Bug 640861 (CVE-2010-3839) - CVE-2010-3839 MySQL: server hangs during JOIN query in stored procedures called twice in a row (MySQL Bug#53544)
Status: CLOSED ERRATA
Alias: CVE-2010-3839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 645642 645643 645647 645651 652553 652554 833943
Reported: 2010-10-06 23:16 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC
CC List: 4 users

Doc Type: Bug Fix
Last Closed: 2012-06-20 15:20:32 UTC


Attachments
upstream patch (1.82 KB, patch), 2010-10-15 04:11 UTC, Huzaifa S. Sidhpurwala


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0825 normal SHIPPED_LIVE Moderate: mysql security update 2010-11-03 20:21:33 UTC
Red Hat Product Errata RHSA-2011:0164 normal SHIPPED_LIVE Moderate: mysql security update 2011-01-18 18:42:37 UTC

Description Vincent Danen 2010-10-06 23:16:22 UTC
A flaw in MySQL versions prior to 5.1.51 [1] was reported [2] that could allow an authenticated user to cause the MySQL server to enter an infinite loop by creating a query with nested JOINs when used from stored procedures and prepared statements.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-51.html
[2] http://bugs.mysql.com/bug.php?id=53544

This affects MySQL 5.x, but MySQL 4.x and earlier do not have support for stored procedures.  This causes CPU consumption around 95-100%; however, connections and queries to the database can continue.  Killing the query itself is ineffective, and even a 'service mysqld restart' will fail unless the mysqld process that is handling the query is forcibly killed.

Comment 1 Vincent Danen 2010-10-06 23:21:39 UTC
To kill this thing, CTRL-C'ing out of the query (i.e. using the commandline client) does not work:

# mysql -u root test <bug53544.sql 
field1
NULL
Query aborted by Ctrl+C

In the logs, you will see:

101006 17:15:41 [Warning] /usr/libexec/mysqld: Forcing close of thread 1  user: 'root'
A mysqld process already exists at  Wed Oct 6 17:16:41 MDT 2010

The second line is from attempting a restart:

# service mysqld restart
Timeout error occurred trying to stop MySQL Daemon.
Stopping MySQL:                                            [FAILED]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL:                                            [FAILED]

Which is due to:

# ps aux|grep mysql|grep libexec
mysql    24421 30.1  2.5 141300 19664 pts/0    Sl   16:43  11:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock

and the following output from top:

24421 mysql     18   0  137m  19m 4924 S 93.4  2.5  11:28.81 mysqld 

You need to kill -9 the process in order to get the MySQL server back up to normal.

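The two operational checks a practitioner wants from the description and from comment 1, as an added shell example (not code from the bug report, from MySQL, or from the Red Hat initscript): a classifier that maps a mysqld version string onto the affected range the description states (5.x before 5.1.51 affected, 5.1.51 and later fixed, 4.x and older have no stored procedures), and the stop-then-SIGKILL escalation that comment 1 had to do by hand because Ctrl-C, killing the query and `service mysqld stop` all fail to unstick the spinning thread. The function names, the output words (affected/not-affected/unknown, terminated/killed/gone), the default grace period and the default pid-file path are this example's own assumptions; the pid-file path is simply the one visible on the mysqld command line in comment 1.

```shell
#!/bin/sh
# Added example for CVE-2010-3839 (MySQL Bug#53544); not part of the bug report.
# Assumptions: function names, output words and defaults are this example's
# own choices, not anything MySQL or the mysqld initscript provides.

# cve_2010_3839_affected VERSION
# VERSION as printed by `mysqld --version` or SELECT VERSION(), e.g.
# "5.1.47-log" or "5.0.77". Prints one of:
#   affected      5.0.x, or 5.1.x below 5.1.51 (the range the report gives)
#   not-affected  5.1.51 and later 5.1.x, or any 4.x or older release
#                 (no stored procedures there)
#   unknown       a 5.x series the report does not cover (e.g. 5.5)
cve_2010_3839_affected() {
    ver=${1%%-*}                      # drop "-log", "-community", ... suffix
    major=${ver%%.*}
    case "$ver" in
        *.*.*) minor=${ver#*.}; minor=${minor%%.*}; patch=${ver#*.*.} ;;
        *.*)   minor=${ver#*.}; patch=0 ;;
        *)     minor=0; patch=0 ;;
    esac
    minor=${minor%%[!0-9]*}           # keep leading digits only
    patch=${patch%%[!0-9]*}
    case "$major" in
        [0-4]) echo not-affected; return 1 ;;
        5) ;;
        *)     echo unknown; return 2 ;;
    esac
    case "$minor" in
        0) echo affected; return 0 ;;
        1) if [ "${patch:-0}" -lt 51 ]; then echo affected; return 0; fi
           echo not-affected; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# force_stop_pid PID [GRACE]
# Send SIGTERM (what the initscript's stop does), give the process GRACE
# seconds (default 10) to exit, then send SIGKILL. Prints "terminated" if
# the graceful stop worked, "killed" if escalation was needed, "gone" if
# there was no such process. Needs permission to signal the target.
force_stop_pid() {
    pid=$1
    grace=${2:-10}
    kill -0 "$pid" 2>/dev/null || { echo gone; return 1; }
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while [ "$i" -lt "$grace" ]; do
        kill -0 "$pid" 2>/dev/null || { echo terminated; return 0; }
        sleep 1
        i=$((i + 1))
    done
    # Still alive after GRACE seconds: the server thread is spinning and never
    # reaches a point where it honours the shutdown request, so SIGKILL it.
    kill -KILL "$pid" 2>/dev/null || true
    echo killed
}

# force_stop_mysqld [PIDFILE] [GRACE]
# Take the pid from the file mysqld was started with (--pid-file on the
# command line in comment 1) instead of grepping ps, validate it, then
# escalate as above. Prints "no-pidfile" or "bad-pidfile" on failure.
force_stop_mysqld() {
    pidfile=${1:-/var/run/mysqld/mysqld.pid}   # assumed default path
    pid=$(cat "$pidfile" 2>/dev/null) || { echo no-pidfile; return 1; }
    case "$pid" in
        ''|*[!0-9]*) echo bad-pidfile; return 1 ;;
    esac
    force_stop_pid "$pid" "${2:-10}"
}
```

Usage on a stuck server would be `force_stop_mysqld` followed by `service mysqld start`; the version classifier is for auditing hosts before and after the errata are applied, and deliberately answers "unknown" for series the report says nothing about rather than guessing.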
Comment 2 Vincent Danen 2010-10-12 20:22:26 UTC
This issue has been assigned the name CVE-2010-3839:

http://article.gmane.org/gmane.comp.security.oss.general/3627

Comment 7 Huzaifa S. Sidhpurwala 2010-10-15 04:11:02 UTC
Created attachment 453628 [details]
upstream patch

Comment 8 Huzaifa S. Sidhpurwala 2010-10-19 02:50:29 UTC
This issue did NOT affect the versions of the mysql package, as shipped with
Red Hat Enterprise Linux 3 and 4.

This issue affects the version of mysql package, as shipped with Red Hat
Enterprise Linux 5 and 6.

-- 

This issue affects the version of mysql package, as shipped with Fedora 12 and
13.

Comment 10 Huzaifa S. Sidhpurwala 2010-10-22 06:35:57 UTC
Created mysql tracking bugs for this issue

Affects: fedora-12 [bug 645647]

Comment 11 Huzaifa S. Sidhpurwala 2010-10-22 06:42:49 UTC
Created mysql tracking bugs for this issue

Affects: fedora-13 [bug 645651]

Comment 13 errata-xmlrpc 2010-11-03 20:21:48 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0825 https://rhn.redhat.com/errata/RHSA-2010-0825.html

Comment 15 errata-xmlrpc 2011-01-18 18:42:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0164 https://rhn.redhat.com/errata/RHSA-2011-0164.html

