Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 229329

Summary: dev-db/mysql <= 5.0.60-r1: GRANT statement DoS
Product: Gentoo Security Reporter: Walter <walter>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mysql-bugs, tm
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://bugs.mysql.com/bug.php?id=16470
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 246652    
Bug Blocks:    

Description Walter 2008-06-25 03:01:33 UTC 
upstream bug is here http://bugs.mysql.com/bug.php?id=16470

supposedly a patch is out here: http://lists.mysql.com/commits/43522

this should be brought in to gentoo's portage tree immediately.

Reproducible: Always

Steps to Reproduce:
mysql> grant blah on blah.blah to blah@blah identified by blah;


Actual Results:  
 entire daemon dies immediately

Expected Results:  
stable!
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-05 14:28:55 UTC 
This is actually a Denial of Service issue and should be handled as a security bug, re-assigning.
Short summary: Any user with GRANT permissions can crash the whole server.

mysql team, please bump.
Comment 2 Walter 2008-08-19 04:18:15 UTC 
It's not only a DoS issue, it prohibits regular use of grant statements.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:06:17 UTC 
All security relevant arches stable due to bug 246652.

I vote YES.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:18:13 UTC 
Returning to [ebuild]... the patch has not been committed to 5.0 as discussed on
  http://lists.mysql.com/commits/36237

I'm not sure whether upstream states that 5.0 is not affected, or they simply do not care.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-29 12:14:27 UTC 
It's in the tree as mysql-5.0.70-r1 now. Stabilization is in bug 246652.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-22 12:12:55 UTC 
Yes, too. Added bug # to a pending request.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-25 19:05:39 UTC 
security: bump for glsa on this
Comment 8 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2010-11-16 14:21:16 UTC 
security: ping
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:21 UTC 
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).