** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Martin Joey Schulze reported that mod-auth-mysql insufficiently escapes and potentially allows SQL injections. The mysql module still uses the deprecated mysql_escape_string(), instead of mysql_real_escape_string(). With the attached patch it now also correctly sets a character charset.

http://dev.mysql.com/doc/refman/5.1/en/mysql-escape-string.html
We have a patch, so we could do prestable testing and commit on the embargo date. However, I don't know if upstream reviewed or approved the patch.
Created attachment 178579: mod_auth_mysql-CVE-2008-2384.patch
Steffen Joeris wrote:

The following issue can now be made public. Please note that this describes the software used in Debian as mod-auth-mysql (binary name is libapache2-mod-auth-mysql). It is different from the SF project.
Red Hat used the patch, so I think we can do the same. Apache/mysql herd, please provide an updated ebuild.
(In reply to comment #3)
> Steffen Joeris wrote:
> The following issue can now be made public. Please note that this describes
> the software used in debian as mod-auth-mysql (binary name is
> libapache2-mod-auth-mysql). It is different from the SF project.

But we're using the one from SF!
As the whiteboard does not mention a date, and I don't know if this is really public (or "semi-public"), I'm making the bug private again.
All info in this bug is public via the URL. It is still open in the Auditing section because we may want to research the sf project for a similar bug.
mod_auth_mysql != mod-auth-mysql

1. Debian's mod_auth_mysql is a different package than the SourceForge one we package. hollow noted this 6 months ago, and you ignored us. The patch has exactly one hunk that matches, simply because of whitespace; the other hunks don't apply at all!
2. I do see that this codebase is vulnerable to the same class of problem described.
3. The mod-auth-mysql package basically forked from mod_auth_mysql in 2002, and while some consolidation attempts happened between upstreams over the years, they continued to drift apart. Both of them share the same heritage as being bundled in early versions of Apache contrib.

I say RESO INVALID, and as one of the maintainers, either security can close the bug, or I will.
(In reply to comment #8)
> mod_auth_mysql != mod-auth-mysql
>
> I say RESO INVALID, and as one of the maintainers, either security can close
> the bug, or I will.

Seems clear to me. If anyone disagrees, please reopen. Thanks.