
Bug 67062

Summary: dev-db/mysql: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Kurt Lieber (RETIRED) <klieber>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: hanno, marc.vila, muchar, mysql-bugs, robbat2
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Kurt Lieber (RETIRED) gentoo-dev 2004-10-11 02:24:56 UTC
From a recent vendor-sec posting:  (these bugs are public afaik, but I'm marking this private in our bugzilla system until I'm sure.  Treat it as a fight club until further notice)

There have been a number of vulnerabilities discovered in recent
versions of the mysql server.  Patches are available through URLs.

CAN-2004-0835

    Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks
    CREATE/INSERT rights of the old table instead of the new one.

    Changelog:
    Fixed bug in privilege checking of ALTER TABLE RENAME

    http://bugs.mysql.com/bug.php?id=3270
    http://lists.mysql.com/internals/13073
    http://mysql.bkbits.net:8080/mysql-3.23/cset@1.1435?nav=index.html|tags|ChangeSet@1.1413..

CAN-2004-0836

    Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect
    function.

    Changelog:
    Fixed potential memory overrun in mysql_real_connect() (which
    required a compromised DNS server and certain operating systems).

    http://bugs.mysql.com/bug.php?id=4017
    http://lists.mysql.com/internals/14726

CAN-2004-0837

    Dean Ellis noticed that multiple threads ALTERing the same (or
    different) MERGE tables to change the UNION can cause the server
    to crash or stall.

    Changelog:
    Fixed an old bug in concurrent accesses to MERGE tables (even one
    MERGE table and MyISAM tables), that could've resulted in a crash or
    hang of the server.

    http://bugs.mysql.com/2408
    http://lists.mysql.com/internals/16168
    http://mysql.bkbits.net:8080/mysql-3.23/diffs/myisammrg/myrg_open.c@1.15
    http://lists.mysql.com/internals/16173
    http://lists.mysql.com/internals/16174

The following ones don't have a CVE id assigned, but I'm in contact
with MITRE already.

Crash with MATCH..AGAINST (denial of service)

    http://bugs.mysql.com/bug.php?id=3870

    Only affects mysql 4.0

Privilege Escalation on GRANT ALL ON `Foo\_Bar`

    Changelog:
    Fixed bug in privilege checking where, under some conditions, one
    was able to grant privileges on a database one has no privileges on.

    http://bugs.mysql.com/bug.php?id=3933
    http://mysql.bkbits.net:8080/mysql-4.0/patch@1.1844.5.1

    Affects versions older than 4.0 as well.
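As an added illustration (not part of the vendor-sec posting or of this Gentoo bug), the SQL below shows why the escaped name in the last item matters and how an administrator can audit existing database-level grants. It assumes MySQL's documented wildcard semantics for GRANT ... ON db.* (an unescaped `_` or `%` in the database name is a pattern character, matched against the Db column of mysql.db); the database and account names are constructed.

```sql
-- Constructed example: two unrelated databases whose names differ only
-- in the character that the '_' wildcard would match.
CREATE DATABASE Foo_Bar;
CREATE DATABASE FooXBar;

-- Unescaped: '_' is a single-character wildcard in mysql.db.Db, so this
-- grant also covers FooXBar (and any other Foo?Bar database).
GRANT ALL ON `Foo_Bar`.* TO 'app'@'localhost'
    IDENTIFIED BY 'constructed-password';

-- Escaped: the grant applies to the literal database name Foo_Bar only.
GRANT ALL ON `Foo\_Bar`.* TO 'app2'@'localhost'
    IDENTIFIED BY 'constructed-password';

-- Audit: database-level grants whose Db pattern still contains an
-- UNESCAPED '_' or '%' after the escaped forms ("\_", "\%") are removed.
-- These rows may match more databases than the grantor intended.
SELECT Host, User, Db
FROM mysql.db
WHERE LOCATE('_', REPLACE(Db, '\\_', '')) > 0
   OR LOCATE('%', REPLACE(Db, '\\%', '')) > 0;

-- Confirm the server runs at least the fixed release named in this bug
-- (4.0.21) before relying on the corrected privilege checks.
SELECT VERSION();
```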
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-10-11 02:25:45 UTC
mysql team -- can you review/patch as appropriate?  Please treat this as a confidential bug report.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-11 05:07:22 UTC
Debian published a DSA on the first three ones with CAN assignments.

http://www.debian.org/security/2004/dsa-562
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-10-11 16:39:03 UTC
*** Bug 67175 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-15 05:15:45 UTC
MySQL team: we're getting late on those... Please apply fixes and bump (or comment).
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 01:55:09 UTC
All these issues are in fact public and fixed in 4.0.21, which is already in portage.
A little feedback from the MySQL team on this would have been appreciated.

Arches: please mark 4.0.21 stable
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 01:55:54 UTC
*** Bug 67343 has been marked as a duplicate of this bug. ***
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-10-18 02:21:18 UTC
Koon: sorry, I've been quite busy with schoolwork, and after I did finally get access to the bug (just having mysql-bugs on the CC doesn't let us into locked bugs), I only got to checking one of the items.

When you write up the GLSA, note that several of these apply to both the 3.23 and 4.0 MySQL versions.
Comment 8 Jochen Maes (RETIRED) gentoo-dev 2004-10-18 06:55:48 UTC
stable on ppc
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-18 10:22:52 UTC
sparc tasty.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-18 14:01:34 UTC
Stable on alpha.
Comment 11 Tom Gall (RETIRED) gentoo-dev 2004-10-18 21:07:28 UTC
stable on ppc64
Comment 12 Guy Martin (RETIRED) gentoo-dev 2004-10-19 12:42:24 UTC
Stable on hppa.
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2004-10-19 23:07:36 UTC
Stable on mips.
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-10-22 10:33:45 UTC
stable on x86.
Comment 15 Danny van Dyk (RETIRED) gentoo-dev 2004-10-22 11:10:52 UTC
Sorry guys, this one must have slipped through my attention. Stable now on amd64.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-10-23 01:56:12 UTC
Drafted. Security please review.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-10-24 07:32:20 UTC
GLSA 200410-22
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-11-02 09:12:22 UTC
*** Bug 69851 has been marked as a duplicate of this bug. ***
Comment 19 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-11-02 09:14:47 UTC
*** Bug 69851 has been marked as a duplicate of this bug. ***