Bug 84819 - dev-db/mysql arbitrary code execution
Summary: dev-db/mysql arbitrary code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Highest major
Assignee: Gentoo Security
URL: http://www.k-otik.com/english/advisor...
Whiteboard: A2? [glsa] jaervosz
Keywords:
Duplicates: 84859 84924
Depends on:
Blocks:
 
Reported: 2005-03-10 23:14 UTC by petre rodan (RETIRED)
Modified: 2005-08-15 21:39 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description petre rodan (RETIRED) gentoo-dev 2005-03-10 23:14:14 UTC
2002-2005 K-OTiK Security 
Comment 1 petre rodan (RETIRED) gentoo-dev 2005-03-10 23:14:14 UTC
2002-2005 K-OTiK Security © Research and Monitoring Team 24/24 & 7/7

----------------------------------------------------------------------
                        -- 11 Mar. 2005 #1 --
----------------------------------------------------------------------

-  Mysql 4.x "CREATE FUNCTION" Arbitrary Code Execution Exploit

   ## Mysql CREATE FUNCTION libc arbitrary code execution
   ##
   ## Vulnerable: Mysql <= 4.0.23, 4.1.10
   ##
   ## KOTIK/ADV-2005-0252

   Exploit  - http://www.k-otik.com/exploits/20050310.mysqllibc.php
   Advisory - http://www.k-otik.com/english/advisories/2005/0252

-  Mysql 4.x "CREATE FUNCTION" Arbitrary Library Injection Exploit

   ## Mysql CREATE FUNCTION func table arbitrary library injection
   ##
   ## Vulnerable: Mysql <= 4.0.23, 4.1.10
   ##
   ## KOTIK/ADV-2005-0252

   Exploit  - http://www.k-otik.com/exploits/20050310.mysqlcreate.php

----------------------------------------------------------------------
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-10 23:39:49 UTC
Mysql please verify and advise.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-11 00:11:14 UTC
4.0.24 is not noted as vulnerable.
As 4.0.24 is tagged in MySQL's BK tree (and will be released soon my sources say), does anybody know if it has been tested for being vulnerable even?
Comment 4 rob holland (RETIRED) gentoo-dev 2005-03-11 01:36:18 UTC
4.0.24 is noted as the solution, which answers the question I think :)
Comment 5 petre rodan (RETIRED) gentoo-dev 2005-03-11 07:32:17 UTC
one extra reason to go 4.0.24
http://secunia.com/advisories/14547/

it's the same reporter with one extra exploitation vector
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 07:45:56 UTC
4.0.24 is out. Robin please provide an updated ebuild.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-11 07:48:16 UTC
The author's page at
http://www.k-otik.com/english/advisories/2005/0252
has 3 vulnerabilities.

The other page at
http://secunia.com/advisories/14547/
has only 2 vulnerabilities.

Which I find strange.

Upstream has released 4.1.10a, but they don't seem to have 4.0.24 out yet when I checked a moment ago. I'd expect it to be released in a matter of hours. It fixes a lot of problems with 4.0.2[23], and it's been a long time in coming.

I'm just heading to bed now.
Comment 8 Wolfram Schlich (RETIRED) gentoo-dev 2005-03-11 09:59:18 UTC
*** Bug 84859 has been marked as a duplicate of this bug. ***
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:45:21 UTC
*** Bug 84924 has been marked as a duplicate of this bug. ***
Comment 10 petre rodan (RETIRED) gentoo-dev 2005-03-11 22:51:54 UTC
4.0.24 has been released
http://dev.mysql.com/downloads/mysql/4.0.html
Comment 11 Wolfram Schlich (RETIRED) gentoo-dev 2005-03-12 07:38:18 UTC
as 4.0.24 and 4.1.10a have been released, is there any schedule for
those versions to hit the portage tree?!
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-12 16:54:38 UTC
I'm busy testing 4.0.24 now, I should get it out to ~arch in a few hours.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-12 22:07:24 UTC
Ok, 4.0.24-r0 and 4.0.24-r1 are in the tree now as ~arch.
4.0.24-r0 is based strictly off 4.0.23 (with the addition of a src_test function).
4.0.24-r1 implements a number of modifications that upstream has requested and have been under development until now (the discussion is in bug #44592), as well as implementing a USE=minimal mode for MySQL.

