Debian Bug report logs - #296674
mysql-server: Security bug in MySQL in woody (CAN-2004-0957)

Package: mysql-dfsg; Maintainer for mysql-dfsg is (unknown);

Reported by: Jefferson Cowart <jeff@cowart.net>

Date: Wed, 23 Feb 2005 22:18:01 UTC

Severity: grave

Tags: fixed, patch, security, woody

Merged with 285276

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Jefferson Cowart <jeff@cowart.net>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jefferson Cowart <jeff@cowart.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-server: Security bug in MySQL in woody (CAN-2004-0957)
Date: Wed, 23 Feb 2005 14:02:16 -0800
Package: mysql-server
Version: 3.23.49-8.9
Severity: grave
Tags: security woody
Justification: user security hole

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957 for more
information. Based on that writeup any version of MySQL prior to 3.23.58
is vulnerable. I have checked through the MySQL changelogs for stable
and I don't see this problem fixed there. If it is already fixed sorry
about the duplicate bug. (See also
http://www.us-cert.gov/cas/bulletins/SB05-054.html#mysql)

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux P450 2.4.18-1-686 #1 Wed Apr 14 18:20:10 UTC 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages mysql-server depends on:
ii  adduser                3.47              Add and remove users and groups
ii  debconf                1.2.35            Debian configuration management sy
ii  libc6                  2.2.5-11.8        GNU C Library: Shared libraries an
ii  libdbi-perl            1.21-2woody2      The Perl5 Database Interface by Ti
ii  libmysqlclient10       3.23.49-8.9       mysql database client library
ii  libstdc++2.10-glibc2.2 1:2.95.4-11woody1 The GNU stdc++ library
ii  libwrap0               7.6-9             Wietse Venema's TCP wrappers libra
ii  mysql-client           3.23.49-8.9       mysql database client binaries
ii  perl                   5.6.1-8.8         Larry Wall's Practical Extraction 
ii  psmisc                 20.2-2.1          Utilities that use the proc filesy
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#296674; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 296674@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Jefferson Cowart <jeff@cowart.net>, 296674@bugs.debian.org, dc <control@bugs.debian.org>
Subject: Re: Bug#296674: mysql-server: Security bug in MySQL in woody (CAN-2004-0957)
Date: Wed, 23 Feb 2005 23:41:43 +0100
reassign 285276 mysql-dfsg
reassign 296674 mysql-dfsg
merge 285276 296674
thanks

Hello Jefferson

On 2005-02-23 Jefferson Cowart wrote:
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957 for more
> information. Based on that writeup any version of MySQL prior to 3.23.58
> is vulnerable.
This bug already existed with subject:
 "#285276: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)"
I merged the two.

The problem with this bug is that it requires either a bigger version
change (3.23.49 to 3.23.58) or a very big patch for just this issue
(which is hard to produce, or do you have one that changes nothing except
the security hole?). Both were not liked very much and the security
implication is really really low (correct me if I'm wrong).

At the time the bug was disclosed I thought the Sarge release was just
some weeks away and would introduce a fixed 4.0 version with the new
"stable" version. Sadly Debian Sarge is still late with no release in
sight.

bye,

-christian-



Bug reassigned from package `mysql-server' to `mysql-dfsg'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 285276 296674. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #19 received at 296674@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 285276@bugs.debian.org, 296674@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: [CAN-2004-0957] i believe this patch should do it...
Date: Fri, 11 Mar 2005 01:20:43 -0500
tags 285276 patch
tags 296674 patch
thanks

hi,

i believe the attached patch fixes the vulnerability.  i took the redhat
src rpm patch "mysql-3.23.58-security.patch", removed the parts of the
patch that are already addressed by other DSA's, adjusted some line
numbers, and did a little extra massaging to get it to fit.

the patch cleanly applies, the package builds and installs, mysql starts
up, and i can connect to the database all without problems.  however,
this is all in my virgin woody-i386 chroot on an unstable amd64 box, and
i haven't tested that the vulnerability is actually gone.  could someone
more familiar with the vulnerability try a before and after to see if
the problem is resolved?


	sean

-- 
[mysql-CAN-2004-0957.patch (text/plain, attachment)]

Tags added: patch Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #28 received at 296674@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: sean finney <seanius@debian.org>, 296674@bugs.debian.org
Subject: Re: Bug#296674: [CAN-2004-0957] i believe this patch should do it...
Date: Fri, 11 Mar 2005 09:39:10 +0100
Hello Sean

On 2005-03-11 sean finney wrote:
> i believe the attached patch fixes the vulnerability.  i took the redhat
> src rpm patch "mysql-3.23.58-security.patch", removed the parts of the
> patch that are already addressed by other DSA's, adjusted some line
> numbers, and did a little extra massaging to get it to fit.
Great work! Thanks!
 
> the patch cleanly applies, the package builds and installs, mysql starts
> up, and i can connect to the database all without problems.  however,
> this is all in my virgin woody-i386 chroot on an unstable amd64 box, and
> i haven't tested that the vulnerability is actually gone.  could someone
> more familiar with the vulnerability try a before and after to see if
> the problem is resolved?
Wasn't it the one where a privilege granted to "table_name" also grants
rights on "tableXname", "tableYname" as '_' was considered as something
like a dot in a RegEx? This should be fairly easy to test.

bye,

-christian-
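The wildcard behaviour Christian describes above, as an added example (not code from this thread or from MySQL itself): a small model of LIKE-style privilege-pattern matching, where '_' matches any one character and '%' any run of characters, with a backslash assumed as the escape that makes a wildcard literal, plus an audit helper that lists which objects a grant pattern covers beyond the name it was written for. The grant patterns and object names are constructed for illustration; the matcher handles '%' as well as the '_' case discussed here.

```python
# Added example, not code from the bug thread or from MySQL: models LIKE-style
# privilege-pattern matching ('_' = any one character, '%' = any run of
# characters, backslash escapes a wildcard) and audits what each grant pattern
# covers beyond the name it was meant for. Sample names are constructed.

ESCAPE = "\\"

def wild_match(pattern: str, name: str) -> bool:
    """True if `name` matches `pattern` under LIKE-style wildcard rules."""
    def rec(pi: int, ni: int) -> bool:
        while pi < len(pattern):
            ch = pattern[pi]
            if ch == ESCAPE and pi + 1 < len(pattern):
                # escaped character must match literally, even '_' or '%'
                if ni >= len(name) or name[ni] != pattern[pi + 1]:
                    return False
                pi, ni = pi + 2, ni + 1
            elif ch == "_":
                if ni >= len(name):
                    return False
                pi, ni = pi + 1, ni + 1
            elif ch == "%":
                # '%' may absorb any number of characters; try each split
                return any(rec(pi + 1, k) for k in range(ni, len(name) + 1))
            elif ni >= len(name) or name[ni] != ch:
                return False
            else:
                pi, ni = pi + 1, ni + 1
        return ni == len(name)
    return rec(0, 0)

def extra_matches(patterns, objects):
    """Map each grant pattern to the objects it matches besides its own literal name."""
    report = {}
    for p in patterns:
        literal = p.replace(ESCAPE, "")  # the name the pattern was written for
        report[p] = sorted(o for o in objects if o != literal and wild_match(p, o))
    return report

# Constructed sample: a grant on table_name, the same grant with the
# underscore escaped, a deliberate prefix wildcard, and the server's objects.
SAMPLE_GRANTS = ["table_name", "table\\_name", "app%"]
SAMPLE_OBJECTS = ["table_name", "tableXname", "tableYname", "app_prod", "other"]

def audit():
    """Run the check over the constructed sample."""
    return extra_matches(SAMPLE_GRANTS, SAMPLE_OBJECTS)
```

Running audit() shows the unescaped grant on table_name also covering tableXname and tableYname, while the escaped form covers nothing extra.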

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #33 received at 296674@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Christian Hammers <ch@debian.org>
Cc: 296674@bugs.debian.org
Subject: Re: Bug#296674: [CAN-2004-0957] i believe this patch should do it...
Date: Fri, 11 Mar 2005 09:38:34 -0500
On Fri, Mar 11, 2005 at 09:39:10AM +0100, Christian Hammers wrote:
> Wasn't it the one where a privilege granted to "table_name" also grants
> rights on "tableXname", "tableYname" as '_' was considered as something
> like a dot in a RegEx? This should be fairly easy to test.

i knew it had something to do with underscores, but wasn't completely
sure.  i'll try this on the patched and unpatched version tonight.


	sean



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #38 received at 296674@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: sean finney <seanius@debian.org>
Cc: Christian Hammers <ch@debian.org>, 296674@bugs.debian.org
Subject: Re: Bug#296674: [CAN-2004-0957] i believe this patch should do it...
Date: Fri, 18 Mar 2005 16:33:52 +0100
sean finney wrote:
> On Fri, Mar 11, 2005 at 09:39:10AM +0100, Christian Hammers wrote:
> > Wasn't it the one where a privilege granted to "table_name" also grants
> > rights on "tableXname", "tableYname" as '_' was considered as something
> > like a dot in a RegEx? This should be fairly easy to test.
> 
> i knew it had something to do with underscores, but wasn't completely
> sure.  i'll try this on the patched and unpatched version tonight.

Any results?

Regards,

	Joey

-- 
The only stupid question is the unasked one.



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #43 received at 296674@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Christian Hammers <ch@debian.org>, 296674@bugs.debian.org
Subject: Re: Bug#296674: [CAN-2004-0957] i believe this patch should do it...
Date: Sun, 20 Mar 2005 10:38:09 -0500
hey folks,

On Fri, Mar 18, 2005 at 04:33:52PM +0100, Martin Schulze wrote:
> sean finney wrote:
> > On Fri, Mar 11, 2005 at 09:39:10AM +0100, Christian Hammers wrote:
> > > Wasn't it the one where a privilege granted to "table_name" also grants
> > > rights on "tableXname", "tableYname" as '_' was considered as something
> > > like a dot in a RegEx? This should be fairly easy to test.
> > 
> > i knew it had something to do with underscores, but wasn't completely
> > sure.  i'll try this on the patched and unpatched version tonight.
> 
> Any results?

sorry, took off for vac before testing this, and won't have time for
another week.  in the meantime, i think christian is looking into whether
or not the latest mysql vulnerabilities also affect woody, in which case
it might make sense to just wait and roll them all together since this
one isn't all that severe and has been open for so long anyways.


	sean


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #48 received at 296674@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: sean finney <seanius@debian.org>
Cc: Martin Schulze <joey@infodrom.org>, 296674@bugs.debian.org
Subject: Re: Bug#296674: [CAN-2004-0957] i believe this patch should do it...
Date: Sun, 20 Mar 2005 16:41:31 +0100
Hello

On 2005-03-20 sean finney wrote:
> On Fri, Mar 18, 2005 at 04:33:52PM +0100, Martin Schulze wrote:
> > sean finney wrote:
> > > On Fri, Mar 11, 2005 at 09:39:10AM +0100, Christian Hammers wrote:
> > > > Wasn't it the one where a privilege granted to "table_name" also
> > > > grants rights on "tableXname", "tableYname" as '_' was considered as
> > > > something like a dot in a RegEx? This should be fairly easy to test.
> > > 
> > > i knew it had something to do with underscores, but wasn't completely
> > > sure.  i'll try this on the patched and unpatched version tonight.
> > 
> > Any results?
> 
> sorry, took off for vac before testing this, and won't have time for
> another week. 
Sean, I tried to apply your patch yesterday evening but it did not compile
against the last released 3.23.49-x.9 - can you check whether you sent me the
complete patch?

> in the meantime, i think christian is looking into whether
> or not the latest mysql vulnerabilities also affect woody, in which case
> it might make sense to just wait and roll them all together since this
> one isn't all that severe and has been open for so long anyways.
I already opened a bug report for this with patch attached. Woody is
vulnerable but the patches were easily backportable.
(See also www.lathspell.de/linux/debian/mysql/woody/)

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#296674; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #53 received at 296674@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 296674@bugs.debian.org
Cc: team@security.debian.org
Subject: finally... (CAN-2004-0957)
Date: Tue, 29 Mar 2005 00:00:42 -0500
the attached patch should do it!  it was constructed from the redhat
mysql patch, as well as a recent mysql changeset that i backported to
3.23.x (christian discovered the bugfix was buggy and didn't close the
hole).

the patch builds, the resulting deb installs, and i can no longer
reproduce the privilege escalation.


	sean

-- 
[CAN-2004-0957+debian_stuff.diff (text/plain, attachment)]

Tags added: pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Tags added: fixed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jefferson Cowart <jeff@cowart.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #66 received at 285276-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 285276-done@bugs.debian.org, 296674-done@bugs.debian.org, 300158-done@bugs.debian.org
Subject: Closing bugs for mysql-3.23 due to the release of a DSA
Date: Wed, 13 Apr 2005 17:22:11 +0200
I'm closing the bug reports that were fixed by the just released DSA.

bye,

-christian-



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:46:11 2014; Machine Name: beach.debian.org
