Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 339717 (CVE-2010-3833) - <dev-db/mysql-5.1.51: Multiple vulnerabilities (CVE-2010-{3833,3834,3835,3836,3837,3838,3839,3840})
Summary: <dev-db/mysql-5.1.51: Multiple vulnerabilities (CVE-2010-{3833,3834,3835,3836...
Status: RESOLVED FIXED
Alias: CVE-2010-3833
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://dev.mysql.com/doc/refman/5.1/e...
Whiteboard: A3 [glsa]
Keywords:
: 339826 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-10-04 15:25 UTC by Jorge Manuel B. S. Vicetto
Modified: 2012-01-05 22:47 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2010-10-04 15:25:01 UTC
As reported to the oss-security list and pending for CVE assignments, the following security fixes were applied to the lastest mysql revision in the 5.1 series.
I'll bump the ebuild in the overlay and talk with robbat2 about adding the new version to the tree.


Security Fix: During evaluation of arguments to extreme-value functions
(such as LEAST() and GREATEST()), type errors did not propagate
properly, causing the server to crash. (Bug#55826)

Security Fix: The server could crash after materializing a derived table
that required a temporary table for grouping. (Bug#55568)

Security Fix: A user-variable assignment expression that is evaluated in
a logical expression context can be precalculated in a temporary table
for GROUP BY. However, when the expression value is used after creation
of the temporary table, it was re-evaluated, not read from the table and
a server crash resulted. (Bug#55564)

Security Fix: Pre-evaluation of LIKE predicates during view preparation
could cause a server crash. (Bug#54568)

Security Fix: GROUP_CONCAT() and WITH ROLLUP together could cause a
server crash. (Bug#54476)

Security Fix: Queries could cause a server crash if the GREATEST() or
LEAST() function had a mixed list of numeric and LONGBLOB arguments, and
the result of such a function was processed using an intermediate
temporary table. (Bug#54461)

Security Fix: Queries with nested joins could cause an infinite loop in
the server when used from stored procedures and prepared statements.
(Bug#53544)
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-05 13:51:26 UTC
*** Bug 339826 has been marked as a duplicate of this bug. ***
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2010-10-06 11:20:05 UTC
robbat2 added the ebuild to the tree.
Comment 3 Gerald 2010-10-07 12:48:14 UTC
5.1.51 obviously does not build with libtool 2.2.6b anymore. 5.1.50 still did.  libtool 2.2.10 is needed, which itself needs EAPI 3. Can you maybe add a dependency?
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-10-07 19:09:27 UTC
(In reply to comment #3)
> 5.1.51 obviously does not build with libtool 2.2.6b anymore. 5.1.50 still did. 
> libtool 2.2.10 is needed, which itself needs EAPI 3. Can you maybe add a
> dependency?
dep added.

Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-10-08 18:17:53 UTC
MySQL bug to CVE mapping for future reference. 

Bug#55826 - incorrect propagation of type errors in evaluation of
arguments to extreme-value functions

  CVE-2010-3833
  "create table .. select crashes with when KILL_BAD_DATA is returned"
  5.0.91,5.1.49,5.1.50-bzr,5.5.5

Bug#55568 - The server could crash after materializing a derived table
that required a temporary table for grouping.

  CVE-2010-3834
  "user variable assignments crash server when used within query"
  5.0.91-debug,5.1.49-debug

Bug #55564 - A user-variable assignment expression that is evaluated
in a logical expression context can be precalculated in a temporary
table for GROUP BY. However, when the expression value is used after
creation of the temporary table, it was re-evaluated, not read from
the table and a server crash resulted.

  CVE-2010-3835
  "crash with user variables, assignments, joins..."
  5.0.92, 5.1.37, 5.1.49, 5.1.50-bzr, 5.5.6-m3

Bug#54568 - Pre-evaluation of LIKE predicates during view preparation
could cause a server crash.

  CVE-2010-3836
  "create view cause Assertion failed: 0, file .\item_subselect.cc, line 836"
  5.0.91-debug, 5.1.47-debug

Bug#54476 - GROUP_CONCAT() and WITH ROLLUP together could cause a
server crash.

  CVE-2010-3837
  "crash when group_concat and 'with rollup' in prepared statements"
  5.0.91, 5.1.47, 5.1.49-bzr, 5.5.3

  see: [23 Jul 14:25] Alexey Kopytov

Bug#54461 - Queries could cause a server crash if the GREATEST() or
LEAST() function had a mixed list of numeric and LONGBLOB arguments,
and the result of such a function was processed using an intermediate
temporary table.

