Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 240407 (CVE-2008-4456)

Summary: dev-db/mysql: XSS in command line client of MySQL 5.0.{26-45} (CVE-2008-4456)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: mysql-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 246652    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 18:01:02 UTC
CVE-2008-4456 (
  Cross-site scripting (XSS) vulnerability in the command-line client
  in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
  allows attackers to inject arbitrary web script or HTML by placing it
  in a database cell, which might be accessed by this client when
  composing an HTML document.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 18:16:12 UTC
This bug is ancient!
I think we should remove the versions from the tree. What does the MySQL herd think?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-07 18:27:13 UTC
judging from the heinlich advisory, versions newer than 5.0.45 are also affected:
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 21:22:17 UTC
Seems that the initial bug request was for 5.0.37, 5.0.26, 5.0.45, but wasn't reviewed/pushed until now.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-10-07 21:32:34 UTC
I'll try to include the patch with 5.0.68.
Security: FYI, I consider this really low danger, there were enough other breakages of the HTML and XML command-line output that they are practically unused.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 23:26:17 UTC
I also thought so, but forgot to change prio, d'oh. :/
Where did the Status Whiteboard go? I was absolutely sure I filled out THAT. Oh well...
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:02:28 UTC
Robin, you added a blocker on bug 246652 -- is this bug fixed in 5.0.70 ?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-27 20:36:15 UTC
Sorry, this one isn't fixed in 5.0.70 it seems.
I'll update the patchset for 5.0.72 shortly, just interacting with upstream on one new bug on 5.0.72
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-29 12:14:15 UTC
It's in the tree as mysql-5.0.70-r1 now. Stabilization is in bug 246652.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-22 12:13:59 UTC
Read to vote, I vote YES (we have request for mysql already and this could be added)
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-12 21:56:52 UTC
ack, added.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:34 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at
by GLSA coordinator Tim Sammut (underling).