Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 101813

Summary: dev-db/mysql: Buffer Overflow in User Defined Functions
Product: Gentoo Security Reporter: Stefan Cornelius (RETIRED) <dercorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED WONTFIX    
Severity: major CC: mysql-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
Whiteboard: B1? [ebuild] DerCorny
Package list:
Runtime testing required: ---

Description Stefan Cornelius (RETIRED) gentoo-dev 2005-08-08 18:11:42 UTC 
Affected Versions:
ALL

Background:
User-defined functions in MySQL allow a user in the database to call binary
libraries on the operating system. Creating a user-defined function requires
insert privileges on the mysql.func table.

Details:
The init_syms() function uses an unsafe string function to copy a user specified
string into a stack based buffer. Due to improper sanitation this buffer is able
to be overflowed, overwriting portions of the stack. This allows an attacker to
write 14 bytes of arbitrary data and 8 bytes of hard coded data beyond the end
of the buffer.

MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-08 18:19:32 UTC 
mysql team, please provide ebuilds - thanks. (Btw, is ther no mysql@gentoo.org
alias for you?)
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-08 22:52:54 UTC 
Your background lacks some specific information, that make this a lot harder to 
exploit.

Creating a user-defined function requires two steps.
1. write function in C/C++, compile as shared lib, copy into restricted 
directory on the server (the mysql server requires it to be in a location that 
is in your dynamic linker path [LDPATH]).
2. run INSERT query, putting data in mysql.func table (or using the 'CREATE 
FUNCTION' query).

You need root level access to accomplish #1.

Also, it's not clear where the patch is. There isn't a date on that advisory, 
so I don't know if it's already fixed in 4.0.25 or not.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-08 23:40:02 UTC 
4.0.25 is fixed according to the URL.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-09 00:14:30 UTC 
"MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched."
Is the patch against these versions, or do they contain the patch?

I see no mention of anything to do with user-defined functions in the 4.0.25 
changelog.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 00:38:50 UTC 
DerCorny: The alias for mysql is "mysql-bugs@g.o", this is due to the existence
of a "mysql" user on the machines.

robbat2: I can't find the patch/bug in MySQL changelog either.

As this requires admin rights to create user-defined functions anyway, I would
close it as WONTFIX.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 00:46:37 UTC 
There are two others in the same style :

[AppSecInc Advisory MYSQL05-V0001] Improper Filtering of Directory Traversal
Characters in MySQL User Defined Functions
http://www.appsecinc.com/resources/alerts/mysql/2005-001.html

[AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined
Functions (Team SHATTER)
http://www.appsecinc.com/resources/alerts/mysql/2005-003.html

I guess they also require root rights at some point , but you might want to
double-check
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-09 01:12:53 UTC 
MYSQL05-V0001 only applies to MySQL on Windows.

MYSQL05-V0003 item #1 again only applies to Windows.

MYSQL05-V0003 item #2 is a bit more interesting. You'd only need to get DB 
privileges to take advantage of this (mysql.func is restricted to MySQL's root 
user by default), but you could concievable take advantage of it (there are a 
lot worse things you could do with MySQL's root user anyway).
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-10 01:51:37 UTC 
I would close those "vulnerabilities" as INVALID. If another security member
agrees, he can close this bug.
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-10 01:53:47 UTC 
Agreed, no security impact from these issues. The fixes can filter down from 
upstream.