Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 462498 (CVE-2012-0553) - <dev-db/mysql-5.1.69: yaSSL Two Buffer Overflow Vulnerabilities (CVE-2012-0553,CVE-2013-{1492,1623})
Summary: <dev-db/mysql-5.1.69: yaSSL Two Buffer Overflow Vulnerabilities (CVE-2012-055...
Status: RESOLVED FIXED
Alias: CVE-2012-0553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52445/
Whiteboard: A1 [glsa]
Keywords:
: 464082 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-03-20 15:21 UTC by Agostino Sarubbo
Modified: 2013-08-29 09:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-20 15:21:12 UTC 
From ${URL} :

Description
Two vulnerabilities have been reported in MySQL, which can be exploited by malicious people to 
compromise a vulnerable system.

1) An unspecified error related to yaSSL can be exploited to cause a buffer overflow.

This vulnerability is reported in versions prior to 5.1.68 and 5.5.28.

2) An unspecified error related to yaSSL can be exploited to cause a buffer overflow.

This vulnerability is reported in versions prior to 5.1.68 and 5.5.30.


Solution
Update to version 5.1.68 or 5.5.30.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-28.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-30.html
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-68.html
Comment 1 Agostino Sarubbo gentoo-dev 2013-03-21 18:33:38 UTC 
there is another CVE: CVE-2013-1623 https://secunia.com/advisories/52669/

Description
A weakness has been reported in Oracle MySQL, which can be exploited by malicious people to disclose certain sensitive information.

For more information:
SA52028

The weakness is reported in versions 5.1.x through 5.1.68, 5.5.x through 5.5.30, and 5.6.x through 5.6.10.


Solution
The vulnerabilities will be fixed in upcoming versions 5.1.69, 5.5.31, and 5.6.11.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://blogs.oracle.com/sunsecurity/entry/cve_2013_1623_timing_side
Comment 2 Agostino Sarubbo gentoo-dev 2013-04-01 14:12:26 UTC 
*** Bug 464082 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:31:12 UTC 
CVE-2013-1492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1492):
  Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x
  before 5.5.30, has unspecified impact and attack vectors, a different
  vulnerability than CVE-2012-0553.

CVE-2012-0553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0553):
  Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x
  before 5.5.28, has unspecified impact and attack vectors, a different
  vulnerability than CVE-2013-1492.
Comment 4 Roman Žilka 2013-05-01 12:23:26 UTC 
Reminder in case it's been overlooked/forgotten. It's becoming older than old.
Comment 5 Sergey Popov gentoo-dev 2013-08-29 06:51:45 UTC 
5.1.70 was stabilized in bug #477474, adding to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 09:11:59 UTC 
This issue was resolved and addressed in
 GLSA 201308-06 at http://security.gentoo.org/glsa/glsa-201308-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).