Debian Bug report logs - #300158
SECURITY bugs found by Stefano Di Paola (CAN-2005-0709,0710,0711)

Package: mysql; Maintainer for mysql is (unknown);

Reported by: Christian Hammers <ch@debian.org>

Date: Fri, 18 Mar 2005 02:18:01 UTC

Severity: critical

Tags: fixed, patch, security, woody

Found in version 3.23.49-8.9

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#300158; Package mysql.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: SECURITY bugs found by Stefano Di Paola (CAN-2005-0709,0710,0711)
Date: Fri, 18 Mar 2005 03:03:57 +0100
[Message part 1 (text/plain, inline)]
Package: mysql
Version: 3.23.49-8.9
Severity: critical
Tags: security patch woody

Hello

[in copy to team@security.debian.org]

After the packages in unstable and testing were fixed by uploading
4.0.24-1 and 4.1.10a-1 I took a look at the Woody packages and found
them vulnerable, too.

Sergei Golubchik <serg@mysql.com> provided a reference to the 4.0 patch
http://mysql.bkbits.net:8080/mysql-4.0/cset@42275cb1vIySS0vWwwUFE48ltGkmNA
which, with some minor modifications, was applicable to the 3.23 source
tree.

I afterwards verified the three proof of concept examples given by
Stefano and they did at least not work any longer as they did with the
unpatched version.
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0082.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0083.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0084.html

You can find a proposed upload for stable-security on
http://www.lathspell.de/linux/debian/mysql/woody/

To verify the patches the directory single-patches/ contains the
original patch split up into 11 individual files, all in their
original version and after I adjusted the patch.

The concatenation of the p*_new.diff snippets together with some
comments and a diff to generate the new changelog entry is in
the directory what-i-applied/. The complete and adjusted patch
was copied to debian/patches/SECURITY__CAN-2005-0709....diff
as reference after I applied it.

For the patches themselves I did some minor checks i.e. looked if there are
occurrences of O_TRUNC flags or my_create() functions that were not replaced.
But I would sleep better if somebody else would look over it again as I'm
getting tired :)

hope that helps,

-christian-


P.S.: Security Team, Woody's mysql has also another, although very
      minor security problem for which Sean Finney recently backported
      a patch, you might want to take a look at bug #296674 [CAN-2004-0957]

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.10-9-amd64-k8
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
[SECURITY__CAN-2005-0709,0710,0711.diff (text/plain, attachment)]

Tags added: pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Tags added: fixed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org.

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.

Message #14 received at 300158-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 285276-done@bugs.debian.org, 296674-done@bugs.debian.org, 300158-done@bugs.debian.org
Subject: Closing bugs for mysql-3.23 due to the release of an DSA
Date: Wed, 13 Apr 2005 17:22:11 +0200
[Message part 1 (text/plain, inline)]
I'm closing the bug reports that were fixed by the just released DSA.

bye,

-christian-
[Message part 2 (application/pgp-signature, inline)]


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:16:53 2014; Machine Name: beach.debian.org