Bug 1088197 - (CVE-2014-2440) CVE-2014-2440 mysql: unspecified vulnerability related to Client (CPU April 2014)
Status: CLOSED DUPLICATE of bug 1054592
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140415,repor...
Keywords: Security
Depends On: 1088232 1088234 1089202 1089203 1089209 1089366 1092145 1093372 1101062 1101063
Blocks: 1088219
Reported: 2014-04-16 04:36 EDT by Huzaifa S. Sidhpurwala
Modified: 2015-11-25 05:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2014-09-12 05:18:47 EDT


Attachments
diff between 5.5.36 and 5.5.37 (1.61 KB, patch), 2014-05-08 04:43 EDT, Huzaifa S. Sidhpurwala
diff between 5.5.35 and 5.5.36 (1.93 KB, patch), 2014-05-08 05:46 EDT, Huzaifa S. Sidhpurwala
mysql upstream tarball diffs between 5.5.36 and 5.5.37 (1.58 KB, patch), 2014-05-12 00:24 EDT, Huzaifa S. Sidhpurwala
mariadb upstream tarball diffs between 5.5.36 and 5.5.37 (2.24 KB, patch), 2014-05-12 00:25 EDT, Huzaifa S. Sidhpurwala

Description Huzaifa S. Sidhpurwala 2014-04-16 04:36:45 EDT
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client). Supported versions that are affected are 5.5.36 and earlier and 5.6.16 and earlier. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Client accessible data as well as read access to a subset of MySQL Client accessible data and ability to cause a partial denial of service (partial DOS) of MySQL Client. 

External References:

http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL
Comment 1 Huzaifa S. Sidhpurwala 2014-04-16 05:50:56 EDT
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1088234]
Comment 2 Huzaifa S. Sidhpurwala 2014-04-16 05:51:04 EDT
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1088232]
Comment 6 Fedora Update System 2014-04-29 01:23:26 EDT
mariadb-5.5.37-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-29 01:25:18 EDT
community-mysql-5.5.37-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-29 01:26:56 EDT
mariadb-5.5.37-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-04-29 01:28:47 EDT
community-mysql-5.5.37-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Huzaifa S. Sidhpurwala 2014-05-08 04:43:09 EDT
Created attachment 893579 [details]
diff between 5.5.36 and 5.5.37
Comment 11 Huzaifa S. Sidhpurwala 2014-05-08 05:46:07 EDT
Created attachment 893590 [details]
diff between 5.5.35 and 5.5.36
Comment 12 Huzaifa S. Sidhpurwala 2014-05-08 05:58:13 EDT
This issue corresponds to the following statement in the mysql-5.5.37 release notes at: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-37.html

"While printing the server version, the mysql client did not check for buffer overflow in a string variable. (Bug #18186103)"

This matches the commit string:
"diff 7462 2014-02-12 12:13:19.0 Vamsikrishna Bhagi <vamsikrishna.bhagi@oracle.com> Bug #18186103	BUFFER OVERFLOW IN CLIENT"

from: 
http://code.metager.de/source/diff/mysql-server/client/mysql.cc?r2=/mysql-server/client/mysql.cc@7462&r1=/mysql-server/client/mysql.cc@7341

Looking at both patches attached to this bug, it seems the actual issue was addressed in 5.5.36, where sprintf was replaced with snprintf (actually my_snprintf, which is supposed to be a "Portable and limited vsnprintf() implementation"). Later, in 5.5.37, the idea of using my_snprintf was scrapped in favour of using the system glibc implementation.

In the version of mysql as shipped with Red Hat Enterprise Linux 6 (mysql-5.1), my_snprintf() is already used, which is enough to mitigate the buffer overflow vulnerability. Therefore it is not affected by this flaw.
Comment 14 Tomas Hoger 2014-05-09 04:19:03 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #12)
> "While printing the server version, the mysql client did not check for
> buffer overflow in a string variable. (Bug #18186103)"

That change is already known under a different CVE, CVE-2014-0001; see bug 1054592.  If the Oracle-assigned CVE-2014-2440 is for the same issue, it is a duplicate assignment that should be rejected.

See bug 1054592 comment 23 for proper MySQL upstream commit link.

> In the version of mysql as shipped with Red Hat Enterprise Linux 6
> (mysql-5.1), my_snprintf() is already used which is enough to mitigate the
> buffer overflow vulnerability. Therefore it is not affected by this flaw.

CVE-2014-0001 was fixed in Red Hat Enterprise Linux 6 mysql packages via RHSA-2014:0164.
Comment 15 Tomas Hoger 2014-05-09 15:41:29 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #12)
> Looking at both the patches attached to this bug, it seems the actual issue
> was addressed in 5.5.36, where sprintf was replaced with snprintf (actually
> my_snprintf which is supposed to be a "Portable and limited vsnprintf()
> implementation"). Later in 5.5.37 the idea of using my_snprintf was scraped
> in favour of using the system glibc implementation.

Diffs in comment 10 and comment 11 were between Red Hat shipped MySQL packages.  Red Hat MySQL 5.5.36 packages included an additional patch for CVE-2014-0001 based on the patch applied to MariaDB (see bug 1054592 comment 12), which replaced sprintf with my_snprintf.  MySQL upstream applied the fix in version 5.5.37 and used snprintf rather than the MySQL-specific my_snprintf to avoid the buffer overflow (see bug 1054592 comment 23).
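The sprintf-to-snprintf change discussed in comment 12 and comment 15 is easier to reason about with the two patterns side by side. The following is an added example written for this page; it is not the mysql.cc code and not either vendor's patch. The greeting format string, the 80-byte local buffer and the constructed server version strings are assumptions chosen only to show the shape of the bug: a server-controlled version string formatted into a fixed-size client buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size buffer for the client's connection greeting (not taken
 * from mysql.cc; sized so the constructed hostile version overflows it). */
#define GREETING_BUF 80

/* Assumed greeting format. The version string comes from the server's
 * handshake, so its length is controlled by whoever runs the server. */
#define GREETING_FMT "Your MySQL connection id is %lu\nServer version: %s\n"

/* Vulnerable pattern: unbounded sprintf into a fixed-size buffer. Any version
 * longer than the remaining room writes past the end of buf. It is only ever
 * called below with a version that is known to fit. */
static void greeting_unbounded(char buf[GREETING_BUF], unsigned long conn_id,
                               const char *server_version)
{
    sprintf(buf, GREETING_FMT, conn_id, server_version);
}

/* Bytes the formatted greeting needs, excluding the NUL. Lets a caller see
 * that the unbounded form would overflow without actually triggering it. */
static size_t greeting_needed(unsigned long conn_id, const char *server_version)
{
    int n = snprintf(NULL, 0, GREETING_FMT, conn_id, server_version);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened pattern: bounded formatting. Returns 0 when the greeting fit,
 * 1 when it was truncated, -1 on an encoding error. buf is always
 * NUL-terminated on return, whatever the server sent. */
static int greeting_bounded(char *buf, size_t bufsz, unsigned long conn_id,
                            const char *server_version)
{
    int n = snprintf(buf, bufsz, GREETING_FMT, conn_id, server_version);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= bufsz;
}

/* Constructed inputs: a realistic version string, and a hostile 200-byte one
 * of the kind a malicious server could put in its handshake. */
static const char *const kNormalVersion = "5.5.37-log";

static const char *long_version(void)
{
    static char v[201];
    memset(v, 'A', sizeof v - 1);
    v[sizeof v - 1] = '\0';
    return v;
}

int main(void)
{
    char buf[GREETING_BUF];
    int truncated;

    greeting_unbounded(buf, 12345, kNormalVersion);   /* 61 bytes: fits */
    printf("%s", buf);

    printf("hostile version needs %zu bytes, buffer holds %d\n",
           greeting_needed(12345, long_version()), GREETING_BUF);

    truncated = greeting_bounded(buf, sizeof buf, 12345, long_version());
    printf("bounded: truncated=%d len=%zu\n", truncated, strlen(buf));
    return 0;
}
```

The point of returning the truncation flag rather than ignoring snprintf's result is that a silently shortened banner is still a signal: a client that sees it can log or refuse the connection instead of printing whatever the server chose to send.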
Comment 16 Huzaifa S. Sidhpurwala 2014-05-12 00:24:48 EDT
Created attachment 894542 [details]
mysql upstream tarball diffs between 5.5.36 and 5.5.37
Comment 17 Huzaifa S. Sidhpurwala 2014-05-12 00:25:57 EDT
Created attachment 894544 [details]
mariadb upstream tarball diffs between 5.5.36 and 5.5.37
Comment 18 Huzaifa S. Sidhpurwala 2014-05-12 00:28:16 EDT
Attached upstream tarball diffs between mysql 5.5.36 and 5.5.37 and mariadb 5.5.36 and 5.5.37.

mysql tarball diffs correspond to the issue fixed via CVE-2014-0001 (though in a slightly different way).

This actually leads me to believe that this CVE is a duplicate of CVE-2014-0001.
Comment 19 Fedora Update System 2014-05-16 06:09:46 EDT
mariadb-galera-5.5.37-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2014-05-20 07:11:59 EDT
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0522 https://rhn.redhat.com/errata/RHSA-2014-0522.html
Comment 22 Angelo Alvarez 2014-05-20 22:28:32 EDT
When will mysql55-mysql-5.5.36-2.el5 be patched for the vulnerability?
Comment 23 Tomas Hoger 2014-05-22 09:15:36 EDT
Comments above indicate that this CVE is likely a duplicate of CVE-2014-0001, which was already fixed in mysql55-mysql (RHSA-2014:0186).
Comment 24 errata-xmlrpc 2014-05-22 13:12:40 EDT
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0537 https://rhn.redhat.com/errata/RHSA-2014-0537.html
Comment 25 errata-xmlrpc 2014-05-22 13:23:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0536 https://rhn.redhat.com/errata/RHSA-2014-0536.html
Comment 27 errata-xmlrpc 2014-06-10 08:45:14 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0702 https://rhn.redhat.com/errata/RHSA-2014-0702.html
Comment 28 Huzaifa S. Sidhpurwala 2014-07-01 01:59:58 EDT
This flaw is a duplicate of CVE-2014-0001. It was addressed in Red Hat Enterprise Linux 5 via RHSA-2014:0186 (mysql55-mysql).
Comment 30 Tomas Hoger 2014-09-12 05:18:22 EDT
Oracle has confirmed that this CVE really is a duplicate of CVE-2014-0001, as was speculated in the comments above:

http://seclists.org/oss-sec/2014/q3/579

The CPU page is now updated to note this information:

http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL

The following is used as a note for CVE-2014-2440:

  CVE-2014-2440 is equivalent to CVE-2014-0001.
Comment 31 Tomas Hoger 2014-09-12 05:18:47 EDT

*** This bug has been marked as a duplicate of bug 1054592 ***
Comment 32 Tomas Hoger 2014-09-12 05:23:46 EDT
Statement:

This issue is a duplicate of CVE-2014-0001.  See information for CVE-2014-0001 for additional details on errata that corrected this issue in Red Hat products.
