Bug 101813 - dev-db/mysql: Buffer Overflow in User Defined Functions
Summary: dev-db/mysql: Buffer Overflow in User Defined Functions
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.appsecinc.com/resources/al...
Whiteboard: B1? [ebuild] DerCorny
Keywords:
Depends on:
Blocks:
Reported: 2005-08-08 18:11 UTC by Stefan Cornelius (RETIRED)
Modified: 2005-08-10 01:53 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Stefan Cornelius (RETIRED) gentoo-dev 2005-08-08 18:11:42 UTC
Affected Versions:
ALL

Background:
User-defined functions in MySQL allow a user in the database to call binary
libraries on the operating system. Creating a user-defined function requires
insert privileges on the mysql.func table.

Details:
The init_syms() function uses an unsafe string function to copy a user specified
string into a stack based buffer. Due to improper sanitation this buffer is able
to be overflowed, overwriting portions of the stack. This allows an attacker to
write 14 bytes of arbitrary data and 8 bytes of hard coded data beyond the end
of the buffer.

MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched.
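The copy pattern the advisory describes, beside a bounded version, as a constructed C illustration added here (it is not MySQL's init_syms() code): the buffer size, the helper names and the sample UDF names are assumptions; only the name/name_init/name_deinit symbol convention is MySQL's documented UDF interface.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed illustration, not MySQL's init_syms(): a fixed stack buffer
 * receives a symbol name derived from the user-supplied UDF name. MySQL's
 * UDF interface looks up name, name_init and name_deinit, so "_deinit" is
 * the longest suffix any derived symbol carries. */
#define SYM_BUF 32
#define LONGEST_SUFFIX "_deinit"

/* The pattern the advisory describes: unbounded strcpy()/strcat() of a
 * user-controlled name. A name longer than sym[] writes past it onto the stack. */
static void build_symbol_unsafe(const char *udf_name, const char *suffix, char *sym)
{
    strcpy(sym, udf_name);
    strcat(sym, suffix);
}

/* Hardened version: reject a name that would not fit together with the
 * longest suffix and the NUL, then let snprintf() enforce the bound anyway. */
static bool build_symbol_safe(const char *udf_name, const char *suffix,
                              char *sym, size_t symsz)
{
    if (strlen(udf_name) + sizeof(LONGEST_SUFFIX) > symsz)  /* sizeof includes NUL */
        return false;
    int n = snprintf(sym, symsz, "%s%s", udf_name, suffix);
    return n >= 0 && (size_t)n < symsz;  /* n >= symsz would mean truncation */
}

/* Guard a proposed UDF name before it is accepted: every derived symbol must fit. */
static bool udf_name_fits(const char *udf_name)
{
    char sym[SYM_BUF];
    return build_symbol_safe(udf_name, "", sym, sizeof sym)
        && build_symbol_safe(udf_name, "_init", sym, sizeof sym)
        && build_symbol_safe(udf_name, "_deinit", sym, sizeof sym);
}

int main(void)
{
    char sym[SYM_BUF];
    const char *names[] = { "my_udf", "a_very_long_udf_name_that_does_not_fit" }; /* constructed */
    build_symbol_unsafe(names[0], "_init", sym);  /* harmless only because names[0] is short */
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", names[i], udf_name_fits(names[i]) ? "accepted" : "rejected");
    return 0;
}
```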
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-08 18:19:32 UTC
mysql team, please provide ebuilds - thanks. (Btw, is there no mysql@gentoo.org
alias for you?)
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-08 22:52:54 UTC
Your background lacks some specific information that makes this a lot harder to
exploit.

Creating a user-defined function requires two steps.
1. write function in C/C++, compile as shared lib, copy into restricted
directory on the server (the mysql server requires it to be in a location that
is in your dynamic linker path [LDPATH]).
2. run INSERT query, putting data in mysql.func table (or using the 'CREATE
FUNCTION' query).

You need root level access to accomplish #1.

Also, it's not clear where the patch is. There isn't a date on that advisory, 
so I don't know if it's already fixed in 4.0.25 or not.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-08 23:40:02 UTC
4.0.25 is fixed according to the URL. 
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-09 00:14:30 UTC
"MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched."
Is the patch against these versions, or do they contain the patch?

I see no mention of anything to do with user-defined functions in the 4.0.25 
changelog.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 00:38:50 UTC
DerCorny: The alias for mysql is "mysql-bugs@g.o", this is due to the existence
of a "mysql" user on the machines.

robbat2: I can't find the patch/bug in MySQL changelog either.

As this requires admin rights to create user-defined functions anyway, I would
close it as WONTFIX.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 00:46:37 UTC
There are two others in the same style:

[AppSecInc Advisory MYSQL05-V0001] Improper Filtering of Directory Traversal
Characters in MySQL User Defined Functions
http://www.appsecinc.com/resources/alerts/mysql/2005-001.html

[AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined
Functions (Team SHATTER)
http://www.appsecinc.com/resources/alerts/mysql/2005-003.html

I guess they also require root rights at some point, but you might want to
double-check.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-09 01:12:53 UTC
MYSQL05-V0001 only applies to MySQL on Windows.

MYSQL05-V0003 item #1 again only applies to Windows.

MYSQL05-V0003 item #2 is a bit more interesting. You'd only need to get DB
privileges to take advantage of this (mysql.func is restricted to MySQL's root
user by default), but you could conceivably take advantage of it (there are a
lot worse things you could do with MySQL's root user anyway).
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-10 01:51:37 UTC
I would close those "vulnerabilities" as INVALID. If another security member
agrees, he can close this bug.
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-10 01:53:47 UTC
Agreed, no security impact from these issues. The fixes can filter down from
upstream.