[debian-mysql] CVE-2009-2446: Format string vulnerabilities in MySQL

Christian Hammers ch at lathspell.de
Wed Jul 29 21:06:36 UTC 2009


Hi

Have you received the below mail? The first version was with all the 
attachments so maybe too large for your mailbox...

bye,

-christian-



On Wed, 22 Jul 2009 22:54:41 +0200,
Christian Hammers <ch at debian.org> wrote:

> Hello Security-Team
> 
> I prepared a new version (5.0.51a-24+lenny2) of MySQL that fixes a
> security hole:
> 
>     Fix for CVE-2009-2446: Multiple format string vulnerabilities in
>     the dispatch_command function in libmysqld/sql_parse.cc allow remote
>     authenticated users to cause a denial of service (daemon crash)
>     and possibly have unspecified other impact via format string
>     specifiers in a database name in a (1) COM_CREATE_DB or (2)
>     COM_DROP_DB request. Closes: #536726
> 
> The interdiff is quite small:
> 
>  debian/patches/95_SECURITY_CVE-2009-2446.dpatch |   95 ++++++++++++++++++++++++
>  mysql-dfsg-5.0-5.0.51a/debian/changelog         |   12 +++
>  mysql-dfsg-5.0-5.0.51a/debian/patches/00list    |    1 
> 
> The patch was confirmed by Sergei Golubchik <serg at mysql.com> and
> comes directly from the upstream git repository.
> 
> The MySQL versions 5.0.81-1 (sid) and 5.1.36-1 (experimental) are not
> affected. 5.0.32-7etch8 probably is, I attached a patch for that
> version, too, but only verified that it applies. Due to strange tetex
> errors during "apt-get build-dep" neither pbuilder nor I were able to
> set up a proper chroot. The upstream patch applied without changes
> though, so I expect it to work (famous last words, I know :))
> 
> Below is a trace which I made to verify that the patch works. 
> The mysql_format.c source is in the original Bugtraq announcement.
> 
> I assume that you do the rest and upload the new version, if I can be
> of any help, let me know.
> 
> bye,
> 
> -christian-
> 
> 
> -----------------------------------------------
> root at james:/tmp# mysql -uroot -pgeheim
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> Your MySQL connection id is 28
> Server version: 5.0.51a-24+lenny1-log (Debian)
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
> 
> mysql> 
> 
> 
> 	========== in a second shell =================
> 
> 	root at james:/tmp# gcc -o mysql_format -lmysqlclient ./mysql_format.c;  ./mysql_format %s%s%s%s%s
> 	./mysql_format.c: In function ‘main’:
> 	./mysql_format.c:39: warning: incompatible implicit declaration of built-in function ‘strlen’
> 	Connect OK
> 
>         ========== back to original shell ============
> 
> 
> mysql> SHOW PROCESSLIST;
> ERROR 2006 (HY000): MySQL server has gone away             <--------- typical for MySQL segfault
> No connection. Trying to reconnect...
> Connection id:    1
> Current database: *** NONE ***
> 
> +----+------+-----------+------+---------+------+-------+------------------+
> | Id | User | Host      | db   | Command | Time | State | Info             |
> +----+------+-----------+------+---------+------+-------+------------------+
> |  1 | root | localhost | NULL | Query   |    0 | NULL  | SHOW PROCESSLIST |
> +----+------+-----------+------+---------+------+-------+------------------+
> 1 row in set (0.00 sec)
> 
> mysql> Bye
> 
> root at james:/tmp# dpkg -i libmysqlclient15off_5.0.51a-24+lenny2_amd64.deb mysql-server-5.0_5.0.51a-24+lenny2_amd64.deb
> (Lese Datenbank ... 18455 Dateien und Verzeichnisse sind derzeit installiert.)
> Vorbereiten zum Ersetzen von libmysqlclient15off 5.0.51a-24+lenny1 (durch libmysqlclient15off_5.0.51a-24+lenny2_amd64.deb) ...
> Entpacke Ersatz für libmysqlclient15off ...
> Vorbereiten zum Ersetzen von mysql-server-5.0 5.0.51a-24+lenny1 (durch mysql-server-5.0_5.0.51a-24+lenny2_amd64.deb) ...
> Entpacke Ersatz für mysql-server-5.0 ...
> Richte libmysqlclient15off ein (5.0.51a-24+lenny2) ...
> Richte mysql-server-5.0 ein (5.0.51a-24+lenny2) ...
> Verarbeite Trigger für man-db ...
> root at james:/tmp# /etc/init.d/mysql restart
> Stopping MySQL database server: mysqld.
> Starting MySQL database server: mysqld.
> Checking for corrupt, not cleanly closed and upgrade needing tables..
> root at james:/tmp# mysql -uroot -pgeheim
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> Your MySQL connection id is 28
> Server version: 5.0.51a-24+lenny2-log (Debian)
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
> 
> mysql> SHOW PROCESLIST;
> ERROR 1064 (42000): You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near 'PROCESLIST' at line 1
> mysql> SHOW PROCESSLIST;
> +----+------+-----------+------+---------+------+-------+------------------+
> | Id | User | Host      | db   | Command | Time | State | Info             |
> +----+------+-----------+------+---------+------+-------+------------------+
> | 28 | root | localhost | NULL | Query   |    0 | NULL  | SHOW PROCESSLIST |
> +----+------+-----------+------+---------+------+-------+------------------+
> 1 row in set (0.00 sec)
> 
> mysql> 
> 
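The bug class behind the trace above, as an added example that is not part of Christian's mail, the Debian patch or MySQL's code: a minimal variadic logger with the hardened call shape (user data as a `%s` argument, never as the format) next to the vulnerable one, plus a defender-side check that flags database names carrying conversion specifiers. `log_command`, `log_db_command` and `has_format_specifier` are hypothetical stand-ins, not MySQL functions.

```c
/* Added example, not MySQL's code.  In CVE-2009-2446 the client-supplied
 * database name of a COM_CREATE_DB / COM_DROP_DB packet reached a
 * printf-style function as the *format*, so "%s%s%s%s%s" made mysqld
 * dereference whatever the missing arguments pointed at and crash. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256

/* Hypothetical stand-in for a general-log printer: formats one line into
 * `out` and returns the number of characters that vsnprintf produced. */
static int log_command(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape (kept as a comment on purpose, never compiled):
 *     log_command(out, outsz, db);          // db becomes the format string
 * Hardened shape: the format is a literal, the name is a plain argument. */
int log_db_command(char *out, size_t outsz, const char *cmd, const char *db)
{
    return log_command(out, outsz, "%s: %s", cmd, db);
}

/* Returns 1 if `name` holds a printf conversion specifier, i.e. a '%' that
 * is not the literal escape "%%".  No legitimate schema name needs one, so
 * a hit is a cheap detection signal in an audit hook or query-log parser. */
int has_format_specifier(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is just a percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    const char *db = "%s%s%s%s%s";   /* constructed: the payload from the trace */
    if (has_format_specifier(db))
        printf("suspicious db name: %s\n", db);
    log_db_command(line, sizeof line, "create_db", db);
    printf("%s\n", line);            /* prints the name literally, no crash */
    return 0;
}
```

With the literal format the payload is logged verbatim, which is exactly what the patched 5.0.51a-24+lenny2 server in the trace does when it survives the same request.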


