462498 – (CVE-2012-0553) <dev-db/mysql-5.1.69: yaSSL Two Buffer Overflow Vulnerabilities (CVE-2012-0553,CVE-2013-{1492,1623})

Bug 462498 (CVE-2012-0553) - <dev-db/mysql-5.1.69: yaSSL Two Buffer Overflow Vulnerabilities (CVE-2012-0553,CVE-2013-{1492,1623})

Summary: <dev-db/mysql-5.1.69: yaSSL Two Buffer Overflow Vulnerabilities (CVE-2012-055...

Status:	RESOLVED FIXED

Alias:	CVE-2012-0553

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/52445/
Whiteboard:	A1 [glsa]
Keywords:

Duplicates (1):	464082 (view as bug list)
Depends on:
Blocks:

Reported:	2013-03-20 15:21 UTC by Agostino Sarubbo
Modified:	2013-08-29 09:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-03-20 15:21:12 UTC

From ${URL} :

Description
Two vulnerabilities have been reported in MySQL, which can be exploited by malicious people to 
compromise a vulnerable system.

1) An unspecified error related to yaSSL can be exploited to cause a buffer overflow.

This vulnerability is reported in versions prior to 5.1.68 and 5.5.28.

2) An unspecified error related to yaSSL can be exploited to cause a buffer overflow.

This vulnerability is reported in versions prior to 5.1.68 and 5.5.30.


Solution
Update to version 5.1.68 or 5.5.30.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-28.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-30.html
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-68.html

Comment 1 Agostino Sarubbo gentoo-dev

2013-03-21 18:33:38 UTC

there is another CVE: CVE-2013-1623 https://secunia.com/advisories/52669/

Description
A weakness has been reported in Oracle MySQL, which can be exploited by malicious people to disclose certain sensitive information.

For more information:
SA52028

The weakness is reported in versions 5.1.x through 5.1.68, 5.5.x through 5.5.30, and 5.6.x through 5.6.10.


Solution
The vulnerabilities will be fixed in upcoming versions 5.1.69, 5.5.31, and 5.6.11.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://blogs.oracle.com/sunsecurity/entry/cve_2013_1623_timing_side

Comment 2 Agostino Sarubbo gentoo-dev

2013-04-01 14:12:26 UTC

*** Bug 464082 has been marked as a duplicate of this bug. ***

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2013-04-11 16:31:12 UTC

CVE-2013-1492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1492):
  Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x
  before 5.5.30, has unspecified impact and attack vectors, a different
  vulnerability than CVE-2012-0553.

CVE-2012-0553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0553):
  Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x
  before 5.5.28, has unspecified impact and attack vectors, a different
  vulnerability than CVE-2013-1492.

Comment 4 Roman Žilka 2013-05-01 12:23:26 UTC

Reminder in case it's been overlooked/forgotten. It's becoming older than old.

Comment 5 Sergey Popov (RETIRED) gentoo-dev

2013-08-29 06:51:45 UTC

5.1.70 was stabilized in bug #477474, adding to existing GLSA draft

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2013-08-29 09:11:59 UTC

This issue was resolved and addressed in
 GLSA 201308-06 at http://security.gentoo.org/glsa/glsa-201308-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).