Bug 152797 - MySQL CAN-2004-0835,0836,0837,0957, CAN-2005-0004 - Remote Buffer Overflow
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://bugs.mysql.com/bug.php?id=4017
Whiteboard: 1, LEGACY, rh73, rh90
Reported: 2004-10-06 02:26 EDT by John Dalbec
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2005-04-05 18:28:07 EDT
Attachments: none

Description David Lawrence 2005-03-30 18:27:48 EST
04.39.15 CVE: Not Available
Platform: Cross Platform
Title: MySQL Remote Buffer Overflow
Description: MySQL is a relational database. Insufficient boundary
checks in the "cli_stmt_execute()" function of the
"libmysql/libmysql.c" file expose a remote buffer overflow issue.
MySQL versions 4.1.3-beta and 4.1.4 are affected.
Ref: http://bugs.mysql.com/bug.php?id=4017



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-11 03:20:42 ----

A few more:

Several problems have been discovered in MySQL, a commonly used SQL
database on Unix servers.  The following problems have been identified
by the Common Vulnerabilities and Exposures Project:

CAN-2004-0835

    Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks
    CREATE/INSERT rights of the old table instead of the new one.

CAN-2004-0836

    Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect
    function.

CAN-2004-0837

    Dean Ellis noticed that multiple threads ALTERing the same (or
    different) MERGE tables to change the UNION can cause the server
    to crash or stall.

http://www.debian.org/security/2004/dsa-562



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-12 07:34:13 ----

bug in redhat bugzilla:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135375



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-13 16:11:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for 7.3, 9 and FC1 to QA:

Changelog:
* Wed Oct 13 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
3.23.58-1.73.3.legacy
- - Added security patch for CAN-2004-0835, CAN-2004-0836, CAN-2004-0837
  and privilege escalation issue on GRANT ALL ON `Foo\_Bar` (no CVE yet)
 
6d25a1a5990941de2c8c7ef93707a68f9ac88709  1/mysql-3.23.58-4.1.legacy.i386.rpm
d9ab8dd3f45470490dc48f6a8b3826ce3788a089  1/mysql-3.23.58-4.1.legacy.src.rpm
adcbe6853261ec475e3ee36367eb54cf307350e5  1/mysql-bench-3.23.58-4.1.legacy.i386.rpm
5a2bfafcf3d10617bb462514df00658fc8bc4fee  1/mysql-devel-3.23.58-4.1.legacy.i386.rpm
6f8c8fe94851b5765e6818fc775a755dd74ff461  1/mysql-server-3.23.58-4.1.legacy.i386.rpm
a6e2aa0842efe0e17a7cf2754a265df31a254d47  7.3/mysql-3.23.58-1.73.3.legacy.i386.rpm
3b2da6bcee76dd972fab0e2f55ffcf5551e6c99c  7.3/mysql-3.23.58-1.73.3.legacy.src.rpm
4eb917edf9ee23dc2827b48a162dfec9895c0782  7.3/mysql-devel-3.23.58-1.73.3.legacy.i386.rpm
bf8841534d2f48989bc8bd0210f6378acb259a2d  7.3/mysql-server-3.23.58-1.73.3.legacy.i386.rpm
8fafa5c3c1125747eea37a929428ee85d16543fd  9/mysql-3.23.58-1.90.3.legacy.i386.rpm
418a73432eee0bbe465fc469e91da1e21339072f  9/mysql-3.23.58-1.90.3.legacy.src.rpm
b0d7e95284a866e4779391c474693aeb8f9e9790  9/mysql-devel-3.23.58-1.90.3.legacy.i386.rpm
f8debfa7e6342a1c6d9e69c99d40e3787e5bbac2  9/mysql-server-3.23.58-1.90.3.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-bench-3.23.58-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-devel-3.23.58-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-server-3.23.58-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-devel-3.23.58-1.73.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-server-3.23.58-1.73.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-devel-3.23.58-1.90.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-server-3.23.58-1.90.3.legacy.i386.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBbeA9LMAs/0C4zNoRAuhCAJ46ARxDPiOOgQ7ojw4+gSzd0nhU8wCeK5G3
nB9r4TcYTSjvJXh/4rP/YbM=
=P0FB
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-13 16:13:18 ----

This bug obsoletes bug 1832



------- Additional Comments From josh.kayse@gtri.gatech.edu 2004-10-18 02:04:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

d9ab8dd3f45470490dc48f6a8b3826ce3788a089 mysql-3.23.58-4.1.legacy.src.rpm

- - Source files identical to previous
- - Patch file looks good
- - Spec file is good
- - Builds fine
- - Installs fine
- - Runs ok

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBc7FXwnUFCSDmt7ERAt6nAJ4zxr9IQfodOz40rb5F/fJ/GMI6RQCfQGBb
xsUS15gcyqUXy7yjv57WNGA=
=/J0K
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-10-20 10:32:43 ----

https://rhn.redhat.com/errata/RHSA-2004-597.html



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-21 04:31:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on marc's FC1 package:
d9ab8dd3f45470490dc48f6a8b3826ce3788a089  mysql-3.23.58-4.1.legacy.src.rpm
 
builds ok
SPEC looks good
patches look good, fix stated CAN #'s (verified against mysql-3.23.58-2.3)
compares favorably with cra's rpm-build-compare script
installs ok
runs ok
 
+PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBd8f+tU2XAt1OWnsRAnBhAJ91bS36RZevh4+d/NJhohZikkWwXQCZAcr4
lzNE6VEB4fRYDD8xpw19+iQ=
=Y/Ah
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-21 04:31:15 ----

Also obsoletes #2006 (CAN-2004-0457).  Obsoletes #1836 (CAN-2004-0388 and -0381).

The GRANT ALL vulnerability is CAN-2004-0957.

(I.e., this includes fixes for all known issues.) 





------- Additional Comments From pekkas@netcore.fi 2004-12-21 05:53:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9 SRPMS w/ rpm-build-compare:
 - sources are OK
 - spec file changes are OK
 - patches are roughly OK. RHEL3 and RHEL21 have also added a couple of
non-security bugfixes which weren't included here: config.patch,
dropdb.patch, setpermission.patch, and have made a couple of minor other
changes.

  However, mysqlhotcopy.patch is different here; ours has been taken
from http://lists.mysql.com/internals/15185 pointed to in the RHL bugzilla.

But, unfortunately, this patch is broken, because it always executes 'die',
so it breaks mysqlhotcopy in the process.  This was articulated in Debian
changelogs as follows:

latest ver:
  * Applied patch to make mysqlhotcopy working again as it was broken by
    the upstream patch for the security problem fixed in 3.23.49-8.7
    [DSA 540 and CAN-2004-0457]

previous-to-latest ver:
  * Applied upstream patch by Sergei Golubchik <serg@mysql.com> to fix
    insecure temporary file creation [scripts/mysqlhotcopy.sh,
    http://lists.mysql.com/internals/15185, CAN-2004-0457]

Therefore, I don't think we can ship this version of mysqlhotcopy patch.

There are two options:
 1) take Debian's (or someone else's) approach to fixing mysqlhotcopy; or
 2) take the redhat's patch (w/ different name).

If 2), I can give +PUBLISH for RHL73,RHL9 if the patch is substituted with the
file of the following sha1sum:

825e95e370c988c19eb278ba32e44bf939e82a3a  mysql-3.23.58-hotcopy.patch

3b2da6bcee76dd972fab0e2f55ffcf5551e6c99c  mysql-3.23.58-1.73.3.legacy.src.rpm
418a73432eee0bbe465fc469e91da1e21339072f  mysql-3.23.58-1.90.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByEbEGHbTkzxSL7QRAkfeAKDH3F6tk0ZKKwUoF3ybSjw0GCigZgCgg/Je
IW+0cWx6k4Sd0FDsjwhABTw=
=qO/c
-----END PGP SIGNATURE-----




------- Additional Comments From sheltren@cs.ucsb.edu 2005-01-13 07:30:00 ----

In response to comment #9, I think that using RH's patch makes sense.  I'll wait
to QA the new packages (unless there's a reason to still QA these packages?).



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-31 09:44:39 ----

there's a newly reported insecure temporary file creation vuln in "mysqlaccess"
of the MySQL-client package.  should it be lumped in with this bug?

CAN-2005-0004
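The two temporary-file reports in this thread (CAN-2004-0457 in mysqlhotcopy, discussed in the 2004-12-21 QA comment, and CAN-2005-0004 in mysqlaccess, raised just above) are the same bug class: a script writes to a predictable name in a shared directory, and a local user who plants a symlink at that name first gets the script to overwrite a file of the attacker's choosing with the script's privileges. The shell script below is an added illustration, not the mysqlhotcopy or mysqlaccess code and not the upstream, Red Hat, Debian or Mandrake patch discussed in this bug; the file names and contents in it are invented for the demo. It stages the attack against the naive pattern and shows that the mktemp-based replacement is not affected.

```shell
#!/bin/sh
# Added illustration (not the mysqlhotcopy/mysqlaccess code and not any of
# the vendor patches) of the temporary-file bug class behind CAN-2004-0457
# and CAN-2005-0004. File names here are invented.

# Unsafe pattern: a predictable name in a shared directory, opened with
# plain truncation. A local attacker who creates a symlink at that name
# beforehand makes the script overwrite whatever the link points to, with
# the script's privileges.
unsafe_tmpfile() {
    path="${TMPDIR:-/tmp}/demo_hotcopy.$$"     # PID-based: easy to guess
    printf '%s\n' "$1" > "$path"               # follows a planted symlink
    printf '%s\n' "$path"
}

# Safe pattern: mktemp(1) creates the file itself with O_CREAT|O_EXCL and
# mode 0600 under a random suffix, so nothing pre-planted can be reused and
# the name cannot be predicted.
safe_tmpfile() {
    path=$(mktemp "${TMPDIR:-/tmp}/demo_hotcopy.XXXXXX") || return 1
    printf '%s\n' "$1" > "$path"
    printf '%s\n' "$path"
}

# Stage the attack in a private scratch directory so nothing outside it is
# touched. Returns 0 when the unsafe pattern is hijacked and the safe one
# is not (the expected outcome); non-zero otherwise.
demo_symlink_attack() {
    work=$(mktemp -d) || return 1
    victim="$work/victim.txt"
    printf 'original\n' > "$victim"

    # Attacker: plant a symlink at the name the unsafe code is about to use.
    ln -s "$victim" "$work/demo_hotcopy.$$"
    ( TMPDIR="$work"; unsafe_tmpfile "attacker-chosen content" ) >/dev/null
    after_unsafe=$(cat "$victim")              # victim has been overwritten

    # Same setup against the safe pattern: the random name cannot be
    # guessed, and O_EXCL would refuse an existing file or symlink anyway.
    printf 'original\n' > "$victim"
    safe_path=$( TMPDIR="$work"; safe_tmpfile "payload" )
    after_safe=$(cat "$victim")                # unchanged
    safe_ok=0
    [ -f "$safe_path" ] && [ ! -L "$safe_path" ] \
        && [ "$(cat "$safe_path")" = "payload" ] && safe_ok=1

    rm -rf "$work"
    [ "$after_unsafe" = "attacker-chosen content" ] \
        && [ "$after_safe" = "original" ] && [ "$safe_ok" = 1 ]
}
```

mysqlhotcopy and mysqlaccess are Perl scripts, where the equivalent of mktemp is File::Temp's tempfile(); the point is the same in either language: let the system create the file exclusively under an unpredictable name rather than checking for an existing file and then opening it, since the gap between the check and the open is exactly the window the attacker uses.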



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-11 16:24:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for 7.3, 9 and FC1 to QA:

Changelog:
* Fri Feb 11 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
3.23.58-1.73.4.legacy
- - Added better security patch for CAN-2004-0457
- - Added security patch for CAN-2005-0004
 
7.3:
cbb2c2082adc16d011ad8eb22d8038492b6e8942  mysql-3.23.58-1.73.4.legacy.i386.rpm
ffeab3564e9020615849d34a5376b408461b56fb  mysql-3.23.58-1.73.4.legacy.src.rpm
347cba4ff99d657fab06332d29cc71bde9446e66  mysql-devel-3.23.58-1.73.4.legacy.i386.rpm
775940e374e235c6a5d208e5b92a635b705765f8  mysql-server-3.23.58-1.73.4.legacy.i386.rpm

9:
e03fffbf2bf0690fc9deb3a383c8c3889ea35576  mysql-3.23.58-1.90.4.legacy.i386.rpm
c3a36733de70baf681e6c72c40ababa0aa4c8eb3  mysql-3.23.58-1.90.4.legacy.src.rpm
f90e2244309c507b9fe3f2f4968ac20ea29a5968  mysql-devel-3.23.58-1.90.4.legacy.i386.rpm
4ee633bbc5a89d924e191d476eafdd4be0627412  mysql-server-3.23.58-1.90.4.legacy.i386.rpm

fc1:
4de84f86a7c4978e1c1ece931463372bf636bbc2  mysql-3.23.58-4.2.legacy.i386.rpm
038dc88d66924444c577612bf3e2b1c7f5218ac1  mysql-3.23.58-4.2.legacy.src.rpm
6712fa88b375a5359d0cafa06f741da2ede3ae65  mysql-bench-3.23.58-4.2.legacy.i386.rpm
85caa7c75033c82bd98c80fbb41c37196d07c6bf  mysql-devel-3.23.58-4.2.legacy.i386.rpm
52487c10eea20d0c00a9786300105b52691af76c  mysql-server-3.23.58-4.2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-devel-3.23.58-1.73.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-server-3.23.58-1.73.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-devel-3.23.58-1.90.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-server-3.23.58-1.90.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-bench-3.23.58-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-devel-3.23.58-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-server-3.23.58-4.2.legacy.i386.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCDWkkLMAs/0C4zNoRAp2wAJ9BAHV5iCWxr/+25VlARek0ccHrigCfeb97
jJKCL2PRan75/1d9nqw5m4E=
=/IgF
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-11 16:25:41 ----

FYI, the CAN-2005-0004 patch in comment #12 was stolen from Mandrake:

ftp://ftp.uvsq.fr/pub/mandrake/official/updates/corporate/2.1/SRPMS/MySQL-3.23.56-1.7.C21mdk.src.rpm




------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-13 07:26:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RH9 and FC1 packages:
c3a36733de70baf681e6c72c40ababa0aa4c8eb3  mysql-3.23.58-1.90.4.legacy.src.rpm
038dc88d66924444c577612bf3e2b1c7f5218ac1  mysql-3.23.58-4.2.legacy.src.rpm

SPEC file changes are good
Source tarball is unchanged
All patches match respective RHEL/mandrake patches
Package rebuilds cleanly

RH9 PUBLISH++
FC1 PUBLISH++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCD4uOKe7MLJjUbNMRAnUbAJ0cqqUZPBM4X9xJEQoISXVq7ZJqQQCfUCcw
Fv7WJLmp8yu9Cb4oAbLnA5E=
=QIfq
-----END PGP SIGNATURE-----



------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-14 07:38:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RH 7.3 package:
ffeab3564e9020615849d34a5376b408461b56fb  mysql-3.23.58-1.73.4.legacy.src.rpm

SPEC file changes are good
Source tarball is unchanged
All patches match respective redhat/mandrake patches
Package rebuilds cleanly

RH73 PUBLISH++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCEOHJKe7MLJjUbNMRAtfiAJ0do/fD27VvgZ3onUVBpa4c9FLZUwCcDpYb
NnRFzBnYsspXth1x9MVzRrw=
=Rb32
-----END PGP SIGNATURE-----



------- Additional Comments From pekkas@netcore.fi 2005-02-15 00:56:28 ----

(Not bothering to sign this as there are already publishes..)
I also took a quick look at RHL9, the patches were identical to those in FC-2
and Mandrake.  Seems like good to go.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-21 16:45:50 ----

Packages were pushed to updates-testing.



------- Additional Comments From pekkas@netcore.fi 2005-02-22 03:00:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA of RHL73:
 - PGP signature OK
 - installs nicely
 - IMP and phpMyAdmin using MySQL as backend work OK

+VERIFY RHL73

04ef0f04b389f7f9fc5bb46f35f81e8503a463ba  mysql-3.23.58-1.73.5.legacy.i386.rpm
879f133178898835609ec305988b473e7221f825  mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
9258ee1dd63f878c376a4e8a4f28e6dc8be11600  mysql-server-3.23.58-1.73.5.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCGybiGHbTkzxSL7QRAvN/AKCCTR7bHk64iItFsu7Hq8XGxIq1ggCgkU68
+6NBn7zyyQvaV6nEJCCMJ9Y=
=vCSX
-----END PGP SIGNATURE-----




------- Additional Comments From pizza@shaftnet.org 2005-03-06 04:12:33 ----

QA for RH9:

mysql-3.23.58-1.90.5.legacy
mysql-server-3.23.58-1.90.5.legacy
mysql-devel-3.23.58-1.90.5.legacy

Packages install and GPG check okay.  Once restarted (rpm -U should restart the
databases!)  all existing DBs continued to work (the Mantis bug-tracking system
in particular)

+VERIFY RH9




------- Additional Comments From rob.myers@gtri.gatech.edu 2005-03-18 11:37:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i did QA on the fc1 mysql rpms:

509f1caeef89bb626334be27e13c4269cc00ca75  mysql-3.23.58-4.3.legacy.i386.rpm
7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec  mysql-bench-3.23.58-4.3.legacy.i386.rpm
08c25d36193f30dceb4d3f81fbdd69f713fd94b7  mysql-devel-3.23.58-4.3.legacy.i386.rpm
8fa58175f2d1baf7d45e8c19939928d3faa113ba  mysql-server-3.23.58-4.3.legacy.i386.rpm

sha1sums ok
gpg signature ok
installs ok
runs ok, BUT startup script says FAILED even though it starts fine.  this may
only be something wonky about my setup...

+VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCO0mdtU2XAt1OWnsRAg+6AKDRUz42bNDFw70uZFI0aAon5fflBgCdGWyc
hFfpN1ddGo/mb7wLofhYy8U=
=BzwN
-----END PGP SIGNATURE-----
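The per-package checks the QA comments in this thread report (sha1sums ok, gpg signature ok, installs ok) are easy to script against the lists posted here. The shell below is an added example, not Fedora Legacy's own QA tooling: it re-joins manifest entries that the web form wrapped onto two lines (checksum on one line, path on the next, as several of the lists above were), compares each file's SHA-1 with the announced value, and, as a separate step because it needs rpm and the signing key, runs rpm --checksig over the downloaded RPMs. The demo input is constructed in a temporary directory; its package names and paths are invented.

```shell
#!/bin/sh
# Added example (not Fedora Legacy's QA tooling): check announced packages
# against files on disk. Manifest lines are "<sha1>  <path>" as pasted in
# this bug; an entry wrapped onto two lines (sha1 alone, path on the next
# line) is re-joined first. Demo file names below are invented.

# Normalise a pasted manifest read from stdin into one "sha1  path" line
# per package. Lines that are neither a checksum nor the path belonging to
# a dangling checksum are dropped.
join_manifest() {
    pending=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        if printf '%s' "$line" | grep -Eq '^[0-9a-f]{40}[[:space:]]+[^[:space:]]+$'; then
            set -- $line                      # $1 = sha1, $2 = path
            printf '%s  %s\n' "$1" "$2"
            pending=""
        elif printf '%s' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
            pending="$line"                   # path was wrapped to next line
        elif [ -n "$pending" ]; then
            printf '%s  %s\n' "$pending" "$line"
            pending=""
        fi
    done
}

# Compare each entry of a joined manifest ($1) with the file of the same
# basename under $2. Prints one status line per entry; returns 1 if any
# file is missing or its SHA-1 differs from the announced one.
verify_packages() {
    manifest="$1"; dir="$2"; bad=0
    while read -r sum path; do
        f="$dir/$(basename "$path")"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1
        elif [ "$(sha1sum "$f" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'BADSUM   %s\n' "$path"; bad=1
        else
            printf 'OK       %s\n' "$path"
        fi
    done < "$manifest"
    return $bad
}

# Signature check, kept separate because it needs rpm and the signing key
# (rpm --import <keyfile>) present. Returns 2 when rpm is absent, 1 on any
# failed signature or digest, 0 when every RPM under $1 verifies.
verify_signatures() {
    command -v rpm >/dev/null 2>&1 || { echo 'rpm not installed' >&2; return 2; }
    bad=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        rpm --checksig "$f" || bad=1
    done
    return $bad
}

# Demo on constructed input: two dummy files standing in for packages, the
# second one announced on a wrapped line. Returns 0 when a clean run passes
# and a tampered file is caught.
demo_verify() {
    work=$(mktemp -d) || return 1
    printf 'server\n' > "$work/mysql-server-demo.i386.rpm"
    printf 'devel\n'  > "$work/mysql-devel-demo.i386.rpm"
    s1=$(sha1sum "$work/mysql-server-demo.i386.rpm" | cut -d' ' -f1)
    s2=$(sha1sum "$work/mysql-devel-demo.i386.rpm" | cut -d' ' -f1)
    printf '%s  7.3/mysql-server-demo.i386.rpm\n%s \n7.3/mysql-devel-demo.i386.rpm\n' "$s1" "$s2" \
        | join_manifest > "$work/manifest"
    clean=0;    verify_packages "$work/manifest" "$work" >/dev/null || clean=$?
    printf 'tampered\n' >> "$work/mysql-devel-demo.i386.rpm"
    tampered=0; verify_packages "$work/manifest" "$work" >/dev/null || tampered=$?
    rm -rf "$work"
    [ "$clean" = 0 ] && [ "$tampered" = 1 ]
}
```

Once the list is joined, `sha1sum -c manifest` run from the download root does the same checksum pass in one command; the join step is only there because the pasted lists break paths onto the next line. rpm --checksig reports a failure when the signing key has not been imported, so import it before reading a "BAD" result as tampering.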




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-18 13:39:23 ----

In response to comment #20: 

If you set a mysql admin password, then it's normal for the init script to say
"failed".



------- Additional Comments From mark.scott@csuk-solutions.net 2005-03-22 06:55:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA on FC1 mysql package:

509f1caeef89bb626334be27e13c4269cc00ca75  mysql-3.23.58-4.3.legacy.i386.rpm
7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec  mysql-bench-3.23.58-4.3.legacy.i386.rpm
08c25d36193f30dceb4d3f81fbdd69f713fd94b7  mysql-devel-3.23.58-4.3.legacy.i386.rpm
8fa58175f2d1baf7d45e8c19939928d3faa113ba  mysql-server-3.23.58-4.3.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok

To check server was still functional I ran mysql-bench tests against server:
cd /usr/share/sql-bench/
./run-all-tests --server=mysql --cmp=mysql,pg,solid --log --fast
Worked.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCQE3hl2I0fYrP+68RAn4uAJ9OVJULcGW6sJlf0KNSXsARWlhpsQCcCFqJ
itLk6WeSF8RgQQpZUYcsmp4=
=GlCq
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2129 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2129
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:28:07 EDT
Updated packages were released for this issue.
