04.39.15 CVE: Not Available
Platform: Cross Platform
Title: MySQL Remote Buffer Overflow
Description: MySQL is a relational database. Insufficient boundary checks in the "cli_stmt_execute()" function of the "libmysql/libmysql.c" file expose a remote buffer overflow issue. MySQL versions 4.1.3-beta and 4.1.4 are affected.
Ref: http://bugs.mysql.com/bug.php?id=4017

------- Additional Comments From marcdeslauriers 2004-10-11 03:20:42 ----

A few more:

Several problems have been discovered in MySQL, a commonly used SQL database on Unix servers. The following problems have been identified by the Common Vulnerabilities and Exposures Project:

CAN-2004-0835
    Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one.

CAN-2004-0836
    Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function.

CAN-2004-0837
    Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall.

http://www.debian.org/security/2004/dsa-562

------- Additional Comments From rob.myers.edu 2004-10-12 07:34:13 ----

bug in redhat bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135375

------- Additional Comments From marcdeslauriers 2004-10-13 16:11:43 ----

Here are updated packages for 7.3, 9 and FC1 to QA:

Changelog:
* Wed Oct 13 2004 Marc Deslauriers <marcdeslauriers> 3.23.58-1.73.3.legacy
- Added security patch for CAN-2004-0835, CAN-2004-0836, CAN-2004-0837 and privilege escalation issue on GRANT ALL ON `Foo\_Bar` (no CVE yet)

------- Additional Comments From marcdeslauriers 2004-10-13 16:13:18 ----

This bug obsoletes bug 1832

------- Additional Comments From josh.kayse.edu 2004-10-18 02:04:55 ----

I did QA on the FC1 package:

d9ab8dd3f45470490dc48f6a8b3826ce3788a089 mysql-3.23.58-4.1.legacy.src.rpm

- Source files identical to previous
- Patch file looks good
- Spec file is good
- Builds fine
- Installs fine
- Runs ok

+PUBLISH

------- Additional Comments From dom 2004-10-20 10:32:43 ----

https://rhn.redhat.com/errata/RHSA-2004-597.html

------- Additional Comments From rob.myers.edu 2004-10-21 04:31:29 ----

I did QA on marc's FC1 package:

d9ab8dd3f45470490dc48f6a8b3826ce3788a089 mysql-3.23.58-4.1.legacy.src.rpm

builds ok
SPEC looks good
patches look good, fix stated CAN #'s (verified against mysql-3.23.58-2.3)
compares favorably with cra's rpm-build-compare script
installs ok
runs ok

+PUBLISH

------- Additional Comments From pekkas 2004-12-21 04:31:15 ----

Also obsoletes #2006 (CAN-2004-0457). Obsoletes #1836 (CAN-2004-0388 and -0381). The GRANT ALL vulnerability is CAN-2004-0957. (I.e., this includes fixes for all known issues.)

------- Additional Comments From pekkas 2004-12-21 05:53:42 ----

QA for RHL73 and RHL9 SRPMS w/ rpm-build-compare:
- sources are OK
- spec file changes are OK
- patches are roughly OK. RHEL3 and RHEL21 have also added a couple of non-security bugfixes which weren't included here: config.patch, dropdb.patch, setpermission.patch, and have made a couple of minor other changes.

However, mysqlhotcopy.patch is different here; ours has been taken from http://lists.mysql.com/internals/15185 pointed to in the RHL bugzilla. But, unfortunately, this patch is broken, because it always executes 'die', so it breaks mysqlhotcopy in the process.

This was articulated in Debian changelogs as follows:

latest ver:
* Applied patch to make mysqlhotcopy working again as it was broken by the upstream patch for the security problem fixed in 3.23.49-8.7 [DSA 540 and CAN-2004-0457]

previous-to-latest ver:
* Applied upstream patch by Sergei Golubchik <serg> to fix insecure temporary file creation [scripts/mysqlhotcopy.sh, http://lists.mysql.com/internals/15185, CAN-2004-0457]

Therefore, I don't think we can ship this version of mysqlhotcopy patch. There are two options:
1) take Debian's (or someone else's) approach to fixing mysqlhotcopy; or
2) take the redhat's patch (w/ different name).

If 2), I can give +PUBLISH for RHL73,RHL9 if the patch is substituted with the file of the following sha1sum:

825e95e370c988c19eb278ba32e44bf939e82a3a mysql-3.23.58-hotcopy.patch

3b2da6bcee76dd972fab0e2f55ffcf5551e6c99c mysql-3.23.58-1.73.3.legacy.src.rpm
418a73432eee0bbe465fc469e91da1e21339072f mysql-3.23.58-1.90.3.legacy.src.rpm

------- Additional Comments From sheltren.edu 2005-01-13 07:30:00 ----

In response to comment #9, I think that using RH's patch makes sense. I'll wait to QA the new packages (unless there's a reason to still QA these packages?).

------- Additional Comments From bugzilla.fedora.us 2005-01-31 09:44:39 ----

there's a newly reported insecure temporary file creation vuln in "mysqlaccess" of the MySQL-client package. should it be lumped in with this bug?

