Stefan Esser discovered multiple buffer overflow flaws in PHP's mysqlnd (MySQL native driver) extension in functions php_mysqlnd_rset_header_read(), php_mysqlnd_read_error_from_line() and php_mysqlnd_auth_write(). A malicious mysql server could trigger heap or stack based buffer overflow in PHP interpreter via a specially-crafted mysql network protocol packets, possibly leading to arbitrary code execution with interpreter's privileges.
Related upstream commits:
mysqlnd extension was added in PHP 5.3. Therefore, this issue does not affect
PHP versions in Red Hat Enterprise Linux 3, 4, and 5. mysqlnd extension is not
enabled in Fedora and Red Hat Enterprise Linux 6 Beta php packages, older mysql
client library is still used.
Not vulnerable. This issue did not affect the versions of php as shipped with
Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
CVE-2010-3062 (covers MOPS-2010-056 - bug #619007 - too):
mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows
remote attackers to (1) read sensitive memory via a modified length value,
which is not properly handled by the php_mysqlnd_ok_read function; or (2)
trigger a heap-based buffer overflow via a modified length value, which is not
properly handled by the php_mysqlnd_rset_header_read function.
The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.
Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.