
Bug 294187 (CVE-2008-7247)

Summary: <dev-db/mysql-{5.0.88,5.1.41} multiple vulnerabilities (CVE-2008-7247,CVE-2009-{4019,4028})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mysql-bugs, ole+gentoo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 303747
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 12:41:47 UTC
http://bugs.mysql.com/bug.php?id=32167
http://bugs.mysql.com/bug.php?id=39277

The changelog for 5.0.88 (http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html) does not mention the fix, but in the bug reports, it says:

"[4 Nov 10:16] Bugs System

Pushed into 5.0.88 (revid:joro@sun.com-20091104091355-hpz6dwgkrfmokj3k) (version source
revid:joro@sun.com-20091027131106-1w5i5wrb27oqewk2) (merge vers: 5.0.88) (pib:13)"
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 22:01:15 UTC
Also, quoted from http://secunia.com/advisories/37372/:

1) An error exists within the "vio_verify_callback()" function in MySQL clients that are linked against OpenSSL libraries. This can potentially be exploited to conduct MitM (Man-in-the-Middle) attacks e.g. via a MySQL server using a certificate with a depth of zero.

2) An error is caused due to missing error handling for "SELECT" statements containing sub-queries in the "WHERE" clause, which can be exploited to cause a server to crash.

3) The "GeomFromWKB()" function fails to preserve an argument's null-value flag when handling geometry values as the first argument. This can be exploited to cause a server to crash.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-01-08 17:45:53 UTC
CVE-2009-4019 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019):
  mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not
  (1) properly handle errors during execution of certain SELECT
  statements with subqueries, and does not (2) preserve certain
  null_value flags during execution of statements that use the
  GeomFromWKB function, which allows remote authenticated users to
  cause a denial of service (daemon crash) via a crafted statement.

CVE-2009-4028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028):
  The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x
  before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts
  a value of zero for the depth of X.509 certificates, which allows
  man-in-the-middle attackers to spoof arbitrary SSL-based MySQL
  servers via a crafted certificate, as demonstrated by a certificate
  presented by a server linked against the yaSSL library.
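
To make the depth rule in the CVE-2009-4028 text concrete, here is an added example, not MySQL's or Gentoo's code: a constructed model of an OpenSSL-style verify callback, with the flawed depth-0 override beside the strict form. The `verify_depth` limit, the `verify_chain` walk and the sample verdict arrays are assumptions standing in for the real library plumbing.

```c
#include <stdio.h>

/* Constructed model of an OpenSSL-style verify callback (assumption, not
 * MySQL's code). OpenSSL calls it once per chain certificate with
 * preverify_ok (1 = passed the built-in checks, 0 = failed) and depth
 * (0 = the peer's own certificate, 1 = its issuer, ...); returning 1
 * makes the library continue as if that certificate were acceptable. */
typedef int (*verify_cb)(int preverify_ok, int depth);

/* Flawed variant: a failure at depth 0 (the server's own certificate) is
 * overridden to "ok", the behaviour the CVE-2009-4028 text describes. */
int flawed_verify_callback(int preverify_ok, int depth)
{
    const int verify_depth = 0;   /* assumed fixed limit, never raised */
    if (!preverify_ok && depth <= verify_depth)
        return 1;                 /* approve despite the verify error */
    return preverify_ok;
}

/* Hardened variant: never override the library's verdict. */
int strict_verify_callback(int preverify_ok, int depth)
{
    (void)depth;
    return preverify_ok;
}

/* Walks a chain the way OpenSSL does, from the highest depth down to the
 * peer certificate at depth 0; preverify[i] is the built-in verdict for
 * depth i. Returns 1 only if every callback call accepted its cert. */
int verify_chain(verify_cb cb, const int *preverify, int chain_len)
{
    for (int depth = chain_len - 1; depth >= 0; depth--) {
        if (!cb(preverify[depth], depth))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed case: a lone, unverifiable certificate (e.g. self-signed). */
    int untrusted_leaf[1] = {0};
    printf("flawed callback accepts it: %d\n",
           verify_chain(flawed_verify_callback, untrusted_leaf, 1));
    printf("strict callback accepts it: %d\n",
           verify_chain(strict_verify_callback, untrusted_leaf, 1));
    return 0;
}
```

The strict form is what a client gets by letting the library enforce SSL_VERIFY_PEER on its own, which is why removing the override rather than tuning the depth limit is the sound fix.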

Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 11:57:52 UTC
CVE-2008-7247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247):
  sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41,
  and 6.0 before 6.0.9-alpha, when the data home directory contains a
  symlink to a different filesystem, allows remote authenticated users
  to bypass intended access restrictions by calling CREATE TABLE with a
  (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a
  subdirectory that requires following this symlink.

Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-02-01 01:32:42 UTC
Fixed 5.1 and 5.0 ebuilds in the tree now.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-01 15:12:03 UTC
(In reply to comment #4)
> Fixed 5.1 and 5.0 ebuilds in the tree now.

I assume 5.0.90-r1 is the target for stabilization?
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-02-01 19:49:02 UTC
.90 or .90-r1, hoping to see if any users report issues with it first.
The testsuite passes, but that hasn't been the only thing before.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-24 21:45:47 UTC
stabilization is happening on bug 303747
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 11:57:10 UTC
All security-supported arches have done the stabilization from bug #303747; should we make the decision about GLSA?
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:09:13 UTC
GLSA together with the other mysql stuff.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:44 UTC
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).