CAN-2005-0004

------- Additional Comments From marcdeslauriers 2005-02-11 16:24:45 ----

Here are updated packages for 7.3, 9 and FC1 to QA:

Changelog:
* Fri Feb 11 2005 Marc Deslauriers <marcdeslauriers> 3.23.58-1.73.4.legacy
- Added better security patch for CAN-2004-0457
- Added security patch for CAN-2005-0004

------- Additional Comments From marcdeslauriers 2005-02-11 16:25:41 ----

FYI, the CAN-2005-0004 patch in comment #12 was stolen from Mandrake:

ftp://ftp.uvsq.fr/pub/mandrake/official/updates/corporate/2.1/SRPMS/MySQL-3.23.56-1.7.C21mdk.src.rpm

------- Additional Comments From sheltren.edu 2005-02-13 07:26:54 ----

QA for RH9 and FC1 packages:

c3a36733de70baf681e6c72c40ababa0aa4c8eb3 mysql-3.23.58-1.90.4.legacy.src.rpm
038dc88d66924444c577612bf3e2b1c7f5218ac1 mysql-3.23.58-4.2.legacy.src.rpm

SPEC file changes are good
Source tarball is unchanged
All patches match respective RHEL/mandrake patches
Package rebuilds cleanly

RH9 PUBLISH++
FC1 PUBLISH++

------- Additional Comments From sheltren.edu 2005-02-14 07:38:28 ----

QA for RH 7.3 package:

ffeab3564e9020615849d34a5376b408461b56fb mysql-3.23.58-1.73.4.legacy.src.rpm

SPEC file changes are good
Source tarball is unchanged
All patches match respective redhat/mandrake patches
Package rebuilds cleanly

RH73 PUBLISH++

------- Additional Comments From pekkas 2005-02-15 00:56:28 ----

(Not bothering to sign this as there are already publishes..)

I also took a quick look at RHL9, the patches were identical to those in FC-2 and Mandrake. Seems like good to go.

------- Additional Comments From marcdeslauriers 2005-02-21 16:45:50 ----

Packages were pushed to updates-testing.

------- Additional Comments From pekkas 2005-02-22 03:00:53 ----

QA of RHL73:
- PGP signature OK
- installs nicely
- IMP and phpMyAdmin using MySQL as backend work OK

+VERIFY RHL73

04ef0f04b389f7f9fc5bb46f35f81e8503a463ba mysql-3.23.58-1.73.5.legacy.i386.rpm
879f133178898835609ec305988b473e7221f825 mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
9258ee1dd63f878c376a4e8a4f28e6dc8be11600 mysql-server-3.23.58-1.73.5.legacy.i386.rpm

------- Additional Comments From pizza 2005-03-06 04:12:33 ----

QA for RH9:

mysql-3.23.58-1.90.5.legacy
mysql-server-3.23.58-1.90.5.legacy
mysql-devel-3.23.58-1.90.5.legacy

Packages install and GPG check okay. Once restarted (rpm -U should restart the databases!) all existing DBs continued to work (the Mantis bug-tracking system in particular)

+VERIFY RH9

------- Additional Comments From rob.myers.edu 2005-03-18 11:37:06 ----

I did QA on the fc1 mysql rpms:

509f1caeef89bb626334be27e13c4269cc00ca75 mysql-3.23.58-4.3.legacy.i386.rpm
7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec mysql-bench-3.23.58-4.3.legacy.i386.rpm
08c25d36193f30dceb4d3f81fbdd69f713fd94b7 mysql-devel-3.23.58-4.3.legacy.i386.rpm
8fa58175f2d1baf7d45e8c19939928d3faa113ba mysql-server-3.23.58-4.3.legacy.i386.rpm

sha1sums ok
gpg signature ok
installs ok
runs ok, BUT startup script says FAILED even tho it starts fine. this may only be something wonky about my setup...

+VERIFY

------- Additional Comments From marcdeslauriers 2005-03-18 13:39:23 ----

In response to comment #20:

If you set a mysql admin password, then it's normal for the init script to say "failed".

------- Additional Comments From mark.scott 2005-03-22 06:55:18 ----

QA on FC1 mysql package:

509f1caeef89bb626334be27e13c4269cc00ca75 mysql-3.23.58-4.3.legacy.i386.rpm
7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec mysql-bench-3.23.58-4.3.legacy.i386.rpm
08c25d36193f30dceb4d3f81fbdd69f713fd94b7 mysql-devel-3.23.58-4.3.legacy.i386.rpm
8fa58175f2d1baf7d45e8c19939928d3faa113ba mysql-server-3.23.58-4.3.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok

To check server was still functional I ran mysql-bench tests against server:

cd /usr/share/sql-bench/
./run-all-tests --server=mysql --cmp=mysql,pg,solid --log --fast

Worked.

+VERIFY FC1

------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2129 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2129
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
Updated packages were released for this issue.