Bug 445602 (CVE-2012-5611) - <dev-db/mysql-5.1.67: Multiple vulnerabilities (CVE-2012-{0572,0574,0578,1702,1705,5060,5096,5611,5612,5613,5614,5615,5627},CVE-2013-{0367,0368,0371,0375,0383,0384,0385,0386,0389})
Status: RESOLVED FIXED
Alias: CVE-2012-5611
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Duplicates: 452938
Reported: 2012-12-02 12:09 UTC by Agostino Sarubbo
Modified: 2013-10-06 23:06 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-12-02 12:09:56 UTC
From: full-disclosure:


* CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/4
https://bugzilla.redhat.com/show_bug.cgi?id=882599

* CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/5
https://bugzilla.redhat.com/show_bug.cgi?id=882600

* CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday Exploit
http://seclists.org/fulldisclosure/2012/Dec/6
https://bugzilla.redhat.com/show_bug.cgi?id=882606

* CVE-2012-5614 MySQL Denial of Service Zeroday PoC
http://seclists.org/fulldisclosure/2012/Dec/7
https://bugzilla.redhat.com/show_bug.cgi?id=882607

* CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
http://seclists.org/fulldisclosure/2012/Dec/9
https://bugzilla.redhat.com/show_bug.cgi?id=882608
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-12-04 22:15:04 UTC
CVE-2012-5615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5615):
  MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11,
  5.2.13, 5.1.66, and possibly other versions, generates different error
  messages with different time delays depending on whether a user name exists,
  which allows remote attackers to enumerate valid usernames.

CVE-2012-5614 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5614):
  MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly
  other versions, allows remote authenticated users to cause a denial of
  service (mysqld crash) via a SELECT command with an UpdateXML command
  containing XML with a large number of unique, nested elements.

CVE-2012-5613 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5613):
  ** DISPUTED **  MySQL 5.5.19 and possibly other versions, and MariaDB
  5.5.28a and possibly other versions, when configured to assign the FILE
  privilege to users who should not have administrative privileges, allows
  remote authenticated users to gain privileges by leveraging the FILE
  privilege to create files as the MySQL administrator.  NOTE: the vendor
  disputes this issue, stating that this is only a vulnerability when the
  administrator does not follow recommendations in the product's installation
  documentation.  NOTE: it could be argued that this should not be included in
  CVE because it is a configuration issue.

CVE-2012-5612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5612):
  Heap-based buffer overflow in MySQL 5.5.19 and possibly other versions, and
  MariaDB 5.5.28a and possibly other versions, allows remote authenticated
  users to cause a denial of service (memory corruption and crash) and
  possibly execute arbitrary code, as demonstrated using certain variations of
  the (1) USE, (2) SHOW TABLES, (3) DESCRIBE, (4) SHOW FIELDS FROM, (5) SHOW
  COLUMNS FROM, (6) SHOW INDEX FROM, (7) CREATE TABLE, (8) DROP TABLE, (9)
  ALTER TABLE, (10) DELETE FROM, (11) UPDATE, and (12) SET PASSWORD commands.

CVE-2012-5611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5611):
  Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other
  versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x
  before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to
  execute arbitrary code via a long argument to the GRANT FILE command.
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-06 11:25:05 UTC
Adding CVE-2012-5627: MySQL insecure salt-usage

reference: http://www.openwall.com/lists/oss-security/2012/12/06/4
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-01-19 16:29:50 UTC
*** Bug 452938 has been marked as a duplicate of this bug. ***
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-01-20 02:56:12 UTC
CVE-2012-5627 is pending upstream for MariaDB (5.5.29 not released).

All other versions are now in the tree, and ready for stablereq.

ebuilds & target keywords:
mysql-5.1.67: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
mysql-5.5.29 (no stable keywords)
mariadb: no stable keywords

Test instructions:
USE='berkdb -cluster embedded extraengine perl ssl community' \
FEATURES='test userpriv -usersandbox' \
ebuild mysql-5.1.67.ebuild \
digest clean package
Comment 5 Agostino Sarubbo gentoo-dev 2013-01-20 17:17:54 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-20 18:04:58 UTC
amd64/x86 stable
Comment 7 Gerald 2013-01-20 20:15:04 UTC
Stable on amd64, but the included config file doesn't work => package is broken and anything but stable!

# /etc/init.d/mysql start

* Starting mysql ...
mkdir: cannot create directory ‘@GENTOO_PORTAGE_EPREFIX@/var/run/mysqld’: No such file or directory
* Directory @GENTOO_PORTAGE_EPREFIX@/var/run/mysqld for pidfile does not exist and cannot be created
* ERROR: mysql failed to start
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-01-20 23:58:21 UTC
Gerald:
Do you have a copy of the mysql overlay or something? You shouldn't have gotten @GENTOO_PORTAGE_EPREFIX@ in any file unless your system didn't run the eprefixify function per mysql-cmake.eclass src_install.
Comment 9 Harald Glatt (hachre) 2013-01-21 01:57:25 UTC
The root cause of the bug Gerald reported has been found and is being addressed in bug 430836
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-21 13:40:24 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-01-21 14:01:09 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-01-21 14:41:01 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-01-21 16:07:35 UTC
sparc stable
Comment 14 Jeroen Roovers gentoo-dev 2013-01-21 19:29:28 UTC
Stable for HPPA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-01-21 22:13:31 UTC
CVE-2013-0389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0389):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.5.28 and earlier, allows remote authenticated users to affect
  availability via unknown vectors related to Server Optimizer.

CVE-2013-0386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0386):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users to affect availability via unknown
  vectors related to Stored Procedure.

CVE-2013-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0385):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.5.28 and earlier, allows local users to affect
  confidentiality and integrity via unknown vectors related to Server
  Replication.

CVE-2013-0384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0384):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.5.28 and earlier, allows remote authenticated users to affect
  availability via unknown vectors related to Information Schema.

CVE-2013-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0383):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.5.28 and earlier, allows remote attackers to affect
  availability via unknown vectors related to Server Locking.

CVE-2013-0375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0375):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.1.28 and earlier, allows remote authenticated users to affect
  confidentiality and integrity via unknown vectors related to Server
  Replication.

CVE-2013-0371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0371):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users to affect availability, related to
  MyISAM.

CVE-2013-0368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0368):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users to affect availability via unknown
  vectors related to InnoDB.

CVE-2013-0367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0367):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users to affect availability via unknown
  vectors related to Server Partition.

CVE-2012-5096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5096):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users with Server Privileges to affect
  availability via unknown vectors.

CVE-2012-5060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5060):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.65 and
  earlier and 5.5.27 and earlier allows remote authenticated users to affect
  availability, related to GIS Extension.

CVE-2012-1705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1705):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier and 5.5.28 and earlier allows remote authenticated users to affect
  availability via unknown vectors related to Server Optimizer.

CVE-2012-1702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1702):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier and 5.5.28 and earlier allows remote attackers to affect
  availability via unknown vectors.

CVE-2012-0578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0578):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and
  earlier allows remote authenticated users to affect availability via unknown
  vectors related to Server Optimizer.

CVE-2012-0574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0574):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier, and 5.5.28 and earlier, allows remote authenticated users to affect
  availability via unknown vectors.

CVE-2012-0572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0572):
  Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and
  earlier and 5.5.28 and earlier allows remote authenticated users to affect
  availability via unknown vectors related to InnoDB.
Comment 16 Agostino Sarubbo gentoo-dev 2013-02-08 12:04:03 UTC
sh stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-02-08 14:46:31 UTC
s390 stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-02-08 16:45:41 UTC
alpha stable
Comment 19 Sean Amoss gentoo-dev Security 2013-03-16 11:37:42 UTC
Added to existing GLSA request.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 09:11:57 UTC
This issue was resolved and addressed in
 GLSA 201308-06 at http://security.gentoo.org/glsa/glsa-201308-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:06:45 UTC
CVE-2012-5627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5627):
  Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x
  before 5.2.14 does not modify the salt during multiple executions of the
  change_user command within the same connection which makes it easier for
  remote authenticated users to conduct brute force password guessing attacks.
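
A version triage for the per-branch fix releases quoted in the CVE-2012-5627 entry above, as an added example that is not part of the bug report or of Gentoo's tooling. The `FIXED_IN` table, the function names and the sample inventory are constructed for illustration; a branch the entry does not list is reported as `unlisted` rather than assumed safe.

```python
import re

# Per-branch first fixed releases, copied from the CVE-2012-5627 text above.
FIXED_IN = {
    (5, 5): "5.5.29",
    (5, 3): "5.3.12",
    (5, 2): "5.2.14",
}

# major.minor.patch plus an optional letter suffix such as the "a" in 5.5.28a;
# anything after that (e.g. "-MariaDB-log") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Parse '5.5.28a' or '5.5.29-MariaDB-log' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter = m.groups()
    # '' sorts before 'a', so 5.5.28 < 5.5.28a < 5.5.29.
    return int(major), int(minor), int(patch), letter


def status(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one server version."""
    version = parse_version(version_text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # A branch the advisory does not name is not evidence of safety.
        return "unlisted"
    return "affected" if version < parse_version(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered with SELECT VERSION().
    inventory = [("db1", "5.5.28a"), ("db2", "5.5.29-MariaDB"),
                 ("db3", "5.3.11"), ("db4", "5.1.66")]
    for host, ver in inventory:
        print(f"{host:4} {ver:16} {status(ver)}")
```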