Debian Bug report logs - #285276
mysql-server: Security bug in MySQL in woody (CAN-2004-0957)

Package: mysql-dfsg; Maintainer for mysql-dfsg is (unknown);

Reported by: Hideki Yamane <henrich@samba.gr.jp>

Date: Sun, 12 Dec 2004 06:18:02 UTC

Severity: grave

Tags: fixed, patch, security, woody

Merged with 296674

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#285276; Package mysql. Full text and rfc822 format available.

Acknowledgement sent to Hideki Yamane <henrich@samba.gr.jp>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@samba.gr.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)
Date: Sun, 12 Dec 2004 15:15:29 +0900
Package: mysql
Version: 3.23.49-8.8
Severity: grave
Tags: security, woody
Justification: renders package unusable


Dear mysql maintainer,

 I saw the Ubuntu security advisory and found that the vulnerabilities in the Debian 
 mysql package are not fixed yet. The Ubuntu announcement is here.
 http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html

>Some query strings containing a double quote (like MATCH ... AGAINST
>(' some " query' IN BOOLEAN MODE) ) that did not have a matching
>closing double quote caused a denial of service (server crash). Again,
>this is only exploitable by authorized mysql users.  (CAN-2004-0956)
>
>If a user was granted privileges to a database with a name containing
>an underscore ("_"), the user also gained the ability to grant
>privileges to other databases with similar names. (CAN-2004-0957)


 I see that Christian asked about these issues in the mysql BTS, but there
 has been no progress since September. So,

 * check and compare other distributions' patches for their packages and 
   make a patch if you can 
   http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html 
   http://rhn.redhat.com/errata/RHSA-2004-597.html
   http://rhn.redhat.com/errata/RHSA-2004-611.html
   
 * or the security team should help to get these issues fixed


 I'll post this to make these issues easy to track. I hope you'll make
 it well and all Debian mysql users can sleep peacefully :)

 
-- 
Regards,

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp



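The privilege leak described for CAN-2004-0957 comes from MySQL treating `_` and `%` in the Db column of its grant tables as LIKE-style wildcards. The following Python model is an added example, not code from the bug report, the Red Hat patch or MySQL itself: the matcher, the (user, db_pattern, privileges) grant-row layout and the audit helper are simplified assumptions. It shows how an unescaped underscore in a grant row for `foo_bar` also matches `fooxbar`, and how escaping the name (plus auditing for unescaped wildcards) narrows the grant back to one database.

```python
# Added model (not MySQL's own code) of how database names in the grant
# tables are matched: '_' matches any one character, '%' any sequence and a
# backslash escapes either. Grant rows here are constructed sample data.
import re

def wild_match(pattern: str, name: str) -> bool:
    """LIKE-style match of a grant-table Db pattern against a database name."""
    i = j = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):       # escaped literal character
            if j >= len(name) or name[j] != pattern[i + 1]:
                return False
            i, j = i + 2, j + 1
        elif c == "%":                                # any sequence: try every split
            rest = pattern[i + 1:]
            return any(wild_match(rest, name[k:]) for k in range(j, len(name) + 1))
        elif j < len(name) and (c == "_" or name[j] == c):  # one char or literal
            i, j = i + 1, j + 1
        else:
            return False
    return j == len(name)

def effective_privs(grants, user, db):
    """Union of privileges from every grant row whose Db pattern matches db."""
    return set().union(*(p for u, pat, p in grants if u == user and wild_match(pat, db)))

def can_grant(grants, user, db):
    """Whether user may hand out privileges on db (the CAN-2004-0957 question)."""
    return "GRANT" in effective_privs(grants, user, db)

def escape_db_name(name):
    """Mitigation: escape wildcards so the grant covers one literal database only."""
    return name.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")

# An unescaped '_' or '%' reached after skipping escaped pairs.
_BARE_WILDCARD = re.compile(r"(?:[^\\_%]|\\.)*[_%]")

def audit_wildcard_grants(grants):
    """Defender check: grant rows whose Db pattern still contains a bare wildcard."""
    return [(u, pat) for u, pat, _ in grants if _BARE_WILDCARD.match(pat)]

# Constructed grant rows: alice was granted privileges on database foo_bar.
VULNERABLE_GRANTS = [("alice", "foo_bar", {"SELECT", "GRANT"})]
HARDENED_GRANTS = [("alice", escape_db_name("foo_bar"), {"SELECT", "GRANT"})]

if __name__ == "__main__":
    for grants in (VULNERABLE_GRANTS, HARDENED_GRANTS):
        print(grants[0][1], can_grant(grants, "alice", "fooxbar"), audit_wildcard_grants(grants))
```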



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#285276; Package mysql. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 285276@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Hideki Yamane <henrich@samba.gr.jp>, 285276@bugs.debian.org
Subject: Re: Bug#285276: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)
Date: Mon, 13 Dec 2004 10:37:38 +0100
[Message part 1 (text/plain, inline)]
Hello Hideki

On 2004-12-12 Hideki Yamane wrote:
>  I saw the Ubuntu security advisory and found that the vulnerabilities in the Debian 
>  mysql package are not fixed yet. The Ubuntu announcement is here.
>  http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html

Thanks for reporting, I will have a look at it!

bye,

-christian-


[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#285276; Package mysql. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 285276@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Hideki Yamane <henrich@samba.gr.jp>, 285276@bugs.debian.org
Subject: Re: Bug#285276: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)
Date: Tue, 14 Dec 2004 02:34:06 +0100
[Message part 1 (text/plain, inline)]
Hello

On 2004-12-12 Hideki Yamane wrote:
>  I saw the Ubuntu security advisory and found that the vulnerabilities in the Debian 
>  mysql package are not fixed yet. The Ubuntu announcement is here.
>  http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html
> 
> >Some query strings containing a double quote (like MATCH ... AGAINST
> >(' some " query' IN BOOLEAN MODE) ) that did not have a matching
> >closing double quote caused a denial of service (server crash). Again,
> >this is only exploitable by authorized mysql users.  (CAN-2004-0956)

This one is listed as not affecting the version that was shipped in Woody:
http://www.debian.org/security/nonvulns-woody


> >If a user was granted privileges to a database with a name containing
> >an underscore ("_"), the user also gained the ability to grant
> >privileges to other databases with similar names. (CAN-2004-0957)

>  * check and compare other distributions' patches for their packages and 
>    make a patch if you can 
>    http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html
Ubuntu uses 4.0 so I can't take their patches.

>    http://rhn.redhat.com/errata/RHSA-2004-597.html
>    http://rhn.redhat.com/errata/RHSA-2004-611.html
I found a promising patch for CAN-2004-0957 in 3.23.58-1.72.1.src.rpm,
hopefully I can modify it to get 3.23.49 which we use in Debian...

bye,

-christian-
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#285276; Package mysql. Full text and rfc822 format available.

Acknowledgement sent to Hideki Yamane <henrich@iijmio-mail.jp>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #20 received at 285276@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@iijmio-mail.jp>
To: Christian Hammers <ch@debian.org>
Cc: Hideki Yamane <henrich@samba.gr.jp>, 285276@bugs.debian.org
Subject: Re: Bug#285276: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)
Date: Tue, 14 Dec 2004 20:42:42 +0900
Hi Christian,

  "Tue, 14 Dec 2004 02:34:06 +0100", "Christian Hammers"
  "Re: Bug#285276: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)"
>> >this is only exploitable by authorized mysql users.  (CAN-2004-0956)
>
>This one is listed as not affecting the version that was shipped in Woody:
>http://www.debian.org/security/nonvulns-woody

 OK.

 # But who checked it, and how was it checked that it is not vulnerable?
   There is no reasoning given for that, I wonder.

 And sarge's mysql-dfsg and sid's mysql-dfsg-4.1 are newer than 
 4.0.20, good :)


>>    http://rhn.redhat.com/errata/RHSA-2004-597.html
>>    http://rhn.redhat.com/errata/RHSA-2004-611.html
>I found a promising patch for CAN-2004-0957 in 3.23.58-1.72.1.src.rpm,
>hopefully I can modify it to get 3.23.49 which we use in Debian...

 Sounds good :)  Thank you for your reply!
 

 
-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp




Bug reassigned from package `mysql' to `mysql-dfsg'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 285276 296674. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#285276; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #29 received at 285276@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 285276@bugs.debian.org, 296674@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: [CAN-2004-0957] i believe this patch should do it...
Date: Fri, 11 Mar 2005 01:20:43 -0500
[Message part 1 (text/plain, inline)]
tags 285276 patch
tags 296674 patch
thanks

hi,

i believe the attached patch fixes the vulnerability.  i took the redhat
src rpm patch "mysql-3.23.58-security.patch", removed the parts of the
patch that are already addressed by other DSAs, adjusted some line
numbers, and did a little extra massaging to get it to fit.

the patch cleanly applies, the package builds and installs, mysql starts
up, and i can connect to the database all without problems.  however,
this is all in my virgin woody-i386 chroot on an unstable amd64 box, and
i haven't tested that the vulnerability is actually gone.  could someone
more familiar with the vulnerability try a before and after to see if
the problem is resolved?


	sean

-- 
[mysql-CAN-2004-0957.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hideki Yamane <henrich@samba.gr.jp>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #48 received at 285276-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 285276-done@bugs.debian.org, 296674-done@bugs.debian.org, 300158-done@bugs.debian.org
Subject: Closing bugs for mysql-3.23 due to the release of a DSA
Date: Wed, 13 Apr 2005 17:22:11 +0200
[Message part 1 (text/plain, inline)]
I'm closing the bug reports that were fixed by the just released DSA.

bye,

-christian-
[Message part 2 (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:46:53 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.