Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 229329 - dev-db/mysql <= 5.0.60-r1: GRANT statement DoS
Summary: dev-db/mysql <= 5.0.60-r1: GRANT statement DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugs.mysql.com/bug.php?id=16470
Whiteboard: B3 [glsa]
Keywords:
Depends on: 246652
Blocks:
  Show dependency tree
 
Reported: 2008-06-25 03:01 UTC by Walter
Modified: 2012-01-05 22:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Walter 2008-06-25 03:01:33 UTC
upstream bug is here http://bugs.mysql.com/bug.php?id=16470

supposedly a patch is out here: http://lists.mysql.com/commits/43522

this should be brought in to gentoo's portage tree immediately.

Reproducible: Always

Steps to Reproduce:
mysql> grant blah on blah.blah to blah@blah identified by blah;


Actual Results:  
 entire daemon dies immediately

Expected Results:  
stable!
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-05 14:28:55 UTC
This is actually a Denial of Service issue and should be handled as a security bug, re-assigning.
Short summary: Any user with GRANT permissions can crash the whole server.

mysql team, please bump.
Comment 2 Walter 2008-08-19 04:18:15 UTC
It's not only a DoS issue, it prohibits regular use of grant statements.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:06:17 UTC
All security relevant arches stable due to bug 246652.

I vote YES.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:18:13 UTC
Returning to [ebuild]... the patch has not been committed to 5.0 as discussed on
  http://lists.mysql.com/commits/36237

I'm not sure whether upstream states that 5.0 is not affected, or they simply do not care.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-11-29 12:14:27 UTC
It's in the tree as mysql-5.0.70-r1 now. Stabilization is in bug 246652.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-22 12:12:55 UTC
Yes, too. Added bug # to a pending request.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-25 19:05:39 UTC
security: bump for glsa on this
Comment 8 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2010-11-16 14:21:16 UTC
security: ping
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:46:21 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).