Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 344987 - <dev-db/mysql-5.1.53: Several vulnerabilities
Summary: <dev-db/mysql-5.1.53: Several vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://dev.mysql.com/doc/refman/5.1/e...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 344031 347796
Blocks:
  Show dependency tree
 
Reported: 2010-11-10 22:14 UTC by Hanno Böck
Modified: 2012-01-05 22:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2010-11-10 22:14:11 UTC
Three Security fixes in upstream changelog, no CVEs yet:

Security Fix: The server crashed for assignment of values of types other than Geometry to items of type GeometryCollection (MultiPoint, MultiCurve, MultiSurface). Now the server checks the field type and fails with bad geometry value if it detects incorrect parameters. (Bug#55531)

Security Fix: EXPLAIN EXTENDED caused a server crash with some prepared statements. (Bug#54494)

Security Fix: In prepared-statement mode, EXPLAIN for a SELECT from a derived table caused a server crash. (Bug#54488)

5.1.52 is already in the tree, but not stabilized yet.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-11-11 00:32:30 UTC
Fun.
I'm working on an 5.1.52-r1 for the hardened users still, and we can stabilize that.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2010-11-16 13:51:21 UTC
I've added a depend on the bug tracking the TEXTRELs on x86.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 22:46:44 UTC
(In reply to comment #1)
> Fun.
> I'm working on an 5.1.52-r1 for the hardened users still, and we can stabilize
> that.
> 

I see in bug 344031 that 5.1.52-r1 and 5.1.53 are working for hardened users. Can we stabilize one of these to get these security fixes? And if so, which one?

Thank you.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-01-03 04:58:28 UTC
No, not yet unfortunately. The TEXTREL fix broke the build on certain multilib setups.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-04-21 12:48:56 UTC
underling:
I intend to ask for this stable in 1 week.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-05-05 13:46:01 UTC
@robbat2, shall we move forward with stabilization of 5.1.52-r1?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-05-05 18:35:38 UTC
(In reply to comment #6)
> @robbat2, shall we move forward with stabilization of 5.1.52-r1?
The stablereq target is 5.1.56, nothing earlier.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-05-06 15:43:22 UTC
(In reply to comment #7)
> The stablereq target is 5.1.56, nothing earlier.

Ok, great, thanks. For our future reference, 5.1.56 also includes this security fix (first fixed in 5.1.53):

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html
      InnoDB Storage Engine: Security Fix: A failed CREATE TABLE statement for
      an InnoDB table could allocate memory that was never freed. (Bug #56947)


Arches, please test and mark stable:
=dev-db/mysql-5.1.56
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2011-05-06 22:04:42 UTC
x86 stable. thanks
Comment 10 Agostino Sarubbo gentoo-dev 2011-05-06 22:26:38 UTC
posted bug 366289 and bug 366291
Comment 11 Agostino Sarubbo gentoo-dev 2011-05-07 09:01:11 UTC
(In reply to comment #10)
> posted bug 366289 and bug 366291

anyway works for me.
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-05-07 19:20:55 UTC
To clarify:
1. As usual, the test instructions are included in the ebuild
# Official test instructions:
# USE='berkdb -cluster embedded extraengine perl ssl community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-X.X.XX.ebuild \
# digest clean package

2. The warning about unused configure flags is a long-standing false positive from upstream's nested unrelated configure scripts.

3. The dodoc is fixed per bug #366289.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2011-05-08 22:07:18 UTC
amd64 done
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2011-05-08 23:29:54 UTC
and64.

used recommended use flags etc. Longest test suite so far.
emerged ok.  seems done
Comment 15 Markus Meier gentoo-dev 2011-05-09 05:07:11 UTC
arm stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-09 11:14:14 UTC
Stable for HPPA.
Comment 17 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 16:10:33 UTC
ia64/ppc/ppc64 stable
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2011-05-14 19:29:18 UTC
alpha/s390/sh/sparc stable
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 20:02:30 UTC
Thanks, folks. GLSA Vote: Yes (with other MySQL bugs)
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:14:44 UTC
Vote: YES. Added to pending GLSA request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-01-05 22:47:26 UTC
This issue was resolved and addressed in
 GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml
by GLSA coordinator Tim Sammut (underling).