Bug 198988 - dev-db/mysql < 5.0.44-r2 dev-db/mysql-community InnoDB "CONTAINS" DoS (CVE-2007-5925)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://bugs.mysql.com/bug.php?id=32125
Whiteboard: A3 [glsa] ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-12 23:23 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-14 09:44 UTC
Attachments
- modified mysql ebuild (mysql-5.0.44-r1.ebuild, 2.05 KB, text/plain), 2007-11-15 16:27 UTC, Lukas Kuzmiak
- described patch (convert_search_mode_to_innobase.diff, 3.35 KB, patch), 2007-11-15 16:28 UTC, Lukas Kuzmiak

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 23:23:39 UTC
CVE-2007-5925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5925):
  The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB
  engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to
  cause a denial of service (database crash) via a certain CONTAINS operation
  on an indexed column, which triggers an assertion error.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 23:28:33 UTC
mysql herd, would mysql-community also be affected by this?

Is InnoDB a considered default setup?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-12 23:52:18 UTC
Yup, both dev-db/mysql and dev-db/mysql-community are vulnerable, and InnoDB is shipped enabled by default per the request of upstream.

The upstream bug notes the following as vulnerable:
4.1.20, 5.0.44, 5.1.23-BK (their development tip)
That's basically the latest in every tree (I'm sure 4.1.2[23] are vulnerable as well, despite not being explicitly mentioned).

Furthermore the upstream bug has no fixes at all yet.

Hopefully they roll it into 5.0.50 and release soon (I've been waiting for 5.0.50 a long time now).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-13 01:34:10 UTC
Thanks for the info, setting A3 then.
Comment 4 Lukas Kuzmiak 2007-11-15 15:05:13 UTC
patch was released for 5.0.45, also works with 5.0.44-r1 ebuild.
http://bugs.mysql.com/bug.php?id=32125
Comment 5 Lukas Kuzmiak 2007-11-15 16:27:32 UTC
Created attachment 136052 [details]
modified mysql ebuild
Comment 6 Lukas Kuzmiak 2007-11-15 16:28:02 UTC
Created attachment 136053 [details, diff]
described patch
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 00:47:43 UTC
Comment on attachment 136052 [details]
modified mysql ebuild

lukash: Please do not use src_unpack in mysql ebuilds like this, you exclude the other patches that are applied to the tree.

I'll have the new ebuilds out in 6-12 hours, I'm just doing testing on my machines (ppc64/amd64/x86) before releasing. They are getting another patch regarding $TMPDIR usage at the same time.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 02:49:14 UTC
mysql-5.0.44-r2 is in the tree now, fixing upstream #32125 per this issue, as well as upstream #30287 (usage of wrong $TMPDIR for filesorts).

Test instructions:
FEATURES="test userpriv" \
USE="berkdb perl ssl cluster extraengine" \
emerge mysql

Target stable keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
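The fix above means "anything older than dev-db/mysql-5.0.44-r2 is affected", which in Gentoo terms requires comparing the dotted version and the -rN ebuild revision separately. The following is an added example (not code from the bug, from Gentoo's portage, or from the GLSA) that implements that comparison for a small subset of Gentoo version syntax and runs it over a constructed list of installed packages in the form of the directory names under /var/db/pkg. Assumptions: only dotted numeric versions with an optional -rN revision occur (no _rc/_pre suffixes, no trailing letters), and only dev-db/mysql has a fixed version recorded, since the bug gives no fixed version for dev-db/mysql-community (comment 31 only notes that 5.0.67 was in the tree when the bug was closed).

```python
"""Flag installed dev-db/mysql versions older than the fix for this bug
(dev-db/mysql < 5.0.44-r2, GLSA 200711-25).

Added example, not part of the bug, the GLSA or portage.  It handles a
subset of Gentoo version ordering: dotted numeric components plus an
optional -rN ebuild revision.  Suffixes such as _rc/_pre and trailing
letters (1.0a) are deliberately unsupported (assumption: not needed here).
"""
import re

# Fixed versions recorded on this bug.  mysql-community is intentionally
# absent: the bug never records a fixed version for it (assumption).
FIXED = {
    "dev-db/mysql": "5.0.44-r2",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_CPV_RE = re.compile(
    r"^(?P<cat>[^/]+)/(?P<pkg>.+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$"
)


def parse_version(ver):
    """Split '5.0.44-r2' into ([5, 0, 44], 2); a missing revision is 0."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    numbers = [int(x) for x in m.group(1).split(".")]
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Numeric components compare left to right, padded with zeros so that
    5.0 == 5.0.0; the -rN revision only breaks ties, as in portage.
    """
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def split_cpv(cpv):
    """Split 'dev-db/mysql-community-5.0.45' into its category/package
    and version; the non-greedy package match lets hyphenated names work."""
    m = _CPV_RE.match(cpv)
    if not m:
        raise ValueError("unsupported package string: %r" % cpv)
    return "%s/%s" % (m.group("cat"), m.group("pkg")), m.group("ver")


def find_affected(installed):
    """Return the entries of `installed` that are older than their fixed
    version; packages without an entry in FIXED are ignored."""
    affected = []
    for cpv in installed:
        cp, ver = split_cpv(cpv)
        fixed = FIXED.get(cp)
        if fixed is not None and compare_versions(ver, fixed) < 0:
            affected.append(cpv)
    return affected


# Constructed sample, not real output from any machine.
SAMPLE_INSTALLED = [
    "dev-db/mysql-5.0.44-r1",
    "dev-db/mysql-5.0.44-r2",
    "dev-db/mysql-4.1.22",
    "dev-db/mysql-5.0.54",
    "dev-db/mysql-community-5.0.45",
]

if __name__ == "__main__":
    for cpv in find_affected(SAMPLE_INSTALLED):
        print("affected:", cpv)
```

On a real system the input list would come from the directory names under /var/db/pkg; the revision handling is the part that matters here, since 5.0.44-r1 and 5.0.44-r2 share the same upstream version and differ only in the Gentoo patch set.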
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 09:21:10 UTC
mips is also a target since they have a 4.X stable, which is also affected.

What about the community ebuild?
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 09:27:09 UTC
(ahh, the "add" button is killing me!)
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2007-11-16 13:27:54 UTC
Stable for sparc.  Runs my databases as expected (and mysqldump still works. :) ).
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 13:55:05 UTC
mysql-community is coming after I next sleep (it's ~arch only).

mips is way behind on their mysql keywording, they specifically dropped the 5.0 series long ago as they didn't want it, and there is bug 189223 open for them to re ~arch 5.0.44-rc1.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 13:56:51 UTC
oh, one bit of advice for those testing MySQL per my instructions, that test takes ~45 minutes on a 2GHz 2-way machine, and an hour on a 2GHz 1-way box, so set it running and go out for coffee ;-)
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 13:57:10 UTC
crap wrong button.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 14:12:42 UTC
(In reply to comment #12)
> mysql-community is coming after I next sleep (it's ~arch only).

Sleep well then :-)


> mips is way behind on their mysql keywording, the specifically dropped the 5.0
> series long ago as they didn't want it, and there is bug 189223 open for them
> to re ~arch 5.0.44-rc1.

I see. I'll leave them in CC though, even if it doesn't result into anything.
Comment 16 Jeroen Roovers gentoo-dev 2007-11-16 15:02:49 UTC
Stable for HPPA.
Comment 17 Jurek Bartuszek (RETIRED) gentoo-dev 2007-11-16 19:29:21 UTC
x86 stable
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-16 21:48:04 UTC
stable for amd64, tested by me, approved by KingTaco.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-11-17 11:32:10 UTC
alpha/ia64 stable
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 11:30:40 UTC
ppc stable
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2007-11-18 13:53:26 UTC
ppc64 stable
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 14:19:56 UTC
glsa request filed for mysql. This still remains [ebuild] for the community server.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 21:53:18 UTC
GLSA 200711-25. letting open until we have a safe mysql-community ebuild in the tree.
Comment 24 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-19 04:12:40 UTC
mysql-community blocker: the 5.1 patch on the upstream bug causes mysql-community to fail during compile, because the DB_UNSUPPORTED token is not defined. I left a comment on the upstream bug, because it's not as simple as defining it if nothing else in the codebase returns it.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2007-12-08 13:49:20 UTC
any update for community here?
Comment 26 Jakub Moc (RETIRED) gentoo-dev 2007-12-11 11:58:03 UTC
10:44:02 <+CIA-23> vapier * gentoo-x86/dev-db/mysql/ (mysql-5.0.44-r2.ebuild mysql-5.0.44-r1.ebuild):
10:44:02 <+CIA-23> arm/s390/sh stable 

mips is plain hopeless and stuck w/ <=4.1.x (Bug 189223 ATM).
Comment 27 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-15 15:26:37 UTC
No update at all. Upstream even locked their bug so I can't access it anymore.
Comment 28 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-15 15:28:14 UTC
Err, no update for community-5.1 i mean.

For 5.0, 5.0.54 is now in the tree, but pmasked.

Sorry about the delay, this was a hard release to deal with.
The extras tarball contains 359k of new patches, of which a massive 217k was me
having to do the min/min -> MYSQL_MIN/MAX change by hand because of a large
number of rejects.

Lots of testing is appreciated, esp testing beyond the bundled testsuite.
Comment 29 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-25 08:59:01 UTC
per my comment left in bug 201669, this can go for arch testing now.
Comment 30 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:51:35 UTC
This bug does not affect 2008.0 snapshot, removing release@ from CC.
Comment 31 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-14 05:19:47 UTC
security: for mysql-community, 5.0.67 is in the tree now. 5.1.30 will fill that major version gap after upstream releases it (earlier 5.1.x builds have other issues). However I think you can close the bug now anyway. -community was only ~arch, so it doesn't need any GLSA updates.
Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-14 09:44:00 UTC
thanks, closing