A denial of service flaw was found in the way MySQL processed SQL queries containing IN or CASE statements, when NULL argument was provided as one of the arguments to the query. A remote MySQL user could use this flaw to cause myqld daemon crash (dereference a NULL pointer). References: [1] http://secunia.com/advisories/41048/ [2] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html Upstream bug report: [3] http://bugs.mysql.com/bug.php?id=54477 Upstream changeset: [4] http://lists.mysql.com/commits/111814
Public issue proof of concepts (from [3]): A, drop table if exists `t1`; create table `t1`(`a` int)engine=myisam; insert into `t1` values (1); /*crash1*/select (`a` in (`a`,`a`)) from `t1` group by `a` with rollup; /*crash2*/select (case (`a`) when (`a`) then (`a`) end) as `a` from `t1` group by `a` with rollup; B, CREATE TABLE t1(a INT); INSERT INTO t1 VALUES (1), (2); SELECT 1 IN (NULL, a) FROM t1;
This issue did NOT affect the versions of the mysql package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. -- This issue affects the versions of the mysql package, as shipped with Fedora release of 12 and 13.
CVE Request: http://www.openwall.com/lists/oss-security/2010/08/30/8
Created mysql tracking bugs for this issue Affects: fedora-all [bug 636780]
The CVE identifier of CVE-2010-3678 has been assigned to this issue.
Statement: Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0164 https://rhn.redhat.com/errata/RHSA-2011-0164.html