[gentoo-announce] [ GLSA 200410-22 ] MySQL: Multiple vulnerabilities - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200410-22 ] MySQL: Multiple vulnerabilities
Date:	Sun, 24 Oct 2004 14:31:45
Message-Id:	`417BBC59.6070706@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200410-22

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: MySQL: Multiple vulnerabilities

9

      Date: October 24, 2004

10

      Bugs: #67062

11

        ID: 200410-22

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Several vulnerabilities including privilege abuse, Denial of Service,

19

and potentially remote arbitrary code execution have been discovered

20

in MySQL.

21

22

Background

23

==========

24

25

MySQL is a popular open-source, multi-threaded, multi-user SQL database

26

server.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package       /  Vulnerable  /                         Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-db/mysql      < 4.0.21                              >= 4.0.21

35

36

Description

37

===========

38

39

The following vulnerabilities were found and fixed in MySQL:

40

41

Oleksandr Byelkin found that ALTER TABLE ... RENAME checks

42

CREATE/INSERT rights of the old table instead of the new one

43

(CAN-2004-0835). Another privilege checking bug allowed users to grant

44

rights on a database they had no rights on.

45

46

Dean Ellis found a defect where multiple threads ALTERing the MERGE

47

tables to change the UNION could cause the server to crash

48

(CAN-2004-0837). Another crash was found in MATCH ... AGAINST() queries

49

with missing closing double quote.

50

51

Finally, a buffer overrun in the mysql_real_connect function was found

52

by Lukasz Wojtow (CAN-2004-0836).

53

54

Impact

55

======

56

57

The privilege checking issues could be used by remote users to bypass

58

their rights on databases. The two crashes issues could be exploited by

59

a remote user to perform a Denial of Service attack on MySQL server.

60

The buffer overrun issue could also be exploited as a Denial of Service

61

attack, and may allow to execute arbitrary code with the rights of the

62

MySQL daemon (typically, the "mysql" user).

63

64

Workaround

65

==========

66

67

There is no known workaround at this time.

68

69

Resolution

70

==========

71

72

All MySQL users should upgrade to the latest version:

73

74

    # emerge sync

75

76

    # emerge -pv ">=dev-db/mysql-4.0.21"

77

    # emerge ">=dev-db/mysql-4.0.21"

78

79

References

80

==========

81

82

  [ 1 ] CAN-2004-0835

83

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835

84

  [ 2 ] CAN-2004-0836

85

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836

86

  [ 3 ] CAN-2004-0837

87

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837

88

  [ 4 ] Privilege granting bug

89

        http://bugs.mysql.com/bug.php?id=3933

90

  [ 5 ] MATCH ... AGAINST crash bug

91

        http://bugs.mysql.com/bug.php?id=3870

92

93

Availability

94

============

95

96

This GLSA and any updates to it are available for viewing at

97

the Gentoo Security Website:

98

99

  http://security.gentoo.org/glsa/glsa-200410-22.xml

100

101

Concerns?

102

=========

103

104

Security is a primary focus of Gentoo Linux and ensuring the

105

confidentiality and security of our users machines is of utmost

106

importance to us. Any security concerns should be addressed to

107

security@g.o or alternatively, you may file a bug at

108

http://bugs.gentoo.org.

109

110

License

111

=======

112

113

Copyright 2004 Gentoo Foundation, Inc; referenced text

114

belongs to its owner(s).

115

116

The contents of this document are licensed under the

117

Creative Commons - Attribution / Share Alike license.

118

119

http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200410-22
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: MySQL: Multiple vulnerabilities
9	Date: October 24, 2004
10	Bugs: #67062
11	ID: 200410-22
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Several vulnerabilities including privilege abuse, Denial of Service,
19	and potentially remote arbitrary code execution have been discovered
20	in MySQL.
21
22	Background
23	==========
24
25	MySQL is a popular open-source, multi-threaded, multi-user SQL database
26	server.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-db/mysql < 4.0.21 >= 4.0.21
35
36	Description
37	===========
38
39	The following vulnerabilities were found and fixed in MySQL:
40
41	Oleksandr Byelkin found that ALTER TABLE ... RENAME checks
42	CREATE/INSERT rights of the old table instead of the new one
43	(CAN-2004-0835). Another privilege checking bug allowed users to grant
44	rights on a database they had no rights on.
45
46	Dean Ellis found a defect where multiple threads ALTERing the MERGE
47	tables to change the UNION could cause the server to crash
48	(CAN-2004-0837). Another crash was found in MATCH ... AGAINST() queries
49	with missing closing double quote.
50
51	Finally, a buffer overrun in the mysql_real_connect function was found
52	by Lukasz Wojtow (CAN-2004-0836).
53
54	Impact
55	======
56
57	The privilege checking issues could be used by remote users to bypass
58	their rights on databases. The two crashes issues could be exploited by
59	a remote user to perform a Denial of Service attack on MySQL server.
60	The buffer overrun issue could also be exploited as a Denial of Service
61	attack, and may allow to execute arbitrary code with the rights of the
62	MySQL daemon (typically, the "mysql" user).
63
64	Workaround
65	==========
66
67	There is no known workaround at this time.
68
69	Resolution
70	==========
71
72	All MySQL users should upgrade to the latest version:
73
74	# emerge sync
75
76	# emerge -pv ">=dev-db/mysql-4.0.21"
77	# emerge ">=dev-db/mysql-4.0.21"
78
79	References
80	==========
81
82	[ 1 ] CAN-2004-0835
83	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
84	[ 2 ] CAN-2004-0836
85	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
86	[ 3 ] CAN-2004-0837
87	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
88	[ 4 ] Privilege granting bug
89	http://bugs.mysql.com/bug.php?id=3933
90	[ 5 ] MATCH ... AGAINST crash bug
91	http://bugs.mysql.com/bug.php?id=3870
92
93	Availability
94	============
95
96	This GLSA and any updates to it are available for viewing at
97	the Gentoo Security Website:
98
99	http://security.gentoo.org/glsa/glsa-200410-22.xml
100
101	Concerns?
102	=========
103
104	Security is a primary focus of Gentoo Linux and ensuring the
105	confidentiality and security of our users machines is of utmost
106	importance to us. Any security concerns should be addressed to
107	security@g.o or alternatively, you may file a bug at
108	http://bugs.gentoo.org.
109
110	License
111	=======
112
113	Copyright 2004 Gentoo Foundation, Inc; referenced text
114	belongs to its owner(s).
115
116	The contents of this document are licensed under the
117	Creative Commons - Attribution / Share Alike license.
118
119	http://creativecommons.org/licenses/by-sa/1.0