Bug 167803 - MySQL User-Defined Function Buffer Overflow (CVE-2005-2558)
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mysql
Version: unspecified
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.securityfocus.com/archive/...
Whiteboard: LEGACY, 1, 2, rh73, rh90
Blocks: 152531
Reported: 2005-09-08 08:43 EDT by John Dalbec
Modified: 2007-04-18 13:31 EDT
Doc Type: Bug Fix
Last Closed: 2006-01-10 19:52:55 EST

Attachments:
Patch for /etc/rc.d/init.d/mysqld for all 4 distros (355 bytes, patch)
2006-01-02 07:17 EST, David Eisenstein
Comment 9 -- FC1 verify -- so GPG verifies... (2.25 KB, text/plain)
2006-01-02 07:47 EST, David Eisenstein

Description John Dalbec 2005-09-08 08:43:10 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3

Description of problem:
05.32.18 CVE: CVE-MAP-NOMATCH
Platform: Cross Platform
Title: MySQL User-Defined Function Buffer Overflow
Description: MySQL is vulnerable to a buffer overflow issue due to
insufficient bounds checking of user data in the "init_syms()"
function. MySQL versions 5.0.4 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/407648/30/0/threaded 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Jeff Sheltren 2005-10-08 07:31:01 EDT
Should also patch CAN-1636
https://rhn.redhat.com/errata/RHSA-2005-685.html
Comment 2 Marc Deslauriers 2005-11-26 00:50:47 EST
We're not vulnerable to CAN-2005-1636, the script included in mysql 3.x does not
use temp files.
Comment 3 Pekka Savola 2005-11-26 01:41:30 EST
If this gets shipped, one should also look at #153719 and #168542
Comment 4 Marc Deslauriers 2005-11-27 09:31:12 EST
Here are updated mysql packages to QA:

Changelog:
* Sat Nov 26 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
3.23.58-16.FC2.2.legacy
- - Updated init script (#172426) (#152531)
- - Updated security2 patch to fix DELETE without WHERE issue (#168542)
- - Added patch to fix CVE-2005-2558

Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/mysql-3.23.58-16.FC2.2.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/
http://www.infostrategique.com/linuxrpms/legacy/2/

Comment 5 Pekka Savola 2005-11-28 13:56:29 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified from debian; init script checked against FC4.

HOWEVER, there's one problem in all the initscripts:

            while [ $STOPTIMEOUT -gt 0]; do
                /bin/kill -0 "$MYSQLPID" >/dev/null 2>&1 || break

==> s/gt 0]/gt 0 ]/

I guess this could be fixed at build time..

+ 99% PUBLISH RHL73, RHL9, FC1, FC2
Comment 6 Marc Deslauriers 2005-11-29 20:21:30 EST
Packages were pushed to updates-testing
Comment 7 Pekka Savola 2005-12-01 01:07:53 EST
QA for RHL73: signatures OK, upgrade went smoothly and mysqld was
automatically restarted, mysql DB seems to work OK (e.g., HORDE/IMP works
fine).
 
+VERIFY RHL73
Comment 8 Pekka Savola 2005-12-30 03:08:01 EST
Timeout over.
Comment 9 David Eisenstein 2006-01-02 07:17:20 EST
Created attachment 122686 [details]
Patch for /etc/rc.d/init.d/mysqld for all 4 distros

QA for FC1 version -- mysql packages:

  * SHA1SUMS match announcement; signatures verify
  * packages install fine (tho' didn't install mysql-bench)
  * Everything seems to work well with very light testing; EXCEPT:
  * It looks like there is another typo in the /etc/rc.d/init.d/mysqld script.

When mysqld is shutdown using this script, and the shutdown succeeds, 
the script attempts to delete '/var/log/subsys/mysqld', instead of 
deleting '/var/lock/subsys/mysqld'.  This makes the service subsystem
think that mysqld is still active somehow; so you get something like this:

    # service mysqld start
    Starting MySQL:					       [  OK  ]
    # service mysqld stop
    Stopping MySQL:					       [  OK  ]
    # service mysqld status
    mysqld dead but subsys locked
    # shutdown now

    Broadcast message from root (tty1) (Mon Jan  2 04:55:18 2006):

    The system is going down to maintenance mode NOW!
    INIT: Switching to runlevel: 1
    INIT: Sending processes the TERM signal
    Stopping system message bus:			       [  OK  ]
    Stopping atd:					       [  OK  ]
    Shutting down xfs:					       [  OK  ]
    Stopping MySQL:					       [FAILED]
    ...

This typo affects the /etc/rc.d/init.d/mysqld file for all 4 distros.
A suggested patch is attached (at least for the FC1 version of this
file).

Other than this minor typo, everything looks fine.  I think this typo
can be fixed in the build system and we can still push these to updates.
So I can give this a VERIFY vote provided that this is fixed.

   FC1 QUALIFIED VERIFY+
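A minimal stop routine of the kind the two QA comments above discuss, written here as an added example (it is not the Fedora Legacy mysqld init script): it closes the test bracket correctly and removes /var/lock/subsys/mysqld, not /var/log/subsys/mysqld, and only once the daemon is confirmed gone. LOCKDIR, wait_for_exit and stop_mysqld are assumed names.

```shell
#!/bin/sh
# Added example, not the Fedora Legacy mysqld init script: a stop routine with the
# two defects the QA comments found corrected. LOCKDIR is parameterised (assumed
# name) so the functions can be exercised against a scratch directory.

LOCKDIR="${LOCKDIR:-/var/lock/subsys}"

# wait_for_exit PID SECONDS: poll with "kill -0" until PID is gone or SECONDS elapse.
# Returns 0 once the process has exited, 1 on timeout.
wait_for_exit() {
    pid=$1
    stoptimeout=$2
    # The closing "]" must be a separate word: "[ $stoptimeout -gt 0]" hands
    # test the argument "0]" and no closing bracket, so the loop never runs.
    while [ "$stoptimeout" -gt 0 ]; do
        kill -0 "$pid" >/dev/null 2>&1 || return 0
        sleep 1
        stoptimeout=$((stoptimeout - 1))
    done
    return 1
}

# stop_mysqld PID SECONDS: send SIGTERM, wait, and clear the subsys lock only
# once the daemon is confirmed gone, so "service mysqld status" agrees with reality.
stop_mysqld() {
    kill "$1" >/dev/null 2>&1 || true   # an already-exited daemon is not an error here
    if wait_for_exit "$1" "$2"; then
        # Must be /var/lock/subsys/mysqld; removing /var/log/subsys/mysqld instead
        # leaves the lock behind and yields "mysqld dead but subsys locked".
        rm -f "$LOCKDIR/mysqld"
        return 0
    fi
    echo "mysqld (pid $1) still running after $2s; lock $LOCKDIR/mysqld kept" >&2
    return 1
}
```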
Comment 10 David Eisenstein 2006-01-02 07:47:24 EST
Created attachment 122687 [details]
Comment 9 -- FC1 verify -- so GPG verifies...

Comment 9 doesn't properly GPG verify, so attached is the same thing unmolested by the Bugzilla form/submission system.
Comment 11 Marc Deslauriers 2006-01-10 19:52:55 EST
Packages were released.