comment 10 Jan Lieskovsky 2012-12-03 11:25:22 UTC 
Some other references:
  http://www.exploit-db.com/exploits/23075
  http://seclists.org/fulldisclosure/2012/Dec/4
  http://www.openwall.com/lists/oss-security/2012/12/02/3
  http://www.openwall.com/lists/oss-security/2012/12/02/4
Comment 14 Huzaifa S. Sidhpurwala 2012-12-05 03:56:23 UTC 
Created mysql tracking bugs for this issue

Affects: fedora-all [bug 883642]
Comment 16 errata-xmlrpc 2012-12-07 11:39:07 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1551 https://rhn.redhat.com/errata/RHSA-2012-1551.html
Comment 17 Fedora Update System 2012-12-15 18:00:21 UTC 
mysql-5.5.28-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-12-21 12:02:44 UTC 
mysql-5.5.28-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Tomas Hoger 2013-01-03 14:11:11 UTC 
Fixed in MySQL versions 5.1.67 and 5.5.29:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3854
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4038

Noted in release notes:

  Very long database names in queries could cause the server to exit.
  (Bug #15912213)

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-67.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-29.html
Comment 26 Fedora Update System 2013-01-12 01:04:39 UTC 
mysql-5.5.28-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Jan Lieskovsky 2013-01-16 13:38:59 UTC 
Oracle January 2013 CPU record for CVE-2012-5611:
  http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
Comment 28 errata-xmlrpc 2013-01-22 18:35:58 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0180 https://rhn.redhat.com/errata/RHSA-2013-0180.html