As reported to the oss-security list and pending CVE assignments, the following security fixes were applied to the latest mysql revision in the 5.1 series. I'll bump the ebuild in the overlay and talk with robbat2 about adding the new version to the tree.

Security Fix: During evaluation of arguments to extreme-value functions (such as LEAST() and GREATEST()), type errors did not propagate properly, causing the server to crash. (Bug#55826)

Security Fix: The server could crash after materializing a derived table that required a temporary table for grouping. (Bug#55568)

Security Fix: A user-variable assignment expression that is evaluated in a logical expression context can be precalculated in a temporary table for GROUP BY. However, when the expression value is used after creation of the temporary table, it was re-evaluated, not read from the table, and a server crash resulted. (Bug#55564)

Security Fix: Pre-evaluation of LIKE predicates during view preparation could cause a server crash. (Bug#54568)

Security Fix: GROUP_CONCAT() and WITH ROLLUP together could cause a server crash. (Bug#54476)

Security Fix: Queries could cause a server crash if the GREATEST() or LEAST() function had a mixed list of numeric and LONGBLOB arguments, and the result of such a function was processed using an intermediate temporary table. (Bug#54461)

Security Fix: Queries with nested joins could cause an infinite loop in the server when used from stored procedures and prepared statements. (Bug#53544)
*** Bug 339826 has been marked as a duplicate of this bug. ***
robbat2 added the ebuild to the tree.
5.1.51 obviously does not build with libtool 2.2.6b anymore. 5.1.50 still did. libtool 2.2.10 is needed, which itself needs EAPI 3. Can you maybe add a dependency?
(In reply to comment #3)
> 5.1.51 obviously does not build with libtool 2.2.6b anymore. 5.1.50 still did.
> libtool 2.2.10 is needed, which itself needs EAPI 3. Can you maybe add a
> dependency?

dep added.
MySQL bug to CVE mapping for future reference.

Bug#55826 - incorrect propagation of type errors in evaluation of arguments to extreme-value functions
CVE-2010-3833 "create table .. select crashes with when KILL_BAD_DATA is returned" 5.0.91, 5.1.49, 5.1.50-bzr, 5.5.5

Bug#55568 - The server could crash after materializing a derived table that required a temporary table for grouping.
CVE-2010-3834 "user variable assignments crash server when used within query" 5.0.91-debug, 5.1.49-debug

Bug#55564 - A user-variable assignment expression that is evaluated in a logical expression context can be precalculated in a temporary table for GROUP BY. However, when the expression value is used after creation of the temporary table, it was re-evaluated, not read from the table, and a server crash resulted.
CVE-2010-3835 "crash with user variables, assignments, joins..." 5.0.92, 5.1.37, 5.1.49, 5.1.50-bzr, 5.5.6-m3

Bug#54568 - Pre-evaluation of LIKE predicates during view preparation could cause a server crash.
CVE-2010-3836 "create view cause Assertion failed: 0, file .\item_subselect.cc, line 836" 5.0.91-debug, 5.1.47-debug

Bug#54476 - GROUP_CONCAT() and WITH ROLLUP together could cause a server crash.
CVE-2010-3837 "crash when group_concat and 'with rollup' in prepared statements" 5.0.91, 5.1.47, 5.1.49-bzr, 5.5.3
see: [23 Jul 14:25] Alexey Kopytov

Bug#54461 - Queries could cause a server crash if the GREATEST() or LEAST() function had a mixed list of numeric and LONGBLOB arguments, and the result of such a function was processed using an intermediate temporary table.
CVE-2010-3838 "crash with longblob and union or update with subquery" 5.0.91, 5.1.47, 5.5.3, 5.5.5-m3

Bug#53544 - Queries with nested joins could cause an infinite loop in the server when used from stored procedures and prepared statements.
CVE-2010-3839 "Server hangs during JOIN query in stored procedure called twice in a row" 5.1.47, 5.6.99-m4 Dahlia, bzr_mysql-6.0-codebase-bugfixing

Bug#51875 - The PolyFromWKB() function could crash the server when improper WKB data was passed to the function.
CVE-2010-3840 "crash when loading data into geometry function polyfromwkb" 5.0.90, 5.1.44
security: clear to call for stabilization now.
Arches, please test and mark stable:
=dev-db/mysql-5.1.51
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
amd64 stable, created and tested database with no problem.
amd64 done
Stable for HPPA.
ppc64 done
Stable for PPC.
arm stable
alpha/ia64/s390/sh/sparc stable
GLSA with 237166.
CVE-2010-3840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840):
The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1 before 5.1.51 allows remote authenticated users to cause a denial of service (server crash) by calling the PolyFromWKB function with Well-Known Binary (WKB) data containing a crafted number of (1) line strings or (2) line points.

CVE-2010-3839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839):
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (infinite loop) via multiple invocations of a (1) prepared statement or (2) stored procedure that creates a query with nested JOIN statements.

CVE-2010-3838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838):
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments, which is not properly handled when the function's result is "processed using an intermediate temporary table."

CVE-2010-3837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837):
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-free error when a copied object is modified in a way that also affects the original object.

CVE-2010-3836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836):
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers.

CVE-2010-3835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835):
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (mysqld server crash) by performing a user-variable assignment in a logical expression that is calculated and stored in a temporary table for GROUP BY, then causing the expression value to be used after the table is created, which causes the expression to be re-evaluated instead of accessing its value from the table.

CVE-2010-3834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834):
Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable assignments."

CVE-2010-3833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833):
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."
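As an added example (not part of this bug or of MySQL), the per-branch "before" thresholds quoted in the NVD descriptions above (5.0.92, 5.1.51, 5.5.6, and the narrower branch lists for CVE-2010-3835, -3839 and -3840) can be turned into a check that tells an administrator which of these CVEs a given server version string still falls under; the version strings used in the demo are constructed.

```python
"""Map a MySQL server version to the CVEs from this bug that NVD lists as
unfixed for it. Thresholds are transcribed from the NVD text above; this is
an added example, not code from the Gentoo bug or from MySQL."""
import re

# Per CVE: the branches NVD names and the first fixed release on each.
# CVE-2010-3835 and -3839 are listed for 5.1/5.5 only, -3840 for 5.1 only.
FIXED_IN = {
    "CVE-2010-3833": {"5.0": (5, 0, 92), "5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3834": {"5.0": (5, 0, 92), "5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3835": {"5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3836": {"5.0": (5, 0, 92), "5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3837": {"5.0": (5, 0, 92), "5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3838": {"5.0": (5, 0, 92), "5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3839": {"5.1": (5, 1, 51), "5.5": (5, 5, 6)},
    "CVE-2010-3840": {"5.1": (5, 1, 51)},
}


def parse_version(s):
    """'5.1.50-log', '5.5.5-m3' or 'dev-db/mysql-5.1.51' -> (5, 1, 50).
    Suffixes such as -log, -m3 or a Gentoo -rN revision do not affect
    the upstream comparison and are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("no x.y.z version in %r" % s)
    return tuple(int(x) for x in m.groups())


def unfixed_cves(version):
    """Return the CVEs from this bug whose NVD 'before' threshold for the
    server's branch is still above `version`. A branch NVD does not list
    for a CVE is treated as not affected by that CVE."""
    v = parse_version(version)
    branch = "%d.%d" % v[:2]
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if branch in fixed and v < fixed[branch])


if __name__ == "__main__":
    # Constructed sample versions, including the stabilisation target above.
    for sample in ("5.1.50-log", "5.0.91", "5.5.5-m3", "=dev-db/mysql-5.1.51"):
        print(sample, "->", unfixed_cves(sample) or "none of these CVEs")
```

Distribution packages can carry backported fixes without changing the upstream version string, so treat a match as a prompt to check the package's changelog or the GLSA, not as proof of exposure.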
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).