Bug 882600 (CVE-2012-5612)

Summary: CVE-2012-5612 mysql: MDL subsystem heap-based buffer overflow
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hhorak, jlieskov, redhat, roomojee, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql 5.5.29 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-18 04:53:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 882596, 895568, 895572    

Description Huzaifa S. Sidhpurwala 2012-12-02 06:51:02 UTC 
A heap-based buffer overflow was found in Mysql. An authenticated database user could use this flaw to cause mysqld to crash or possibly execute arbitrary code with the privileges of the user running mysql.

Reference:
http://seclists.org/fulldisclosure/2012/Dec/5

This issue was assigned CVE-2012-5612
Comment 1 Huzaifa S. Sidhpurwala 2012-12-03 04:52:19 UTC 
External Reference:

https://mariadb.atlassian.net/browse/MDEV-3908
Comment 2 Jan Lieskovsky 2012-12-03 11:26:42 UTC 
Some other references:
  http://www.exploit-db.com/exploits/23076
  http://www.openwall.com/lists/oss-security/2012/12/02/3
  http://www.openwall.com/lists/oss-security/2012/12/02/4
Comment 3 Huzaifa S. Sidhpurwala 2012-12-04 10:02:22 UTC 
This issue only affect MySQL 5.5 and higher, since the vulnerable MDL subsystem was first implemented in MySQL 5.5:

https://mariadb.atlassian.net/browse/MDEV-3908?focusedCommentId=28712#comment-28712
Comment 5 Huzaifa S. Sidhpurwala 2012-12-04 10:14:12 UTC 
Based on comment #3, this flaw does not seem to affect the version of mysql shipped with Red Hat Enterprise Linux 5 and 6, since mariadb upstream suggests that this only affects 5.5 and above.
Comment 7 Jan Lieskovsky 2013-01-16 13:38:00 UTC 
Oracle January 2013 CPU record:
  http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
Comment 8 Huzaifa S. Sidhpurwala 2013-01-18 04:53:00 UTC 
Text of the Oracle flaw description:

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server Parser). Supported versions that are affected are 5.5.28 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 

http://www.oracle.com/technetwork/topics/security/cpujan2013verbose-1897756.html#MSQL

Upstream notes this issue only affected MySQL versions 5.5.  Red Hat Enterprise Linux 5 and 6 include MySQL versions 5.0.x and 5.1.x respectively, which are not listed as affected.  Current Fedora versions are already updated to fixed upstream version.  Closing.
Comment 9 Tomas Hoger 2013-01-21 17:43:24 UTC 
Oracle MySQL upstream commits:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4036
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4037

MariaDB test case:
http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/3633
Comment 10 Tomas Hoger 2013-01-22 21:04:08 UTC 
The fix is also noted in 5.5.29 release notes:

  Very long table aliases in queries could cause the server to exit.
  (Bug #15948123)

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-29.html