Bug 24381 - Buffer Overflow in MySQL <3.23.31
Summary: Buffer Overflow in MySQL <3.23.31
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mysql
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrick Macdonald
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2001-01-19 18:29 UTC by Ricardo Ariel Gorosito
Modified: 2007-04-18 16:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-01-19 18:43:12 UTC
Embargoed:


Links
System ID: Red Hat Product Errata RHSA-2001:003
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated mysql packages available for Red Hat Linux 7
Last Updated: 2001-01-18 05:00:00 UTC

Description Ricardo Ariel Gorosito 2001-01-19 18:29:39 UTC
Nicolas Gregoire posted this on BugTraq:

Hi,

All versions of MySQL < 3.23.31 have a buffer overflow which crashes the
server and which seems to be exploitable (i.e. 41414141 in eip).

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad via the MySQL
mailing-list
See the following mails for details

Regards,
Nicob

Here is the original post to the MySQL mailing-list:
==================================================

On Jan 12, João Gouveia wrote:
> Hi,
>
> I believe I've found a problem in MySQL. Here are some tests I've made in
> 3.22.27 x86 (also tested on v3.22.32 - latest stable, although I didn't
> debug it, just tested to see if it crashes). Confirmed up to latest 3.23

> On one terminal:
> <quote>
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
></quote>
>
> On the other terminal:
> <quote>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> </quote>
>
> On the first terminal i got:
> <quote>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault      nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
> Number of processes running now: 0
> mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> </quote>
>
> gdb shows the following:
> <quote>
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax            0x1      1
> ecx            0x68     104
> edx            0x8166947        135686471
> ebx            0x41414141       1094795585
> esp            0xbf5ff408       0xbf5ff408
> ebp            0x41414141       0x41414141
> esi            0x41414141       1094795585
> edi            0x0      0
> eip            0x41414141       0x41414141
> eflags         0x10246  66118
> cs             0x23     35
> ss             0x2b     43
> ds             0x2b     43
> es             0x2b     43
> fs             0x0      0
> gs             0x0      0
> (gdb)
> </quote>
>
> Looks like a typical overflow to me.
> Please reply asap, at least to tell me I'm not seeing things. :-)
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> tharbad

Here is the response to an e-mail I sent today to the MySQL list:
============================================================

Sergei Golubchik (MySQL team) wrote :
>
> Hi!
>
> On Jan 18, Nicolas GREGOIRE wrote:
> > Hi,
> >
> > Still not any info about the buffer-overflow discovered last week ?
> > Shouldn't be fixed at the beginning of the week ?
> >
> > Please, dear MySQL team, give us info !!
> >
> > Regards,
> > Nicob
>
> Fixed in latest release (3.23.31).
>
> Regards,
> Sergei

Here is part of the 3.23.30 to 3.23.31 diff:
=============================================

+Changes in release 3.23.31
+--------------------------
+
+   * Fixed security bug in something (please upgrade if you are using a
+     earlier MySQL 3.23 version).
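Review bot: the changelog entry "Fixed security bug in something" names neither the affected code nor the trigger, so a reader of this diff cannot tell what 3.23.31 actually fixes or whether a given deployment is exposed; state it plainly, e.g. "Fixed a buffer overflow triggered by an overlong identifier in a query (server crash, possible code execution; requires a valid login)", and correct "a earlier" to "an earlier".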

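An added example, not part of the original report and not MySQL's code: a hypothetical C routine that splits a dotted `db.table.column` name into fixed-size buffers the way a 2001-era server might, shown first in the vulnerable shape and then with the single bound check that turns the 130-byte identifier from the PoC above into a parse error instead of a write past the buffer. The 64-character limit (`NAME_LEN`), the struct layout and the function names are assumptions for illustration; the bug report does not say where inside mysqld the real overflow was.

```c
#include <stdio.h>
#include <string.h>

/* Assumed identifier limit for this example: 64 characters, the documented
 * MySQL maximum for database, table and column names. The report does not
 * say where in mysqld the real overflow sits, so this routine is a stand-in
 * with the same shape, not MySQL's code. */
#define NAME_LEN 64
#define NAME_PARTS 3            /* db.table.column */

struct qname {
    int nparts;
    char part[NAME_PARTS][NAME_LEN + 1];
};

/* Vulnerable shape: copy each dotted component into its fixed buffer with no
 * length check. Fed "a.<130 x 'A'>.b", the copy runs far past the end of the
 * 65-byte buffer; when such a buffer lives on a 32-bit x86 stack, as in the
 * report, saved EBP and the return address end up as 0x41414141, exactly the
 * pattern in the gdb register dump above. Only called with short input here:
 * running it on the trigger is undefined behaviour. */
static int split_qname_unsafe(const char *s, struct qname *out)
{
    int p = 0;
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '.') {
            out->part[p][n] = '\0';
            if (++p == NAME_PARTS) return -1;   /* too many components */
            n = 0;
            continue;
        }
        out->part[p][n++] = *s;     /* BUG: n is never compared with NAME_LEN */
    }
    out->part[p][n] = '\0';
    out->nparts = p + 1;
    return out->nparts;
}

/* Hardened version: the only change is the bound check before every store.
 * An overlong identifier is rejected outright rather than silently truncated,
 * so the 130-byte table name becomes a parse error, not a memory write. */
static int split_qname_safe(const char *s, struct qname *out)
{
    int p = 0;
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '.') {
            out->part[p][n] = '\0';
            if (++p == NAME_PARTS) return -1;   /* too many components */
            n = 0;
            continue;
        }
        if (n >= NAME_LEN) return -1;           /* identifier too long */
        out->part[p][n++] = *s;
    }
    out->part[p][n] = '\0';
    out->nparts = p + 1;
    return out->nparts;
}

/* Reproduce the trigger from the report: "a." + n x 'A' + ".b", the same
 * identifier that `mysql -e 'select a.'$(perl -e 'printf("A"x130)')'.b'`
 * sends. Returns the identifier length, or -1 if it does not fit in buf. */
static int build_trigger(char *buf, size_t bufsz, size_t n)
{
    size_t need = 2 + n + 2;                    /* "a." + A's + ".b" */
    if (need + 1 > bufsz) return -1;
    memcpy(buf, "a.", 2);
    memset(buf + 2, 'A', n);
    memcpy(buf + 2 + n, ".b", 3);               /* copies the NUL as well */
    return (int)need;
}

int main(void)
{
    char trig[256];
    struct qname q;

    build_trigger(trig, sizeof trig, 130);
    printf("safe parser on %zu-byte trigger: %d (expect -1)\n",
           strlen(trig), split_qname_safe(trig, &q));
    printf("safe parser on a.t.b: %d parts\n", split_qname_safe("a.t.b", &q));
    return 0;
}
```

The two parsers are deliberately identical apart from the `n >= NAME_LEN` check, which is the whole fix class for this bug shape. Rejecting rather than truncating also matters for an SQL server: a silently shortened identifier would make two different names refer to the same object. On a current compiler the unsafe routine fed the trigger would most likely abort on a stack protector rather than land 0x41414141 in the instruction pointer, which is why the example never runs it on the long input.
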
Comment 1 Trond Eivind Glomsrød 2001-01-19 18:43:09 UTC
We are aware of the problem, and a package was handed over to QA for testing
yesterday.

Comment 2 Trond Eivind Glomsrød 2001-01-23 15:57:09 UTC
New problems came along, but 3.23.32-1.7 is ready to go and will be released soon.

