Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 277717 (CVE-2009-2446)

Summary: <dev-db/mysql-5.0.83 dispatch_command() multiple format string vulnerabilities (CVE-2009-2446)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mysql-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 290485, 303747    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-07-13 21:44:33 UTC
CVE-2009-2446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446):
  Multiple format string vulnerabilities in the dispatch_command
  function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through
  5.0.83 allow remote authenticated users to cause a denial of service
  (daemon crash) and possibly have unspecified other impact via format
  string specifiers in a database name in a (1) COM_CREATE_DB or (2)
  COM_DROP_DB request.  NOTE: some of these details are obtained from
  third party information.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-13 21:46:07 UTC
mysql: we already have 5.0.83 in tree, would it be ok to stable?
The exploit did not work for us, so there seems no need no hurry.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-04 23:34:30 UTC
mysql: *ping*
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-10-05 00:59:23 UTC
+1, but beware that it no longer compiles with <gcc-4. This a show-stopper for hardened.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 00:27:25 UTC
mysql: what is your planned timeline on this?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-07 00:30:18 UTC
I answered you already that you could stable it once hardened has a stable GCC4.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 02:08:18 UTC
I somehow misinterpreted your answer, sorry.
Adding bug nr as dependency.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-11-07 13:52:41 UTC
stabling is done currently happening in bug 290485.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-09 20:34:54 UTC
stabling moved to sec bug 303747
Comment 9 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 11:51:25 UTC
(In reply to comment #8)
> stabling moved to sec bug 303747

All security-supported arches have done the stabilization from bug #303747. Should we make the decision about GLSA?
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:07:32 UTC
B2 needs a GLSA, there is nothing to decide.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:39 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).