
Bug 412889 (CVE-2012-0583)

Summary: <dev-db/mysql-5.1.62-r1: Auth bypass, DoS, ? (CVE-2012-{0583,1688,1690,1696,1697,1703,2122})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: a3li, mysql-bugs, xmw
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/48890/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-04-21 09:42:18 UTC
Description
Multiple vulnerabilities have been reported in Oracle MySQL Server, which can be exploited by malicious users to cause a DoS (Denial of Service).

1) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

2) An unspecified error in the MyISAM component can be exploited to cause a crash.

3) An unspecified error in the Partition component can be exploited to cause a crash.

4) An unspecified error in the Server DML component can be exploited to cause a crash.

5) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

6) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

Please see the vendor's advisory for a list of affected versions.


Solution
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-04-21 18:18:46 UTC
ago:
the fixed versions have been in the tree for nearly 3 weeks already.
mysql-5.1.62
mysql-5.5.22
mariadb-5.1.62
mariadb-5.2.12
mariadb-5.3.6
mariadb-5.5.23

However I'm aware of a new sec vuln that's present in the above mysql versions, and fixed in the new mariadb, and I'm just blocking on upstream to get it in.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-04-21 20:31:27 UTC
arches, please stabilize mysql-5.1.62-r1.ebuild

target keywords:
alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

Contains the security fixes listed in this bug, as well as a new vuln auth-bypass found by the MariaDB developers. Upstream locked bug is http://bugs.mysql.com/bug.php?id=64884. I haven't seen any CVE yet.

Security team:
The auth bypass should probably be considered as a high-priority, it's usable remotely, and needs only ~300 tries (possible in 1-2 seconds) with completely unmodified clients.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-04-21 20:50:35 UTC
MySQL likely is on more than 5% of users' systems by now. Let's make it A* from now on. The issue at hand still is at *3 level; however, Arches, please prioritize this stabilization.
Comment 4 Agostino Sarubbo gentoo-dev 2012-04-30 12:36:54 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-01 04:30:52 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2012-05-03 20:47:46 UTC
arm stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-05-06 22:27:55 UTC
CVE-2012-1703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1703):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated
  users to affect availability via unknown vectors related to Server
  Optimizer.

CVE-2012-1697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1697):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.21 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Partition.

CVE-2012-1696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1696):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.19 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Server Optimizer.

CVE-2012-1690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1690):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated
  users to affect availability via unknown vectors related to Server
  Optimizer.

CVE-2012-1688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1688):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated
  users to affect availability, related to Server DML.

CVE-2012-0583 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0583):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated
  users to affect availability, related to MyISAM.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-09 17:12:08 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-05-10 18:34:54 UTC
  09 May 2012; Pawel Hajdan jr <phajdan.jr@gentoo.org> mysql-5.1.62.ebuild:
  x86 stable wrt bug #412889


You marked stable a wrong version
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-12 15:12:32 UTC
Stable on alpha.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-13 15:45:52 UTC
(In reply to comment #9)
>   09 May 2012; Pawel Hajdan jr <phajdan.jr@gentoo.org> mysql-5.1.62.ebuild:
>   x86 stable wrt bug #412889
> 
> 
> You marked stable a wrong version

Thank you, now really stabilized -r1.
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2012-05-14 19:31:15 UTC
ppc/ppc64 done
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:08:29 UTC
ia64/s390/sh/sparc stable
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-26 18:47:21 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-06-04 12:20:26 UTC
*** Bug 419611 has been marked as a duplicate of this bug. ***
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-06-04 12:21:03 UTC
mysql: please clean up vulnerable versions/extend masks
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-06-11 14:20:42 UTC
*** Bug 420695 has been marked as a duplicate of this bug. ***
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:58:09 UTC
CVE-2012-2122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2122):
  sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and
  5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12,
  5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain
  environments with certain implementations of the memcmp function, allows
  remote attackers to bypass authentication by repeatedly authenticating with
  the same incorrect password, which eventually causes a token comparison to
  succeed due to an improperly-checked return value.
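The flaw class that the CVE-2012-2122 text above describes, shown as an added example that is not part of the original bug report and is not MySQL's or MariaDB's code: an `int` comparison result narrowed to an 8-bit boolean, beside the corrected check. The names `bool8`, `wide_memcmp`, `mismatch_truncated`, `mismatch_checked` and `false_accepts` are hypothetical, and the 2-byte token is a constructed stand-in for the real comparison.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char bool8;   /* hypothetical 8-bit boolean type */

/* Constructed stand-in for a word-at-a-time memcmp: the C standard fixes only
   the sign of the result, so magnitudes above 255 are legal. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return (n & 1) ? a[n - 1] - b[n - 1] : 0;
}

/* Flawed: narrowing the int keeps only the low byte, so 0x0100 becomes 0. */
static bool8 mismatch_truncated(const unsigned char *a, const unsigned char *b, size_t n)
{
    return (bool8)wide_memcmp(a, b, n);
}

/* Corrected: reduce the result to 0/1 before it is narrowed. */
static bool8 mismatch_checked(const unsigned char *a, const unsigned char *b, size_t n)
{
    return wide_memcmp(a, b, n) != 0;
}

typedef bool8 (*check_fn)(const unsigned char *, const unsigned char *, size_t);
/* Count the wrong 2-byte tokens that a check reports as "no mismatch". */
static int false_accepts(check_fn check)
{
    const unsigned char expected[2] = { 0x5a, 0xc3 };  /* constructed sample */
    int accepted = 0;
    for (int w = 0; w < 0x10000; w++) {
        unsigned char got[2] = { (unsigned char)(w >> 8), (unsigned char)w };
        if ((got[0] != expected[0] || got[1] != expected[1]) && !check(got, expected, 2))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("truncated: %d, checked: %d false accepts\n",
           false_accepts(mismatch_truncated), false_accepts(mismatch_checked));
    return 0;
}
```

In this toy model the truncated check accepts roughly one wrong token in 256, which is why the comparison must be reduced to zero/non-zero before it is stored in a narrower type.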
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 09:11:53 UTC
This issue was resolved and addressed in
 GLSA 201308-06 at http://security.gentoo.org/glsa/glsa-201308-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).