The upcoming MySQL 5.1.47 [1] and 5.0.91 [2] releases indicate a fix for the following issue, which has been assigned CVE-2010-1849. Currently the bug report [3] is not public. The release notes are very light on details, but I suspect this is a denial of service issue:

  The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug#50974, CVE-2010-1849)

Without access to the upstream bug, it is difficult to determine if this would also affect older 4.x releases.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
[3] http://bugs.mysql.com/bug.php?id=50974
The following commits in 5.0 and 5.1 refer to the upstream bug:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2860
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/1810.3987.14
A few notes on this issue:

- The indefinite read mentioned in the upstream release notes seems to refer to my_net_skip_rest() (which is not called in certain cases with the patch applied). Additional packets are read there only if the packet has the maximum possible length, MAX_PACKET_LENGTH (0xffffff). This requires an attacker to keep sending a continuous stream of such long packets. Additionally, connect_timeout still seems to cause unauthenticated connections to be dropped as expected.

- The change the upstream commits add to sql_parse.cc is to check_user(), which can be found in sql_connect.cc in older mysql versions.
This issue does not affect mysql version 3.23.x in RHEL3, as my_net_skip_rest() cannot be called there. my_real_read() contains:

  for (i=0 ; i < 2 ; i++)
  {
    ...
    if (i == 0)
    {
      ...
      if (i == 1)
        my_net_skip_rest(net, len, &alarmed, &alarm_buff);
    }
  }

(some code / nesting removed)
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
More upstream information now that the CVE is public:

http://lists.mysql.com/commits/106060

The upstream bug is also public now.
(In reply to comment #15)
> More upstream information now that the CVE is public:
>
> http://lists.mysql.com/commits/106060

Note that this patch seems to be a change that was originally proposed as a fix for this issue, but this idea was later abandoned and the fix linked in comment #1 is what got used in the released updates.

This issue is also often incorrectly described in various vulnerability databases or advisories. The impact of this flaw is quite limited. An attacker can connect to mysqld and send certain specially-crafted packets that cause the server to read more data from the attacker until connect_timeout (default is 10s) is hit. After that timeout, the connection is closed by the server. This can have some impact on CPU / network bandwidth usage, but a similar effect can be achieved by repeatedly opening new connections and sending smaller packets that require more CPU time to be processed (e.g. well-formed authentication requests with incorrect credentials).

In the case of these oversized packets, mysqld only reads data off the network in chunks into a buffer of limited size (net_buffer_length, or 16384 by default, possibly up to max_allowed_packet, or 1048576; those parameters are configurable) and does no further processing on the data read. The next data chunk overwrites the previously read one. This does not cause the server to allocate an excessive amount of memory as some advisories suggest.

Due to the limited impact of this issue, there's no plan to address this in mysql updates for Red Hat Enterprise Linux 3 and 4. Future mysql rebases may introduce this fix in Red Hat Enterprise Linux 5. Future product versions based on the fixed upstream version will have this fix included too.
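To illustrate the framing behaviour discussed in this thread (the 0xffffff continuation rule and the bounded "skip rest" read), here is an added Python model written for this page; it is not mysqld code and not taken from the bug report. The size check against max_allowed_packet, the NET_BUFFER_LENGTH scratch buffer and the status tuple are modelling assumptions: the point is that an oversized logical packet is drained through a fixed-size buffer, so peak memory stays at net_buffer_length however much data the peer sends, and a dropped connection (or connect_timeout) simply ends the read.

```python
import io

MAX_PACKET_LENGTH = 0xFFFFFF   # payload of exactly this size means "more follows"
NET_BUFFER_LENGTH = 16384      # default net_buffer_length quoted in the thread
MAX_ALLOWED_PACKET = 1048576   # default max_allowed_packet quoted in the thread

def encode_packets(payload, seq=0):
    """Frame a payload as MySQL packets (3-byte LE length, 1-byte sequence id)."""
    chunks = [payload[i:i + MAX_PACKET_LENGTH]
              for i in range(0, len(payload), MAX_PACKET_LENGTH)] or [b""]
    if len(chunks[-1]) == MAX_PACKET_LENGTH:
        chunks.append(b"")            # empty trailer terminates a full-size run
    out = bytearray()
    for c in chunks:
        out += len(c).to_bytes(3, "little") + bytes([seq & 0xFF]) + c
        seq += 1
    return bytes(out)

def read_logical_packet(stream, max_allowed=MAX_ALLOWED_PACKET):
    """Reassemble one logical packet. Once it would exceed max_allowed, switch to
    a skip mode (modelled on my_net_skip_rest()) that drains continuation packets
    through a fixed scratch buffer. Returns (status, payload, bytes_read, peak)."""
    payload, scratch = bytearray(), bytearray(NET_BUFFER_LENGTH)
    total, peak, skipping = 0, 0, False
    while True:
        hdr = stream.read(4)
        if len(hdr) < 4:               # peer went away or connect_timeout fired
            return ("eof", None, total, peak)
        total += 4
        length = int.from_bytes(hdr[:3], "little")
        if not skipping and len(payload) + length > max_allowed:
            skipping, payload = True, None   # keep reading, keep nothing
        remaining = length
        while remaining:
            if skipping:               # each chunk overwrites the previous one
                n = stream.readinto(memoryview(scratch)[:min(remaining, NET_BUFFER_LENGTH)])
                peak = max(peak, n)
            else:
                chunk = stream.read(remaining)
                n = len(chunk)
                payload += chunk
            if not n:
                return ("eof", None, total, peak)
            remaining -= n
            total += n
        if length < MAX_PACKET_LENGTH:  # a short packet ends the sequence
            break
    return ("too_large", None, total, peak) if skipping else ("ok", bytes(payload), total, peak)

def read_from_bytes(data, max_allowed=MAX_ALLOWED_PACKET):
    return read_logical_packet(io.BytesIO(data), max_allowed)
```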
RHSA-2012:0127 updated mysql packages in Red Hat Enterprise Linux 5 to version 5.0.95, which includes this fix:

https://rhn.redhat.com/errata/RHSA-2012-0127.html

Statement: This issue was fixed in mysql packages shipped with Red Hat Enterprise Linux 5 via RHSA-2012:0127. The mysql packages in Red Hat Enterprise Linux 6 include this fix since the initial release of the product.