Debian Bug report logs - #366162
CVE-2006-0903: Logging bypass


Package: mysql-server-4.1; Maintainer for mysql-server-4.1 is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 28 Mar 2006 13:48:11 UTC

Severity: important

Tags: fixed, security

Found in version mysql-server-4.1/4.1.11a-4sarge2

Done: Adam Conrad <adconrad@0c3.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Christian Hammers <ch@debian.org>:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-0903: Logging bypass
Date: Tue, 28 Mar 2006 15:40:25 +0200
Package: mysql-dfsg-5.0
Version: 5.0.18
Severity: important
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903 describes a
logging bypass vulnerability in MySQL 5.0 in 5.0.18. I couldn't find a direct
reference as to whether this is fixed in 5.0.19. The original advisory (in Russian)
can be found at http://rst.void.ru/papers/advisory39.txt

Could you please check whether this applies to 4.0 and 4.1 from Sarge?

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 359701@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: packagers@lists.mysql.com
Cc: 359701@bugs.debian.org
Subject: Patches for CVE-2006-0903 "logging bypass via NULL char" available?
Date: Tue, 28 Mar 2006 17:04:37 +0200
Hello

I've just become aware of the following security issue:

 CVE-2006-0903
 "MySQL 5.0.18 and earlier allows local users to bypass logging 
 mechanisms via SQL queries that contain the NULL character, 
 which are not properly handled by the mysql_real_query function."
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903

As http://bugs.mysql.com/ is currently not responding, I cannot look up
the corresponding MySQL bug report. Does anybody know if this issue
exists in 4.0 and 4.1 and, if so, if patches exist that could be used
in the distributions' security advisories?

BTW: I cannot find a reference to this in the official Changelog either?

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Lenz Grimmer <lenz@mysql.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #15 received at 359701@bugs.debian.org (full text, mbox):

From: Lenz Grimmer <lenz@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: packagers@lists.mysql.com, 359701@bugs.debian.org
Subject: Re: Patches for CVE-2006-0903 "logging bypass via NULL char" available?
Date: Fri, 31 Mar 2006 19:22:54 +0200 (CEST)

Hi Christian,

thanks for your message!

On Tue, 28 Mar 2006, Christian Hammers wrote:

> I've just become aware of the following security issue:
> 
>  CVE-2006-0903
>  "MySQL 5.0.18 and earlier allows local users to bypass logging 
>  mechanisms via SQL queries that contain the NULL character, 
>  which are not properly handled by the mysql_real_query function."
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903
> 
> As http://bugs.mysql.com/ is currently not responding, I cannot look up
> the corresponding MySQL bug report. Does anybody know if this issue
> exists in 4.0 and 4.1 and, if so, if patches exist that could be used
> in the distributions' security advisories?
> 
> BTW: I cannot find a reference to this in the official Changelog either?

This one never came through to us via security@mysql.com. However, there is
a related bug report here: http://bugs.mysql.com/bug.php?id=17667 - a patch
has been committed and will be included in upcoming releases.

Note that this only affects the general (plaintext) log, not the binary log.

Bye,
	LenZ
-- 
 Lenz Grimmer <lenz@mysql.com>
 Community Relations Manager, EMEA
 MySQL GmbH, http://www.mysql.de/, Hamburg, Germany
 MySQL Users Conference 2006 (Santa Clara CA, 24-27 April) - http://www.mysqluc.com/



Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 359701-close@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: 359701-close@bugs.debian.org
Subject: Bug#359701: fixed in mysql-dfsg-5.0 5.0.19-3
Date: Tue, 04 Apr 2006 04:02:16 -0700
Source: mysql-dfsg-5.0
Source-Version: 5.0.19-3

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.19-3_powerpc.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.19-3_powerpc.deb
libmysqlclient15off_5.0.19-3_powerpc.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.19-3_powerpc.deb
mysql-client-5.0_5.0.19-3_powerpc.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.19-3_powerpc.deb
mysql-client_5.0.19-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.19-3_all.deb
mysql-common_5.0.19-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.19-3_all.deb
mysql-dfsg-5.0_5.0.19-3.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.19-3.diff.gz
mysql-dfsg-5.0_5.0.19-3.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.19-3.dsc
mysql-server-5.0_5.0.19-3_powerpc.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.19-3_powerpc.deb
mysql-server_5.0.19-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.19-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 359701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue,  4 Apr 2006 15:23:18 +1000
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all powerpc
Version: 5.0.19-3
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 libmysqlclient15-dev - mysql database development files
 libmysqlclient15off - mysql database client library
 mysql-client - mysql database client (current version)
 mysql-client-5.0 - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server (current version)
 mysql-server-5.0 - mysql database server binaries
Closes: 353924 357424 359701
Changes: 
 mysql-dfsg-5.0 (5.0.19-3) unstable; urgency=high
 .
   [ Christian Hammers ]
   * Fixed libmysqlclient15.README.Debian regarding package name changes
     (thanks to Leppo).
   * Moved libheap.a etc. back to /usr/lib/mysql/ as their names are just
     too generic. Closes: #353924
   [ Sean Finney ]
   * updated danish debconf translation, thanks to Claus Hindsgaul
     (closes: #357424).
   [ Adam Conrad ]
   * Send stderr from 'find' in preinst to /dev/null to tidy up chatter.
   * Backport patch for CVE-2006-0903 from the upcoming release to resolve
     a log bypass vulnerability when using non-binary logs (closes: #359701)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #25 received at 359701@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 359701@bugs.debian.org, team@security.debian.org
Subject: Re: Patches for CVE-2006-0903 "logging bypass via NULL char" available?
Date: Thu, 6 Apr 2006 23:59:48 +0200
Hello

[Cc to the BTS]

On 2006-04-05 Moritz Muehlenhoff wrote:
...
> Thanks, in that case I'll prepare a DSA. Could you please verify whether
> 4.0 and 3.23 are affected as well?

- All versions including 3.23 are affected.
- The patch provided by MySQL does not fix the problem that the
  query shows up only up to the NUL char in the logfile, but at least it
  gives no result and instead returns with the error that the query is
  malformed, which should be sufficient.
- The patch cannot be applied to 3.23 and I could not figure out how
  to exit cleanly after taking a look at the code (but I'm not used to C).
  I asked security@mysql.com and in their bug report for assistance.

bye,

-christian-
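
The behaviour discussed in this thread, as an added example that is not part of the bug log and is not MySQL's code: a query handed over with an explicit length is written to a plaintext log through a C-string call, so the entry stops at the first NUL byte. All function names and the sample query are constructed for illustration; `query_has_nul` only mirrors the outcome reported above (the query is refused as malformed), not the actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Naive logger: treats a length-delimited query as a C string, so the
   logged text stops at the first NUL byte. Returns characters logged. */
size_t log_naive(char *out, size_t outsz, const char *q, size_t qlen)
{
    (void)qlen;                         /* length ignored: the defect */
    snprintf(out, outsz, "%s", q);
    return strlen(out);
}

/* Length-aware logger: walks all qlen bytes and escapes everything that
   is not printable ASCII (NUL becomes \x00), so nothing after the NUL is
   hidden. Returns characters written, excluding the terminator. */
size_t log_escaped(char *out, size_t outsz, const char *q, size_t qlen)
{
    size_t o = 0;
    for (size_t i = 0; i < qlen; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= outsz) break;  /* keep room for terminator */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) break;  /* "\xNN" plus terminator */
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
        }
    }
    if (outsz) out[o] = '\0';
    return o;
}

/* Hypothetical server-side check: report an embedded NUL so the caller
   can refuse the query instead of executing it. */
int query_has_nul(const char *q, size_t qlen)
{
    return memchr(q, 0, qlen) != NULL;
}

int main(void)
{
    /* Constructed sample: 8 visible bytes, a NUL, then 8 more bytes. */
    static const char q[] = "SELECT 1\0SELECT 2";
    size_t qlen = sizeof q - 1;
    char a[64], b[64];
    log_naive(a, sizeof a, q, qlen);
    log_escaped(b, sizeof b, q, qlen);
    printf("naive:   %s\nescaped: %s\nreject:  %d\n", a, b, query_has_nul(q, qlen));
    return 0;
}
```

Comparing the two log lines shows why a log reviewer sees only the text before the NUL in the naive case, and why logging by length with escaping keeps the full statement visible.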



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #30 received at 359701@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: security@mysql.com
Cc: 359701@bugs.debian.org
Subject: Debian needs patch for CVE-2006-0903 for MySQL 3.23
Date: Thu, 6 Apr 2006 23:55:08 +0200
Hello @MySQL

As written in http://bugs.mysql.com/bug.php?id=17667, we had shipped a
3.23.49 version of MySQL in our Debian woody release. It's the second-to-last
one, but we would still like to provide security support for it.

Sadly, the patch that the bug tracking system offers for 4.0, 4.1 and 5.0 does
not apply to 3.23. Could you help us here? If so, I would suggest Cc'ing
packages@lists.mysql.com, as others surely are in the same situation.

thanks,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#359701; Package mysql-dfsg-5.0. Full text and rfc822 format available.

Acknowledgement sent to Sergei Golubchik <serg@mysql.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #35 received at 359701@bugs.debian.org (full text, mbox):

From: Sergei Golubchik <serg@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: security@mysql.com, 359701@bugs.debian.org, packages@lists.mysql.com
Subject: Re: Debian needs patch for CVE-2006-0903 for MySQL 3.23
Date: Fri, 7 Apr 2006 08:26:02 +0200
Hi!

On Apr 06, Christian Hammers wrote:
> Hello @MySQL
> 
> As written in http://bugs.mysql.com/bug.php?id=17667, we had shipped a
> 3.23.49 version of MySQL in our Debian woody release. It's the second-to-last
> one, but we would still like to provide security support for it.
> 
> Sadly, the patch that the bug tracking system offers for 4.0, 4.1 and 5.0 does
> not apply to 3.23. Could you help us here? If so, I would suggest Cc'ing
> packages@lists.mysql.com, as others surely are in the same situation.

Check the second patch. The first does not fix the problem completely
anyway.
(though you may want to keep in mind that until bug status is
'Patch Approved', 'Documenting', or 'Closed' the patch you see is not
necessarily final)
 
Regards,
Sergei

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Kerpen, Germany
       <___/  www.mysql.com



Bug 359701 cloned as bugs 366162, 366163. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `mysql-dfsg-5.0' to `mysql-server-4.1'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 4.1.11a-4sarge2. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 12:17:50 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:14:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.