Debian Bug report logs - #322133
mysql-dfsg: Buffer overflow in user defined functions

Package: mysql-dfsg; Maintainer for mysql-dfsg is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 9 Aug 2005 09:18:02 UTC

Severity: grave

Tags: security

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.mysql.com/?id=12575



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-dfsg: Buffer overflow in user defined functions
Date: Tue, 09 Aug 2005 11:08:13 +0200
Package: mysql-dfsg
Severity: grave
Tags: security
Justification: user security hole

A buffer overflow in user defined functions can be exploited to
possibly execute arbitrary code by users who have been granted the
privilege to create user defined functions. For full details please
see
http://www.appsecinc.com/resources/alerts/mysql/2005-002.html

This issue is already fixed in the 4.1 and 5.0 versions in Debian.
There's no publicly available CVE assignment for this issue yet.

Application Security Inc. has released another advisory about a
relatively obscure way to DoS a MySQL server. It seems as if MySQL
has declined to fix it, but here's the link anyway:
http://www.appsecinc.com/resources/alerts/mysql/2005-003.html

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 322133@bugs.debian.org, dc <control@bugs.debian.org>
Subject: Re: Bug#322133: mysql-dfsg: Buffer overflow in user defined functions
Date: Sun, 14 Aug 2005 20:14:40 +0200
forwarded 322133 http://bugs.mysql.com/?id=12575
thanks

Hello Moritz

On 2005-08-09 Moritz Muehlenhoff wrote:
> A buffer overflow in user defined functions can be exploited to
> possibly execute arbitrary code by users who have been granted the
> privilege to create user defined functions. For full details please
> see http://www.appsecinc.com/resources/alerts/mysql/2005-002.html

Thanks. As I could not find anything in the changelog, I asked mysql
in the bug report mentioned above if they can provide a pointer to the
original bug report or changeset.

bye,

-christian-



Noted your statement that Bug has been forwarded to http://bugs.mysql.com/?id=12575. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #17 received at 322133@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 322133@bugs.debian.org
Subject: Re: mysql-dfsg: Buffer overflow in user defined functions
Date: Fri, 19 Aug 2005 18:02:04 +0200
Hi!

Moritz Muehlenhoff [2005-08-09 11:08 +0200]:
> Package: mysql-dfsg
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A buffer overflow in user defined functions can be exploited to
> possibly execute arbitrary code by users who have been granted the
> privilege to create user defined functions. For full details please
> see
> http://www.appsecinc.com/resources/alerts/mysql/2005-002.html

This is CAN-2005-2558, btw. Christian, can you please add it to the
appropriate position of the changelog?

Thanks, 

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #22 received at 322133@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 322133@bugs.debian.org
Subject: Patch?
Date: Fri, 19 Aug 2005 18:23:08 +0200
Hi Christian!

Moritz Muehlenhoff [2005-08-09 11:08 +0200]:
> A buffer overflow in user defined functions can be exploited to
> possibly execute arbitrary code by users who have been granted the
> privilege to create user defined functions. For full details please
> see
> http://www.appsecinc.com/resources/alerts/mysql/2005-002.html

D'oh, this was pretty hard to find in the bug tracking system and BK.
After some searching, I found 

  http://mysql.bkbits.net:8080/mysql-4.0/cset@1.2118

for 4.0 and

  http://mysql.bkbits.net:8080/mysql-4.1/diffs/sql/sql_udf.cc@1.15.1.15

for 4.1. However, it is labeled as a "compile fix", and so I have some
doubts. Could you find anything about this or did you ask upstream for
a patch URL?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #27 received at 322133@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, 322133@bugs.debian.org
Cc: Christian Hammers <ch@debian.org>, Debian Security Team <team@security.debian.org>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: CAN-2005-2558: arbitrary binary libraries call execution
Date: Fri, 19 Aug 2005 14:20:24 -0400
hi joey, martin,

(christian may already be on vacation, so i'll try and field some
 responses from what i think is going on)

On Fri, Aug 19, 2005 at 05:29:33PM +0200, Martin Schulze wrote:
> do you have any details to this report?
> 
> http://marc.theaimsgroup.com/?l=bugtraq&m=112354450412427&w=2
> 
> I remember that we've fixed such a problem recently, so it may
> not apply to stable/oldstable anymore.

i believe it does apply to both stable and oldstable still, but is
a relatively contained problem at least, as it requires the attacker
already having a certain level of privilege.

On Fri, Aug 19, 2005 at 06:02:04PM +0200, Martin Pitt wrote:
> > A buffer overflow in user defined functions can be exploited to
> > possibly execute arbitrary code by users who have been granted the
> > privilege to create user defined functions. For full details please
> > see
> > http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
> 
> This is CAN-2005-2558, btw. Christian, can you please add it to the
> appropriate position of the changelog?

i added a reference to the 5.0.xbeta and 4.1 svn branches for posterity.
the next upload will contain a mention of it.

On Fri, Aug 19, 2005 at 06:23:08PM +0200, Martin Pitt wrote:
> D'oh, this was pretty hard to find in the bug tracking system and BK.
> After some searching, I found 
> 
>   http://mysql.bkbits.net:8080/mysql-4.0/cset@1.2118
> 
> for 4.0 and
> 
>   http://mysql.bkbits.net:8080/mysql-4.1/diffs/sql/sql_udf.cc@1.15.1.15
> 
> for 4.1. However, it is labeled as a "compile fix", and so I have some
> doubts. Could you find anything about this or did you ask upstream for
> a patch URL?

i'm not sure about the above changeset, afaict that's a windows
specific directory separator related change or something.

christian forwarded the bug information to mysql asking for a
clarification (http://bugs.mysql.com/bug.php?id=12575) and we're
waiting to hear back from them.



	sean


-- 

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #32 received at 322133@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: sean finney <seanius@debian.org>
Cc: Martin Pitt <mpitt@debian.org>, 322133@bugs.debian.org, Christian Hammers <ch@debian.org>, Debian Security Team <team@security.debian.org>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: CAN-2005-2558: arbitrary binary libraries call execution
Date: Sat, 20 Aug 2005 10:30:47 +0200
sean finney wrote:
> hi joey, martin,
> 
> (christian may already be on vacation, so i'll try and field some
>  responses from what i think is going on)

[..]

> christian forwarded the bug information to mysql asking for a
> clarification (http://bugs.mysql.com/bug.php?id=12575) and we're
> waiting to hear back from them.

Ok, thanks.

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #37 received at 322133@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: 322133@bugs.debian.org
Cc: security@debian.org, mpitt@debian.org
Subject: MySQL 4.0 fix for CAN-2005-2558
Date: Fri, 9 Sep 2005 16:21:07 +0200
Hi,
MySQL has now published information about the isolated security
fix:
http://mysql.bkbits.net:8080/mysql-4.0/cset@428b981bg2iwh3CbGANDaF-W6DbttA

Cheers,
       Moritz
-- 
Moritz Muehlenhoff muehlenhoff@univention.de     fon: +49 421 22 232- 0
Development        Linux for Your Business       fax: +49 421 22 232-99
Univention GmbH    http://www.univention.de/   mobil: +49 175 22 999 23



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #42 received at 322133@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 322133@bugs.debian.org, security@debian.org, mpitt@debian.org
Subject: Re: MySQL 4.0 fix for CAN-2005-2558
Date: Fri, 9 Sep 2005 16:59:55 +0200
Hi Moritz!

Moritz Muehlenhoff [2005-09-09 16:21 +0200]:
> Hi,
> MySQL has now published information about the isolated security
> fix:
> http://mysql.bkbits.net:8080/mysql-4.0/cset@428b981bg2iwh3CbGANDaF-W6DbttA

Thanks for the notification. Since we are not affected by the
backslash issue (this seems Windows-specific), I guess the only
changes that are required are the two instances of

-      char buf[MAX_FIELD_NAME+16], *missing;
+      char buf[NAME_LEN+16], *missing;
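Review bot: enlarging buf from MAX_FIELD_NAME+16 to NAME_LEN+16 only removes the overflow if NAME_LEN is a true upper bound on everything written into buf; these two lines show the declaration, not the write, so confirm that the copy or format into buf (and whatever `missing` ends up pointing at) is length-bounded, rather than relying on the larger declaration alone.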

which looks sensible.

Thanks!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
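To make the defect class behind the quoted buffer-size change concrete, here is an added C illustration; it is not MySQL code and not from this thread. A buffer sized from one length limit (standing in for MAX_FIELD_NAME) receives a name that is legal under a larger limit (standing in for NAME_LEN); the hardened formatter bounds the write and reports truncation. The limit values, message text and function names are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two MySQL length limits named in the
 * quoted hunk; the real values are not on this page. All that matters
 * here is that NAME_LEN_DEMO is larger than MAX_FIELD_NAME_DEMO. */
#define MAX_FIELD_NAME_DEMO 32
#define NAME_LEN_DEMO       64
#define SLACK               16   /* mirrors the "+16" in the hunk */

/* Pre-fix shape of the defect (illustration, not MySQL code):
 *
 *     char buf[MAX_FIELD_NAME_DEMO + SLACK], *missing;
 *     sprintf(buf, "no symbol '%s'", name);   // unbounded write
 *
 * A name that is legal under NAME_LEN_DEMO but longer than
 * MAX_FIELD_NAME_DEMO + SLACK - 13 runs past the end of buf.
 * Enlarging buf to NAME_LEN_DEMO + SLACK removes that case only
 * because the format adds fewer than SLACK bytes around the name. */

/* Hardened formatter: the write is bounded by buf_sz, and the caller
 * learns whether the message was truncated (i.e. its size assumptions
 * were wrong) instead of silently overrunning memory.
 * The message text is constructed for this example. */
bool format_missing(const char *name, char *buf, size_t buf_sz)
{
    int n = snprintf(buf, buf_sz, "no symbol '%s'", name);
    return n >= 0 && (size_t)n < buf_sz;
}

/* Builds a name of exactly len characters (constructed input). */
static void make_name(char *dst, size_t len)
{
    memset(dst, 'u', len);
    dst[len] = '\0';
}

/* Does the longest name allowed under NAME_LEN_DEMO fit a buffer of
 * buf_sz bytes?  Returns true only when nothing was truncated. */
bool longest_name_fits(size_t buf_sz)
{
    char name[NAME_LEN_DEMO + 1];
    char buf[NAME_LEN_DEMO + SLACK];     /* storage for the largest case */
    make_name(name, NAME_LEN_DEMO);
    if (buf_sz > sizeof buf)             /* never pass snprintf a size */
        buf_sz = sizeof buf;             /* larger than the real buffer */
    return format_missing(name, buf, buf_sz);
}

int main(void)
{
    printf("buffer sized from NAME_LEN + 16 fits longest name:       %s\n",
           longest_name_fits(NAME_LEN_DEMO + SLACK) ? "yes" : "no");
    printf("buffer sized from MAX_FIELD_NAME + 16 fits longest name: %s\n",
           longest_name_fits(MAX_FIELD_NAME_DEMO + SLACK) ? "yes" : "no");
    return 0;
}
```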

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #47 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Martin Pitt <mpitt@debian.org>, 322133@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, dc <control@bugs.debian.org>
Subject: Re: Bug#322133: mysql-dfsg: Buffer overflow in user defined functions
Date: Thu, 15 Sep 2005 20:58:13 +0200
tags 322133 + pending
thanks

Hello

On 2005-08-19 Martin Pitt wrote:
> This is CAN-2005-2558, btw. Christian, can you please add it to the
> appropriate position of the changelog?

(back from holidays...)
Done. The packages have just been uploaded, I overlooked this bug report
though. Will close it when the packages are accepted. Martin Schulze is
working on the DSA.

bye,

-christian-



Tags added: pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #54 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Debian Security Team <team@security.debian.org>
Cc: 322133@bugs.debian.org
Subject: Re: CAN-2005-2558: buffer overflow in CREATE FUNCTION
Date: Fri, 23 Sep 2005 02:54:22 +0200
Hello Joey & Co

I just want to ping you in this issue to make sure that it has not been
forgotten and to ask if I can be of help somehow.

bye,

-christian-

(quoting parts of my last private mails to you to the BTS)
---------------------------------------------------------------------------
vulnerable versions matrix:
                      woody            sarge          etch            sid
before 5.0.7-beta     N/A              N/A            5.0.12beta-2    5.0.12beta-2
before 4.1.13         N/A              4.1.11a-4 !    4.1.11a-4 !     4.1.14-3
before 4.0.25         N/A              4.0.24-10 !    N/A             N/A
unknown for 3.23?     3.23.49-8.13 !   N/A            N/A             N/A

(4.1.14-3 has FTBFS problems on two powerpc+s390...)

...
As Woody seems to be vulnerable, I prepared a new version, built it with
pbuilder and put it on http://www.lathspell.de/linux/debian/mysql/

The small changes in this Makefile you can see with interdiff can be ignored,
apparently the rules file always does a "./configure" before "make clean"...
---------------------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #59 received at 322133@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 322133@bugs.debian.org
Subject: still not fixed (and UTFC)
Date: Sun, 25 Sep 2005 15:08:50 +0200
> Done. The packages have just been uploaded, I overlooked this bug report
> though. Will close it when the packages are accepted. Martin Schulze is
> working on the DSA.

No, close your bugs in the changelog. This avoids massively wasting my
time and erm, lets us know the bug was fixed.

Which it wasn't btw, the latest version of mysql-dfsg in the archive was
released this May.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #64 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Joey Hess <joeyh@debian.org>, 322133@bugs.debian.org
Subject: Re: Bug#322133: still not fixed (and UTFC)
Date: Mon, 26 Sep 2005 09:40:02 +0200
Hello Joey

(first, what does "UTFC" in the subject mean?)

On 2005-09-25 Joey Hess wrote:
> > Done. The packages have just been uploaded, I overlooked this bug report
> > though. Will close it when the packages are accepted. Martin Schulze is
> > working on the DSA.
> 
> No, close your bugs in the changelog. This avoids massively wasting my
> time and erm, lets us know the bug was fixed.

mysql-dfsg-4.1 was affected and needs a DSA. Would it be correct if I
close the bug in unstable although the bug is still present in stable?
(I could have used "found" tags though).

The CAN-2005-2558 is mentioned in the debian/changelog of the unstable
uploads for reference.


> Which it wasn't btw, the latest version of mysql-dfsg in the archive was
> released this May.

The unstable version has had build problems for the last months on some
archs (and I was on holiday when the bug was found). Currently I try to
get someone from the s390 team to install me the build-deps in a dchroot
but s390@buildd.debian.org seems to go to /dev/null :-(

Anyway I'm working on s390 for unstable/testing and waiting for Martin
Schulze to get the DSA out.

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #69 received at 322133@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Christian Hammers <ch@debian.org>
Cc: 322133@bugs.debian.org
Subject: Re: Bug#322133: still not fixed (and UTFC)
Date: Mon, 26 Sep 2005 10:37:00 +0200
Christian Hammers wrote:
> (first, what does "UTFC" in the subject mean?)

Use The **** Changelog.

> mysql-dfsg-4.1 was affected and needs a DSA. Would it be correct if I
> close the bug in unstable although the bug is still present in stable?
> (I could have used "found" tags though).

Just use Closes: in the changelog. Believe it or not, the BTS will do
the right thing. See recent posts to debian-devel-announce.

> > Which it wasn't btw, the latest version of mysql-dfsg in the archive was
> > released this May.
> 
> The unstable version has had build problems for the last months on some
> archs (and I was on holiday when the bug was found). Currently I try to
> get someone from the s390 team to install me the build-deps in a dchroot
> but s390@buildd.debian.org seems to go to /dev/null :-(
> 
> Anyway I'm working on s390 for unstable/testing and waiting for Martin
> Schulze to get the DSA out.

I do not understand why you are waiting to upload a fix just because
s390 doesn't build. mysql-dfsg 4.0.24-10 is still vulnerable in unstable
for all architectures.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #74 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Joey Hess <joeyh@debian.org>
Cc: 322133@bugs.debian.org
Subject: Re: Bug#322133: still not fixed (and UTFC)
Date: Mon, 26 Sep 2005 10:49:26 +0200
Hello Joey

On 2005-09-26 Joey Hess wrote:
> Just use Closes: in the changelog. Believe it or not, the BTS will do
> the right thing. See recent posts to debian-devel-announce.
Cool...

> I do not understand why you are waiting to upload a fix just because
> s390 doesn't build. mysql-dfsg 4.0.24-10 is still vulnerable in unstable
> for all architectures.

(actually I got it wrong, it was powerpc not s390, but doesn't matter here)

mysql-server (4.0.x) has been superseded by mysql-server-4.1 which provides
an empty transitional package called "mysql-server" since version 4.1.14
which struggles to get into testing though. Since then the mysql-dfsg source
is only used to produce libmysqlclient12 which should be replaced by
libmysqlclient14 soon (release-team asked me to hold that transition back
so I wait until the latest 4.1 is in testing and then ask again).

As the security bugs only affect the server I did not upload a new
4.0.x version to unstable.

As stable does contain 4.0.x I did not add a "not found 4.0.24" to the BTS.
I know that this is not easily visible so if there is any tag combination
that would help you, please let me know.

(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322133 contains a matrix
of all used mysql versions since woody)

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #79 received at 322133@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Christian Hammers <ch@debian.org>, 322133@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#322133: still not fixed (and UTFC)
Date: Mon, 26 Sep 2005 01:56:38 -0700
On Mon, Sep 26, 2005 at 09:40:02AM +0200, Christian Hammers wrote:
> On 2005-09-25 Joey Hess wrote:
> > > Done. The packages have just been uploaded, I overlooked this bug report
> > > though. Will close it when the packages are accepted. Martin Schulze is
> > > working on the DSA.

> > No, close your bugs in the changelog. This avoids massively wasting my
> > time and erm, lets us know the bug was fixed.

> mysql-dfsg-4.1 was affected and needs a DSA. Would it be correct if I
> close the bug in unstable although the bug is still present in stable?
> (I could have used "found" tags though).

> The CAN-2005-2558 is mentioned in the debian/changelog of the unstable
> uploads for reference.

> > Which it wasn't btw, the latest version of mysql-dfsg in the archive was
> > released this May.

> The unstable version has had build problems for the last months on some
> archs (and I was on holiday when the bug was found). Currently I try to
> get someone from the s390 team to install me the build-deps in a dchroot
> but s390@buildd.debian.org seems to go to /dev/null :-(

s390@buildd.debian.org points to the party responsible for maintaining the
autobuilder for that architecture, it does *not* point to someone who
manages user chroots on the porter machine.  For that, please contact
debian-admin.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #84 received at 322133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 322133@bugs.debian.org
Subject: Re: Bug#322133: still not fixed (and UTFC)
Date: Mon, 26 Sep 2005 12:12:49 +0200
Hello Steve

On 2005-09-26 Steve Langasek wrote:
> s390@buildd.debian.org points to the party responsible for maintaining the
> autobuilder for that architecture, it does *not* point to someone who
> manages user chroots on the porter machine.  For that, please contact
> debian-admin.

Ok, contacted them. Would be so much easier if the "apt-get build-dep"
command were available to everybody...

thanks,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#322133; Package mysql-dfsg. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #89 received at 322133@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 322133@bugs.debian.org
Cc: security@debian.org
Subject: Provisional patch for mysql authentication bypass
Date: Wed, 28 Sep 2005 19:49:34 +0200
Hi!

I ported the two patches to 4.0.24:

 http://patches.ubuntu.com/patches/mysql-dfsg.CAN-2004-0627_0628.diff

they look straightforward; however, the exploit on

  http://downloads.securityfocus.com/vulnerabilities/exploits/mysql-auth-bypass.pl

still claims that access is granted. It also claims that with mysql
4.1.12-1 (which has the patch already applied upstream), so I begin to
wonder whether it is actually the exploit that is broken, not the
patch.

Christian, can upstream shed some light on this?

Thanks in advance and have a nice day!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #94 received at 322133-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 322133-done@bugs.debian.org
Subject: Fixed in recent DSA.
Date: Thu, 6 Oct 2005 19:59:09 +0200
This bug has been fixed in DSA 833-2.

bye,

-christian-



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 23:50:00 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:59:10 2014; Machine Name: buxtehude.debian.org