I only expect arches to stabilize 4.0.24-r0 at this point (and let -r1 go thru the normal month of testing).

To test the ebuilds:
USE="berkdb ssl perl readline ssl tcpd" FEATURES="test" emerge =dev-db/mysql-4.0.24

MySQL-4.1 has not ever been out of p.mask yet, and still doesn't work on my testing machine. I've got a user helping me out with it, and I'll try and see that we get 4.1.10a into the tree within the next 2 weeks (I don't have time to do it sooner, as I've got exams next week).
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-13 06:44:40 UTC
Thx Robin.

Arches please test and mark stable.
Comment 15 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-13 07:48:50 UTC
Stable on ppc.
Comment 16 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-13 07:52:02 UTC
Compiled fine, tests finished successfully, but I got an access violation on amd64:

------------------------------------------

Ending Tests
Shutting-down MySQL daemon

Master shutdown finished
Slave shutdown finished
All 209 tests were successful.

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-dev-db_-_mysql-4.0.24-9374.log"

open_wr:   /this-dir-does-not-exist/t9.MYI
--------------------------------------------------------------------------------
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2005-03-13 08:15:06 UTC
Same access violation on ppc64. If I leave out FEATURES="test" the ebuild installs smoothly and mysqld runs.

Not marked stable on ppc64 yet.
Comment 18 Jakub Moc (RETIRED) gentoo-dev 2005-03-13 08:56:34 UTC
Please do at least minimal testing BEFORE marking stable. See Bug 85095 - the init script is just totally broken. 
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2005-03-13 10:41:12 UTC
Jakub Moc: we are about to mark mysql-4.0.24 stable not mysql-4.0.24-r1. That init script works, does it? (for me it does!)
Comment 20 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-13 11:14:49 UTC
So does it for me. I did some small tests and they were successful.
Comment 21 Jason Wever (RETIRED) gentoo-dev 2005-03-13 11:51:23 UTC
Stable on SPARC.
Comment 22 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-13 12:26:36 UTC
Re the tests and sandbox violation of '/this-dir-does-not-exist/t9.MYI'
I've looked at the test sources, and added an addpredict entry into the ebuilds for it.
Comment 23 Jakub Moc (RETIRED) gentoo-dev 2005-03-13 12:37:29 UTC
Markus: Oh, sorry. :/ I just tried to emerge latest unstable 4.0.x and did not notice that it was not the right version to become stable now. 
Comment 24 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-13 13:22:34 UTC
works now, stable on amd64
Comment 25 Markus Rothe (RETIRED) gentoo-dev 2005-03-13 13:30:39 UTC
stable on ppc64

Jakub: ^_^
Comment 26 Hardave Riar (RETIRED) gentoo-dev 2005-03-14 09:56:14 UTC
Stable on mips.
Comment 27 Guy Martin (RETIRED) gentoo-dev 2005-03-14 10:29:35 UTC
Stable on hppa.
Comment 28 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-14 10:52:54 UTC
Stable on alpha.
Comment 29 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-14 13:49:08 UTC
x86 done, after a lot more testing to be sure :-).
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-16 08:23:47 UTC
GLSA 200503-19

arm, ia64, s390 please remember to mark stable to benefit from the GLSA.
Comment 31 James Porter 2005-03-27 15:07:17 UTC
When will 4.1 be in portage so that we can use the new GUIs... the good old mysqlcc is marked as deprecated by upstream... gentoo really needs to catch up!
Comment 32 Chris Gianelloni (RETIRED) gentoo-dev 2005-03-27 15:24:56 UTC
Wow... that had absolutely nothing to do with this bug...

I think James gets today's award for off-topic post to a bug report...