Bug 321791 (CVE-2010-1621)

Summary: <dev-db/mysql-5.1.50-r1: Multiple vulnerabilities (CVE-2010-{1621,1626,1848,1849,1850,2008,3676,3677,3678,3679,3680,3681,3682,3683})
Product: Gentoo Security
Reporter: Johan Bergström <bugs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: bugs, genzilla, gustavo, mysql-bugs, ts77, underling
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 333923, 335995
Bug Blocks:

Description Johan Bergström 2010-05-28 08:58:23 UTC
Just tried a version bump on x86 with FEATURES="userpriv test" USE="community" which seems to work nicely.

------------------------------------------------------------
The servers were restarted 241 times
Spent 532.568 of 1137 seconds executing testcases

Completed: All 588 tests were successful.
Comment 1 Hanno Böck gentoo-dev 2010-06-07 12:17:24 UTC
      Security Fix: The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.

      In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.

      Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848)

      Security Fix: The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code. (Bug#53237, CVE-2010-1850)

      Security Fix: The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug#50974, CVE-2010-1849)
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:21:23 UTC
please assign security bug to the security team
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:31:27 UTC
CVE-2010-1848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848):
  Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1
  before 5.1.47 allows remote authenticated users to bypass intended
  table grants to read field definitions of arbitrary tables, and on
  5.1 to read or delete content of arbitrary tables, via a .. (dot dot)
  in a table name.

CVE-2010-1849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849):
  The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through
  5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a
  denial of service (CPU and bandwidth consumption) by sending a large
  number of packets that exceed the maximum length.

CVE-2010-1850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850):
  Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47
  allows remote authenticated users to execute arbitrary code via a
  COM_FIELD_LIST command with a long table name.
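The COM_FIELD_LIST issues described in comment 1 and comment 3 (CVE-2010-1848 and CVE-2010-1850) both come down to a table-name argument that was used before it was checked. The following is an added example, not code from MySQL or from this bug, of the two checks a defender expects at that point: a length bound enforced from the packet framing before any copy, and rejection of path separators and ".." components. TABLE_NAME_MAX, the function names and the enum are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example (not MySQL's own NAME_LEN constant):
 * a table identifier is at most 64 bytes here. */
#define TABLE_NAME_MAX 64

enum name_check {
    NAME_OK = 0,
    NAME_EMPTY,      /* zero-length name */
    NAME_TOO_LONG,   /* exceeds TABLE_NAME_MAX: would overflow a fixed buffer */
    NAME_PATH_CHARS, /* '/', '\\' or embedded NUL: could escape the schema directory */
    NAME_DOT_DOT     /* ".." component: directory traversal */
};

/* Validate the table-name bytes of a COM_FIELD_LIST packet. `len` comes from
 * the packet framing, never from strlen() on the payload, so the bound is
 * checked before the bytes are trusted as a C string or used in a file path.
 * Hypothetical helper, not the server's own code. */
enum name_check check_field_list_table_name(const char *arg, size_t len)
{
    size_t i;
    if (len == 0) return NAME_EMPTY;
    if (len > TABLE_NAME_MAX) return NAME_TOO_LONG;
    for (i = 0; i < len; i++) {
        if (arg[i] == '.' && i + 1 < len && arg[i + 1] == '.')
            return NAME_DOT_DOT;
        if (arg[i] == '/' || arg[i] == '\\' || arg[i] == '\0')
            return NAME_PATH_CHARS;
    }
    return NAME_OK;
}

/* Copy a name into a fixed-size buffer only after it passes validation and
 * fits together with its terminator. On any failure the buffer is left empty
 * and false is returned, so callers cannot use a partially copied name. */
bool copy_table_name(char *dst, size_t dst_size, const char *arg, size_t len)
{
    if (dst_size == 0) return false;
    dst[0] = '\0';
    if (len >= dst_size) return false;   /* no room for the NUL terminator */
    if (check_field_list_table_name(arg, len) != NAME_OK) return false;
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return true;
}
```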

Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:24:10 UTC
mysql Team, please provide an updated ebuild
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:25 UTC
CVE-2010-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621):
  The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL
  before 5.1.46 does not check privileges before uninstalling a plugin,
  which allows remote attackers to uninstall arbitrary plugins via the
  UNINSTALL PLUGIN command.

CVE-2010-1626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626):
  MySQL before 5.1.46 allows local users to delete the data and index
  files of another user's MyISAM table via a symlink attack in
  conjunction with the DROP TABLE command, a different vulnerability
  than CVE-2008-4098 and CVE-2008-7247.

Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-26 12:09:50 UTC
mysql team, are there plans to stabilize the 5.1 series? It seems rather difficult to fix all these vulnerabilities (and probably future ones too) in the 5.0 series unless upstream took care of that.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-06-26 17:32:22 UTC
presently blocking on breakage that was introduced by upstream. Specifically the Archive engine (USE=extraengine but very popular) seems to be badly broken, but I haven't managed to trace WHY yet, primarily due to a shortage of time.
Comment 8 Vasilis Lourdas 2010-07-24 21:34:29 UTC
MySQL 5.1.49 was released on July 23rd (http://forums.mysql.com/read.php?3,377551,377551#msg-377551). When can we expect a version newer than 5.1.46 in the tree...?
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 16:08:33 UTC
CVE-2010-2008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008):
  MySQL before 5.1.48 allows remote authenticated users with alter
  database privileges to cause a denial of service (server crash and
  database loss) via an ALTER DATABASE command with a #mysql50# string
  followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar
  sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes
  MySQL to move certain directories to the server data directory.

Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-07-27 19:40:46 UTC
5.1.49 added to overlay, testing it now.
http://git.overlays.gentoo.org/gitweb/?p=proj/mysql.git;a=commit;h=11aa801ac65212e678ed8da7715c56a39bd5077b

Hopefully it passes the tests where 5.1.48 failed.
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-08 23:45:21 UTC
5.1.49 in the tree now.
security: your bug again.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2010-08-30 21:38:01 UTC
*** Bug 335331 has been marked as a duplicate of this bug. ***
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-30 21:44:11 UTC
(In reply to comment #12)
> *** Bug 335331 has been marked as a duplicate of this bug. ***
> 

There were some additional DoS vulnerabilities reported and fixed in 5.1.49.
The duped bug has a list, we'll add the CVE ids to that bug later on.

Asked robbat for specific stabilization target. stablereq coming soon
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-31 10:11:21 UTC
Arches, please test and mark stable:
=dev-db/mysql-5.1.50
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-08-31 12:31:33 UTC
amd64 done
Comment 16 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-01 03:49:31 UTC
x86 stable
Comment 17 Cyprien Nicolas (fulax) 2010-09-01 09:31:46 UTC
dev-db/mysql-5.1.50 has open bugs (#334009 and #334013 at least)
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-09-01 19:08:10 UTC
(In reply to comment #17)
> dev-db/mysql-5.1.50 has open bugs (#334009 and #334013 at least)
Fixed already.

security: Can we update the target to -r1 please?
Comment 19 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-01 21:52:34 UTC
Arches, please test and mark stable:
=dev-db/mysql-5.1.50-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 20 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-03 05:11:03 UTC
x86 stable
Comment 21 Gustavo Zacarias 2010-09-03 12:59:09 UTC
How about adding a nice revdep-rebuild note in the ebuilds?
Upgrading from 5.0.* to 5.1.* broke DBD-mysql, apr-util and php for me.
I'm pretty sure it breaks more than that.
Comment 22 Markos Chandras (RETIRED) gentoo-dev 2010-09-03 20:02:59 UTC
amd64 done
Comment 23 Richard Freeman gentoo-dev 2010-09-04 17:16:35 UTC
might not hurt to send out a news item on mysql upgrades like this - if you use innodb the upgrade cannot be performed automatically.
Comment 24 Jeroen Roovers gentoo-dev 2010-09-05 18:27:00 UTC
Stable for HPPA.
Comment 25 Tobias Klausmann gentoo-dev 2010-09-06 21:32:39 UTC
Stable on alpha.
Comment 26 Brent Baude (RETIRED) gentoo-dev 2010-09-22 15:30:35 UTC
ppc done
Comment 27 Tim Sammut (RETIRED) gentoo-dev 2010-09-30 20:12:35 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > *** Bug 335331 has been marked as a duplicate of this bug. ***
> > 
> 
> There were some additional DoS vulnerabilities reported and fixed in 5.1.49.
> The duped bug has a list, we'll add the CVE ids to that bug later on.
> 

The CVEs for the issues in bug 335331 have been assigned:

> 1, Security Fix: After changing the values of the innodb_file_format or
>                 innodb_file_per_table configuration parameters, DDL statements
>                 could cause a server crash. (Bug#55039)
>   References:   http://bugs.mysql.com/bug.php?id=55039
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628660
>   Reason:       Assertion failure leading to server abort.


CVE-2010-3676


> 2, Security Fix: Joins involving a table with a unique SET column could cause
>                 a server crash. (Bug#54575)
>   References:   http://bugs.mysql.com/bug.php?id=54575
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628040
>   Reason:       NULL pointer dereference leading to (temporary) server DoS.


CVE-2010-3677


> 3, Security Fix: Incorrect handling of NULL arguments could lead to a crash
>                 for IN() or CASE operations when NULL arguments were either
>                 passed explicitly as arguments (for IN()) or implicitly
>                 generated by the WITH ROLLUP  modifier (for IN() and CASE).
>                 (Bug#54477)
>   References:   http://bugs.mysql.com/bug.php?id=54477
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628172
>   Reason:       NULL pointer dereference leading to (temporary) server DoS.


CVE-2010-3678


> 4, Security Fix: A malformed argument to the BINLOG statement could result
>                 in Valgrind warnings or a server crash. (Bug#54393)
>   References:   http://bugs.mysql.com/bug.php?id=54393
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628062
>   Reason:       Use of unassigned memory leading to (temporary) server DoS (crash).


CVE-2010-3679


> 5, Security Fix: Use of TEMPORARY  InnoDB tables with nullable columns could cause
>                 a server crash. (Bug#54044)
>   References:   http://bugs.mysql.com/bug.php?id=54044
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628192
>   Reason:       Assertion failure leading to server abort.


CVE-2010-3680


> 6, Security Fix: The server could crash if there were alternate reads from
>                 two indexes on a table using the HANDLER interface. (Bug#54007)
>   References:   http://bugs.mysql.com/bug.php?id=54007
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628680
>   Reason:       Assertion failure leading to server abort.


CVE-2010-3681


> 7, Security Fix: Using EXPLAIN with queries of the form SELECT ... UNION
>                 ... ORDER BY (SELECT ... WHERE ...) could cause a server
>                 crash. (Bug#52711)
>   References:   http://bugs.mysql.com/bug.php?id=52711
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628328
>   Reason:       NULL pointer dereference leading to (temporary) server DoS.


CVE-2010-3682


> 8, Security Fix: LOAD DATA INFILE did not check for SQL errors and sent an
>                 OK packet even when errors were already reported. Also, an
>                 assert related to client-server protocol checking in debug
>                 servers sometimes was raised when it should not have been.
>                 (Bug#52512)
>   References:   http://bugs.mysql.com/bug.php?id=52512
>                 https://bugzilla.redhat.com/show_bug.cgi?id=628698
>   Reason:       Assertion failure leading to server abort.


CVE-2010-3683

Comment 28 Mark Loeser (RETIRED) gentoo-dev 2010-10-24 19:37:13 UTC
ppc64 done
Comment 29 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-10-28 21:27:47 UTC
waiting for a toolchain response on bug 335995 to see if we need to expand the drop of omit-frame-pointer on x86, then we're clear for stabilization.
Comment 30 Markus Meier gentoo-dev 2010-10-29 14:01:35 UTC
arm stable
Comment 31 Raúl Porcel (RETIRED) gentoo-dev 2010-11-13 12:09:50 UTC
ia64/s390/sh/sparc stable
Comment 32 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:09:48 UTC
GLSA with other MySQL bugs like 237166.
Comment 33 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 16:35:51 UTC
CVE-2010-3683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683):
  Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when
  a LOAD DATA INFILE request generates SQL errors, which allows remote
  authenticated users to cause a denial of service (mysqld daemon crash) via a
  crafted request.

CVE-2010-3682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682):
  Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote
  authenticated users to cause a denial of service (mysqld daemon crash) by
  using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE
  ...)" statements, which triggers a NULL pointer dereference in the
  Item_singlerow_subselect::store function.

CVE-2010-3681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681):
  Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote
  authenticated users to cause a denial of service (mysqld daemon crash) by
  using the HANDLER interface and performing "alternate reads from two indexes
  on a table," which triggers an assertion failure.

CVE-2010-3680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680):
  Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a
  denial of service (mysqld daemon crash) by creating temporary tables with
  nullable columns while using InnoDB, which triggers an assertion failure.

CVE-2010-3679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679):
  Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a
  denial of service (mysqld daemon crash) via certain arguments to the BINLOG
  command, which triggers an access of uninitialized memory, as demonstrated
  by valgrind.

CVE-2010-3678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678):
  Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a
  denial of service (crash) via (1) IN or (2) CASE operations with NULL
  arguments that are explicitly specified or indirectly provided by the WITH
  ROLLUP modifier.

CVE-2010-3677 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677):
  Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote
  authenticated users to cause a denial of service (mysqld daemon crash) via a
  join query that uses a table with a unique SET column.

CVE-2010-3676 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676):
  storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before
  5.1.49 allows remote authenticated users to cause a denial of service
  (assertion failure) by modifying the (1) innodb_file_format or (2)
  innodb_file_per_table configuration parameters for the InnoDB storage
  engine, then executing a DDL statement.
Comment 34 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:47:10 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).
Comment 35 GLSAMaker/CVETool Bot gentoo-dev 2012-08-17 12:10:21 UTC
CVE-2009-5026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5026):
  The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before
  5.1.50, when running in certain slave configurations in which the slave is
  running a newer version than the master, allows remote attackers to execute
  arbitrary SQL commands via custom comments.