Bug 500260 (CVE-2014-0001) - <dev-db/mysql-5.5.39: Buffer Overflow Vulnerability (CVE-2014-0001)
Summary: <dev-db/mysql-5.5.39: Buffer Overflow Vulnerability (CVE-2014-0001)
Alias: CVE-2014-0001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2014-02-04 10:40 UTC by Agostino Sarubbo
Modified: 2014-09-04 08:48 UTC

Description Agostino Sarubbo gentoo-dev 2014-02-04 10:40:55 UTC
From ${URL} :


A vulnerability has been reported in MySQL, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within MySQL client in the "main()" function when processing received server information (client/ and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into connecting to a malicious server.

No official solution is currently available.

Provided and/or discovered by:
Garth Mollett in a bug report.

Original Advisory:
Garth Mollett:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-06-17 23:17:00 UTC
This issue is fixed in 5.5.37: from : "While printing the server version, the mysql client did not check for buffer overflow in a string variable. (Bug #18186103)"

The issue was introduced in 5.1.34 c.f.

I don't see any current fix for the 5.1 branch, but it might be possible to backport the patch from 

@maintainers: Please advise what you think is the appropriate way forward: stabilization of 5.5.37-r1 or a backport of the patch to the 5.1 series?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 20:59:05 UTC
CVE-2014-0001 (
  Buffer overflow in client/ in Oracle MySQL and MariaDB before 5.5.35
  allows remote database servers to cause a denial of service (crash) and
  possibly execute arbitrary code via a long server version string.
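
The bug class described in this report (a server-supplied version string copied into a fixed-size client buffer without a length check), shown with a bounded copy that reports truncation. This is an added illustration, not code from the MySQL client or from this bug report; `BANNER_SIZE`, `append_bounded`, `build_banner` and the `suffix` parameter are hypothetical names chosen for the example.

```c
/* Added illustration; not the MySQL client's code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BANNER_SIZE 64  /* assumed buffer size, chosen for this example */

/* Unsafe pattern, for contrast only (copy length is set by the server):
 *     strcpy(banner, "Server version: "); strcat(banner, server_version);
 */

/* Append src to dst (capacity cap, current length *len). Copies only what
 * fits, keeps dst NUL-terminated, returns 1 if src had to be truncated. */
static int append_bounded(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t room = cap - 1 - *len;   /* bytes left before the terminator */
    size_t want = strlen(src);
    size_t n = want < room ? want : room;
    memcpy(dst + *len, src, n);
    *len += n;
    dst[*len] = '\0';
    return want > room;
}

/* Build "Server version: <version>[ <suffix>]" in out.
 * Returns 0 if it fit, 1 if server data was truncated, -1 on bad arguments. */
int build_banner(char *out, size_t cap, const char *version, const char *suffix)
{
    size_t len = 0;
    int truncated;
    if (out == NULL || cap == 0 || version == NULL)
        return -1;
    out[0] = '\0';
    truncated = append_bounded(out, cap, &len, "Server version: ");
    truncated |= append_bounded(out, cap, &len, version);
    if (suffix != NULL && suffix[0] != '\0') {
        truncated |= append_bounded(out, cap, &len, " ");
        truncated |= append_bounded(out, cap, &len, suffix);
    }
    return truncated;
}

int main(void)
{
    char banner[BANNER_SIZE], hostile[512]; /* hostile: constructed input */
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';
    printf("rc=%d\n", build_banner(banner, sizeof banner, hostile, NULL));
    return 0;
}
```

A return value of 1 lets the caller log or reject an oversized version string instead of silently displaying a cut-off one.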
Comment 3 Sergey Popov gentoo-dev 2014-09-04 07:11:20 UTC
Added to existing GLSA request
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:38 UTC
This issue was resolved and addressed in
 GLSA 201409-04 at
by GLSA coordinator Sergey Popov (pinkbyte).