  CVE-2010-3838
  "crash with longblob and union or update with subquery"
  5.0.91,5.1.47, 5.5.3, 5.5.5-m3

Bug#53544 - Queries with nested joins could cause an infinite loop in
the server when used from stored procedures and prepared statements.

  CVE-2010-3839
  "Server hangs during JOIN query in stored procedure called twice in a row"
  5.1.47, 5.6.99-m4 Dahlia, bzr_mysql-6.0-codebase-bugfixing

Bug#51875 - The PolyFromWKB() function could crash the server when
improper WKB data was passed to the function.

  CVE-2010-3840
  "crash when loading data into geometry function polyfromwkb"
  5.0.90,5.1.44 
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-11-02 20:32:18 UTC
security: clear to call for stabilization now.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-11-02 20:39:30 UTC
Arches, please test and mark stable:
=dev-db/mysql-5.1.51
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-11-03 09:19:36 UTC
x86 stable
Comment 9 blain 'Doc' Anderson 2010-11-03 12:38:08 UTC
amd64 stable
created and tested database with no problem

emerge --info
Portage 2.1.8.3 (default/linux/amd64/10.0/desktop/kde, gcc-4.4.4, glibc-2.11.2-r3, 2.6.34-gentoo-r12 x86_64)
=================================================================
System uname: Linux-2.6.34-gentoo-r12-x86_64-AMD_Phenom-tm-_9650_Quad-Core_Processor-with-gentoo-1.12.13
Timestamp of tree: Tue, 02 Nov 2010 22:00:01 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://216.165.129.135/ http://204.152.191.39/ http://199.6.1.174/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus device-mapper dri dts dvd dvdr emboss encode exif extras fam firefox flac fortran gif gnutls gpm gtk hal iconv ipv6 jpeg kde lcms ldap libnotify mad mikmod mmx mng modules mp3 mp4 mpeg mudflap multilib mysql ncurses nls nptl nptlonly ogg opengl openmp pam pango pcre pdf perl png policykit ppds pppd python qt3support qt4 readline sdl semantic-desktop session spell sql sqlite sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vorbis webkit x264 xcb xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia vesa fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-11-03 19:33:35 UTC
amd64 done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-04 16:08:54 UTC
Stable for HPPA.
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2010-11-04 23:58:33 UTC
ppc64 done
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-05 03:55:21 UTC
Stable for PPC.
Comment 14 Markus Meier gentoo-dev 2010-11-05 10:42:59 UTC
arm stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-11-13 19:20:19 UTC
alpha/ia64/s390/sh/sparc stable
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:02:06 UTC
GLSA with 237166.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:04:49 UTC
CVE-2010-3840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840):
  The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1
  before 5.1.51 allows remote authenticated users to cause a denial of service
  (server crash) by calling the PolyFromWKB function with Well-Known Binary
  (WKB) data containing a crafted number of (1) line strings or (2) line
  points.

CVE-2010-3839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839):
  MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated
  users to cause a denial of service (infinite loop) via multiple invocations
  of a (1) prepared statement or (2) stored procedure that creates a query
  with nested JOIN statements.

CVE-2010-3838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838):
  MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows
  remote authenticated users to cause a denial of service (server crash) via a
  query that uses the (1) GREATEST or (2) LEAST function with a mixed list of
  numeric and LONGBLOB arguments, which is not properly handled when the
  function's result is "processed using an intermediate temporary table."

CVE-2010-3837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837):
  MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows
  remote authenticated users to cause a denial of service (server crash) via a
  prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier,
  probably triggering a use-after-free error when a copied object is modified
  in a way that also affects the original object.

CVE-2010-3836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836):
  MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows
  remote authenticated users to cause a denial of service (assertion failure
  and server crash) via vectors related to view preparation, pre-evaluation of
  LIKE predicates, and IN Optimizers.

CVE-2010-3835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835):
  MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated
  users to cause a denial of service (mysqld server crash) by performing a
  user-variable assignment in a logical expression that is calculated and
  stored in a temporary table for GROUP BY, then causing the expression value
  to be used after the table is created, which causes the expression to be
  re-evaluated instead of accessing its value from the table.

CVE-2010-3834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834):
  Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and
  5.5 before 5.5.6 allows remote authenticated users to cause a denial of
  service (server crash) via vectors related to "materializing a derived table
  that required a temporary table for grouping" and "user variable
  assignments."

CVE-2010-3833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833):
  MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not
  properly propagate type errors, which allows remote attackers to cause a
  denial of service (server crash) via crafted arguments to extreme-value
  functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a
  "CREATE TABLE ... SELECT."
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:47:16 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).