[debian-mysql] CVE-2009-2446: Format string vulnerabilities in MySQL
Christian Hammers
ch at lathspell.de
Wed Jul 29 21:06:36 UTC 2009
Hi
Have you received the below mail? The first version was with all the
attachments so maybe too large for your mailbox...
bye,
-christian-
Am Wed, 22 Jul 2009 22:54:41 +0200
schrieb Christian Hammers <ch at debian.org>:
> Hello Security-Team
>
> I prepared a new version (5.0.51a-24+lenny2) of MySQL that fixes a
> security hole:
>
> Fix for CVE-2009-2446: Multiple format string vulnerabilities in
> the dispatch_command function in libmysqld/sql_parse.cc allow remote
> authenticated users to cause a denial of service (daemon crash)
> and possibly have unspecified other impact via format string
> specifiers in a database name in a (1) COM_CREATE_DB or (2)
> COM_DROP_DB request. Closes: #536726
>
> The interdiff is quite small:
>
> debian/patches/95_SECURITY_CVE-2009-2446.dpatch | 95
> ++++++++++++++++++++++++
> mysql-dfsg-5.0-5.0.51a/debian/changelog | 12 +++
> mysql-dfsg-5.0-5.0.51a/debian/patches/00list | 1
>
> The patch was confirmed by Sergei Golubchik <serg at mysql.com> and
> comes directly from the upstream git repository.
>
> The MySQL version 5.0.81-1 (sid) and 5.1.36-1 (experimental) are not
> affected. 5.0.32-7etch8 probably is, I attached a patch for that
> version, too, but only verified that it applies. Due to strange tetex
> errors during "apt-get build-dep" neither pbuilder nor I were able to
> set up a proper chroot. The upstream patch applied without changes
> though, so I expect it to work (famous last words, I know :))
>
> Below is a trace which I made to verify that the patch works.
> The mysql_format.c source is in the original Bugtraq announcement.
>
> I assume that you do the rest and upload the new version, if I can be
> of any help, let me know.
>
> bye,
>
> -christian-
>
>
> -----------------------------------------------
> root at james:/tmp# mysql -uroot -pgeheim
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 28
> Server version: 5.0.51a-24+lenny1-log (Debian)
>
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
>
> mysql>
>
>
> ========== in a second shell =================
>
> root at james:/tmp# gcc -o mysql_format -lmysqlclient ./mysql_format.c; ./mysql_format %s%s%s%s%s
> ./mysql_format.c: In function ‘main’:
> ./mysql_format.c:39: warning: incompatible implicit declaration of built-in function ‘strlen’
> Connect OK
>
> ========== back to original shell ============
>
>
> mysql> SHOW PROCESSLIST;
> ERROR 2006 (HY000): MySQL server has gone away    <--------- typical for MySQL segfault
> No connection. Trying to reconnect...
> Connection id:    1
> Current database: *** NONE ***
>
> +----+------+-----------+------+---------+------+-------+------------------+
> | Id | User | Host      | db   | Command | Time | State | Info             |
> +----+------+-----------+------+---------+------+-------+------------------+
> |  1 | root | localhost | NULL | Query   |    0 | NULL  | SHOW PROCESSLIST |
> +----+------+-----------+------+---------+------+-------+------------------+
> 1 row in set (0.00 sec)
>
> mysql> Bye
>
> root at james:/tmp# dpkg -i libmysqlclient15off_5.0.51a-24+lenny2_amd64.deb mysql-server-5.0_5.0.51a-24+lenny2_amd64.deb
> (Lese Datenbank ... 18455 Dateien und Verzeichnisse sind derzeit installiert.)
> Vorbereiten zum Ersetzen von libmysqlclient15off 5.0.51a-24+lenny1 (durch libmysqlclient15off_5.0.51a-24+lenny2_amd64.deb) ...
> Entpacke Ersatz für libmysqlclient15off ...
> Vorbereiten zum Ersetzen von mysql-server-5.0 5.0.51a-24+lenny1 (durch mysql-server-5.0_5.0.51a-24+lenny2_amd64.deb) ...
> Entpacke Ersatz für mysql-server-5.0 ...
> Richte libmysqlclient15off ein (5.0.51a-24+lenny2) ...
> Richte mysql-server-5.0 ein (5.0.51a-24+lenny2) ...
> Verarbeite Trigger für man-db ...
> root at james:/tmp# /etc/init.d/mysql restart
> Stopping MySQL database server: mysqld.
> Starting MySQL database server: mysqld.
> Checking for corrupt, not cleanly closed and upgrade needing tables..
> root at james:/tmp# mysql -uroot -pgeheim
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 28
> Server version: 5.0.51a-24+lenny2-log (Debian)
>
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
>
> mysql> SHOW PROCESLIST;
> ERROR 1064 (42000): You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near 'PROCESLIST' at line 1
> mysql> SHOW PROCESSLIST;
> +----+------+-----------+------+---------+------+-------+------------------+
> | Id | User | Host      | db   | Command | Time | State | Info             |
> +----+------+-----------+------+---------+------+-------+------------------+
> | 28 | root | localhost | NULL | Query   |    0 | NULL  | SHOW PROCESSLIST |
> +----+------+-----------+------+---------+------+-------+------------------+
> 1 row in set (0.00 sec)
>
> mysql>
>
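As an added illustration (not code from this thread, from the Debian patch, or from MySQL's source), the two call shapes behind a format string bug of this kind, with a hypothetical log writer standing in for the server's: the client-supplied database name passed as the format itself versus passed as an argument to a fixed format, plus a check a reviewer can apply to any string about to be used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical log writer (not MySQL's general_log_print): one line into a buffer. */
static char log_line[256];
static void log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the client-supplied database name *is* the format string,
 * so a name like "%s%s%s%s%s" is parsed as conversions with no arguments
 * (undefined behaviour; the server reads stack garbage and usually crashes).
 * Shown for contrast only; nothing in this file calls it. */
void log_create_db_vulnerable(const char *db)
{
    log_printf(db);
}

/* Fixed shape: the name is an argument to a constant format and is bounded
 * by the length the wire protocol delivered, so '%' in it stays literal. */
const char *log_create_db_fixed(const char *db, size_t db_len)
{
    log_printf("create_db: %.*s", (int)db_len, db);
    return log_line;
}

/* Review check: count '%' directives in a would-be format, ignoring the literal "%%". */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *name = "%s%s%s%s%s";   /* the database name used in the trace above */
    printf("directives: %d\n", count_format_directives(name));
    printf("%s\n", log_create_db_fixed(name, strlen(name)));
    return 0;
}
```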