Bug 240407 (CVE-2008-4456) - dev-db/mysql: XSS in command line client of MySQL 5.0.{26-45} (CVE-2008-4456)
Status: RESOLVED FIXED
Alias: CVE-2008-4456
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.mysql.com/bug.php?id=27884
Whiteboard: B3 [glsa]
Depends on: 246652
Reported: 2008-10-07 18:01 UTC by Stefan Behte (RETIRED)
Modified: 2012-01-05 22:46 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 18:01:02 UTC
CVE-2008-4456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456):
  Cross-site scripting (XSS) vulnerability in the command-line client
  in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
  allows attackers to inject arbitrary web script or HTML by placing it
  in a database cell, which might be accessed by this client when
  composing an HTML document.
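
The missing output encoding behind this CVE, shown as an added example (not MySQL's or Gentoo's code): `render_cell` is a hypothetical helper that writes one table cell either verbatim, as the description says the affected client does, or with HTML metacharacters entity-encoded. The sample cell value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Append src to out (capacity cap, current length *len); 0 on success, -1 if it does not fit. */
static int append(char *out, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (*len + n + 1 > cap)
        return -1;
    memcpy(out + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Hypothetical helper: write one <TD> cell into out.
   escape=0 copies the value verbatim (the behaviour the CVE describes);
   escape=1 replaces HTML metacharacters with entities.
   Returns 0 on success, -1 if the output buffer is too small. */
int render_cell(const char *value, int escape, char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append(out, cap, &len, "<TD>") < 0) return -1;
    for (const char *p = value; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *rep = one;          /* default: emit the byte unchanged */
        if (escape) {
            switch (*p) {
            case '&': rep = "&amp;";  break;
            case '<': rep = "&lt;";   break;
            case '>': rep = "&gt;";   break;
            case '"': rep = "&quot;"; break;
            }
        }
        if (append(out, cap, &len, rep) < 0) return -1;
    }
    return append(out, cap, &len, "</TD>");
}

int main(void)
{
    /* Constructed sample value standing in for data read from a database cell. */
    const char *cell = "<b>x</b> & \"y\"";
    char buf[128];
    if (render_cell(cell, 0, buf, sizeof buf) == 0) printf("unescaped: %s\n", buf);
    if (render_cell(cell, 1, buf, sizeof buf) == 0) printf("escaped:   %s\n", buf);
    return 0;
}
```

With escaping off, markup stored in the cell becomes part of the generated document; with escaping on, the same value is rendered as literal text.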
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 18:16:12 UTC
This bug is ancient!
I think we should remove the versions from the tree. What does the MySQL herd think?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-07 18:27:13 UTC
Judging from the Henlich advisory, versions newer than 5.0.45 are also affected:
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 21:22:17 UTC
Seems that the initial bug request was for 5.0.37, 5.0.26, 5.0.45, but wasn't reviewed/pushed until now.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-10-07 21:32:34 UTC
I'll try to include the patch with 5.0.68.
Security: FYI, I consider this really low danger, there were enough other breakages of the HTML and XML command-line output that they are practically unused.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 23:26:17 UTC
I also thought so, but forgot to change prio, d'oh. :/
Where did the Status Whiteboard go? I was absolutely sure I filled out THAT. Oh well...
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:02:28 UTC
Robin, you added a blocker on bug 246652 -- is this bug fixed in 5.0.70?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-27 20:36:15 UTC
Sorry, this one isn't fixed in 5.0.70 it seems.
I'll update the patchset for 5.0.72 shortly, just interacting with upstream on one new bug on 5.0.72
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-29 12:14:15 UTC
It's in the tree as mysql-5.0.70-r1 now. Stabilization is in bug 246652.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-22 12:13:59 UTC
Ready to vote, I vote YES (we have a request for mysql already and this could be added)
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-12 21:56:52 UTC
ack, added.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:34 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).