Bug 188213 - CVE-2006-0903 Mysql multiple vulnerabilities (
Summary: CVE-2006-0903 Mysql multiple vulnerabilities (
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: mysql
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://secunia.com/advisories/19034
Whiteboard: impact=important, LEGACY, rhl73, rhl9...
Depends On:
Blocks: CVE-2006-0903
TreeView+ depends on / blocked
 
Reported: 2006-04-07 01:02 UTC by David Eisenstein
Modified: 2007-08-23 05:10 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-08-23 05:10:03 UTC
Embargoed:

Attachments (Terms of Use)

Description David Eisenstein 2006-04-07 01:02:32 UTC 
+++ This bug was initially created as a clone of Bug #183261 +++

Mysql log file obfuscation

http://secunia.com/advisories/19034

The following text is from tgl:

Yeah, problem confirmed locally: the query log message is truncated,

060227 11:15:47       6 Connect     root@localhost on test
6 Query       /* x */ select 2+2
6 Quit
060227 11:16:24       7 Connect     root@localhost on test
7 Query       /*
7 Quit

The report is perhaps deliberately obscure: you can *not* exploit this
through mysql_query() because it expects a null-terminated string
anyway.  But you can exploit it through mysql_real_query() which takes
a pointer and count.

I'd class the severity as pretty low, since all it allows is hiding
some traces of an attack after the attacker has already broken into
the database.  But since MySQL make a point of how mysql_real_query()
supports embedded nulls in the query string, it's certainly a bug.


-- Additional comment from bressers on 2006-02-27 15:20 EST --
attachment 125344 [details] is a testcase from tgl:

    I've attached a test case.	Start the server with query logging enabled
    (easiest way is to modify the init script to add "--log" to the
    mysqld_safe command line), run program, look at log file.
Comment 1 David Eisenstein 2006-04-07 02:41:24 UTC 
CVE-2006-0903 - "MySQL 5.0.18 and earlier allows local users to bypass
logging mechanisms via SQL queries that contain the NULL character,
which are not properly handled by the mysql_real_query function. NOTE:
this issue was originally reported for the mysql_query function, but
the vendor states that since mysql_query expects a null character, this
is not an issue for mysql_query."

This bug (apparently) affects mysql in RHL 7.3, RHL 9, FC1, FC2 and FC3.

  Distro     Package
  ------     --------------------
  RHL 7.3    mysql-3.23.58-1.73.9.legacy
  RHL 9      mysql-3.23.58-1.90.10.legacy
  FC1        mysql-3.23.58-4.7.legacy
  FC2        mysql-3.23.58-16.FC2.4.legacy
  FC3        mysql-3.23.58-16.FC3.1

References:
   * Mysql Bug # 17667:  <http://bugs.mysql.com/bug.php?id=17667>
   * Bugtraq ID 16850:   <http://www.securityfocus.com/bid/16850>
   * Secunia # 19034:    <http://secunia.com/advisories/19034>

Mandriva has issued patched packages for mysql-4.x.x in their advisory
<http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:064>.  I
am not aware of any patches yet for mysql-3.23.58, though I suspect Red
Hat will create some for their RHEL 2.1 & RHEL 3 distros.
Comment 2 David Eisenstein 2006-06-14 16:49:55 UTC 
Red Hat just issued RHSA-2006-0544, 
<http://rhn.redhat.com/errata/RHSA-2006-0544.html>, for RHEL 4.  Not sure this
announcement is relevant for Legacy, as all distros <= FC3 seem to still be
running mysql-3, and this is for mysql-4.  Hopefully, RHSA's for RHEL 3 and
RHEL 2.1 will shortly follow.

"Updated mysql packages that fix multiple security flaws are now available.

"This update has been rated as having important security impact by the Red Hat
Security Response Team.

"MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld) and
many different client programs and libraries.

"A flaw was found in the way the MySQL mysql_real_escape() function escaped
strings when operating in a multibyte character encoding. An attacker
could provide an application a carefully crafted string containing
invalidly-encoded characters which may be improperly escaped, leading to
the injection of malicious SQL commands. (CVE-2006-2753)

"An information disclosure flaw was found in the way the MySQL server
processed malformed usernames. An attacker could view a small portion
of server memory by supplying an anonymous login username which was not
null terminated. (CVE-2006-1516)

"An information disclosure flaw was found in the way the MySQL server
executed the COM_TABLE_DUMP command. An authenticated malicious user could
send a specially crafted packet to the MySQL server which returned
random unallocated memory. (CVE-2006-1517)

"A log file obfuscation flaw was found in the way the mysql_real_query()
function creates log file entries. An attacker with the the ability to call
the mysql_real_query() function against a mysql server can obfuscate the
entry the server will write to the log file. However, an attacker needed
to have complete control over a server in order to attempt this attack.
(CVE-2006-0903)

"This update also fixes numerous non-security-related flaws, such as
intermittent authentication failures.

"All users of mysql are advised to upgrade to these updated packages
containing MySQL version 4.1.20, which is not vulnerable to these issues."
Comment 3 David Eisenstein 2007-08-23 05:10:03 UTC 
Fedora Legacy is no longer an active project.  Closing.
Note You need to log in before you can comment on or make changes to this bug.