Debian Bug report logs - #373913
SECURITY: CAN-2006-3081: str_to_date(1,NULL) crashs the server

Package: mysql-server-4.1; Maintainer for mysql-server-4.1 is (unknown);

Reported by: Christian Hammers <ch@debian.org>

Date: Fri, 16 Jun 2006 09:33:08 UTC

Severity: grave

Tags: security, upstream

Found in version mysql-server-4.1/4.1.11a-4sarge4

Fixed in version mysql-dfsg-4.1/4.1.11a-4sarge5

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: SECURITY: CAN-2006-XXXX: str_to_date(1, NULL) crashs the server
Date: Fri, 16 Jun 2006 11:21:59 +0200
Package: mysql-server
Version: 3.23.49-8.15 4.0.24-10sarge2
Severity: grave
Tags: security

A query like "select str_to_date( 1, NULL );" crashes mysqld.
This affects:
  Woody: mysql-server 		3.23.x
  Sarge: mysql-server 		4.0.x
  Sarge: mysql-server-4.1	4.1.x
Unstable/Testing is already fixed.

We are already preparing a DSA for Woody and Sarge.

References:
  http://seclists.org/lists/fulldisclosure/2006/Jun/0434.html
  http://bugs.mysql.com/bug.php?id=15828

bye,

-christian-




Bug marked as not found in version 3.23.49-8.15. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as not found in version 4.0.24-10sarge2. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `mysql-server' to `mysql-server-4.1'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 4.1.11a-4sarge4. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #18 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 373913@bugs.debian.org
Cc: team@security.debian.org, seanius@debian.org
Subject: Re: MySQL DoS announced on bugtraq: str_to_date(1, NULL) -> crash
Date: Fri, 16 Jun 2006 13:55:22 +0200
Hello

On 2006-06-15 Moritz Muehlenhoff wrote:
> Christian Hammers wrote:
> > Hey
> > 
> > Long time no read :) But I guess the attached bug justifies a DSA, or?
> > I verified that it really crashes the whole server and not only the
> > one connection that is used (see below). The patch from 4.1 and 5.0
> > looks identical and very easy to backport (one line only).
> 
> If the whole mysql server can be crashed a DSA is justified, yes.
> 
> > Should I prepare packages?
> 
> Please do.

I found out that 3.23 (woody) and 4.0 (sarge) are not vulnerable as the
function str_to_date() was introduced in 4.1.1.

Packages for 4.1 (sarge) can be found on
  http://www.lathspell.de/linux/debian/mysql/sarge-4.1/

The patch from the last DSA has been renamed from
64_SECURITY_CVE-2006-XXXX.dpatch to 64_SECURITY_CVE-2006-2753.dpatch.
I hope you don't mind that this is in the .diff.

> > AFAIK there's no CVE number assigned to this, can you register one?
> 
> If an update is public through a place like Bugtraq CVE assignments are
> done through MITRE, it'll probably trickle in very soon. We'll keep you
> posted.

The new CVE-Id should, once it is known, replace the XXXX in 
* the 65_SECURITY_CVE-2006-XXXX.dpatch filename
* the comment in this file (2x) and 
* the debian/changelog file (1x)

I verified that with this patch the function returns NULL and no longer
crashes the server.

bye,

-christian-
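An added illustration, not MySQL's patch nor Debian's dpatch: a simplified C model of a str_to_date()-style function in which the unpatched shape dereferences the format pointer unconditionally, so a SQL NULL second argument takes down the whole process, while the patched shape propagates NULL at the function boundary and returns a NULL result, the behaviour reported above for the fixed package. The result struct, the helper names and the three supported format specifiers are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed minimal SQL-style nullable result (not a MySQL type). */
typedef struct {
    int is_null;          /* 1 = SQL NULL result; other fields are then undefined */
    int year, month, day;
} date_result;

/* Read up to max_digits decimal digits from *p into *out.
 * Returns 1 if at least one digit was read, 0 otherwise. */
static int read_number(const char **p, int max_digits, int *out)
{
    int n = 0, digits = 0;
    while (digits < max_digits && isdigit((unsigned char)**p)) {
        n = n * 10 + (**p - '0');
        (*p)++;
        digits++;
    }
    *out = n;
    return digits > 0;
}

/* Core parser supporting %Y (up to 4 digits), %m, %d and literal characters.
 * It dereferences fmt unconditionally: a caller that hands it a NULL format
 * pointer (the SQL NULL in "str_to_date(1, NULL)") crashes the whole process
 * instead of yielding a NULL row.  This is the unpatched shape; it is never
 * called with NULL below. */
static date_result str_to_date_core(const char *val, const char *fmt)
{
    date_result r = { 1, 0, 0, 0 };   /* default: SQL NULL (parse failure) */
    int y = 0, m = 0, d = 0;

    for (; *fmt != '\0'; fmt++) {
        if (*fmt != '%') {
            if (*val != *fmt)
                return r;             /* literal mismatch -> NULL */
            val++;
            continue;
        }
        fmt++;                        /* look at the specifier letter */
        switch (*fmt) {
        case 'Y': if (!read_number(&val, 4, &y)) return r; break;
        case 'm': if (!read_number(&val, 2, &m)) return r; break;
        case 'd': if (!read_number(&val, 2, &d)) return r; break;
        default:  return r;           /* dangling '%' or unsupported specifier */
        }
    }
    if (*val != '\0' || m < 1 || m > 12 || d < 1 || d > 31)
        return r;                     /* trailing input or invalid date -> NULL */
    r.is_null = 0; r.year = y; r.month = m; r.day = d;
    return r;
}

/* Patched shape: a NULL in either argument propagates to a NULL result before
 * the parser touches any pointer, so "SELECT str_to_date(1, NULL);" returns
 * NULL instead of killing the server. */
date_result str_to_date(const char *val, const char *fmt)
{
    date_result null_result = { 1, 0, 0, 0 };
    if (val == NULL || fmt == NULL)
        return null_result;
    return str_to_date_core(val, fmt);
}

int main(void)
{
    date_result a = str_to_date("1", NULL);                 /* the reported query */
    date_result b = str_to_date("2006-06-16", "%Y-%m-%d");  /* constructed sample */
    printf("str_to_date(1, NULL) -> %s\n", a.is_null ? "NULL" : "date");
    printf("str_to_date('2006-06-16', '%%Y-%%m-%%d') -> %04d-%02d-%02d\n",
           b.year, b.month, b.day);
    return 0;
}
```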



Tags added: upstream Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Filippo Giunchedi <filippo@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #25 received at 373913@bugs.debian.org (full text, mbox):

From: Filippo Giunchedi <filippo@debian.org>
To: Christian Hammers <ch@debian.org>, 373913@bugs.debian.org
Subject: Re: Bug#373913: SECURITY: CAN-2006-XXXX: str_to_date(1, NULL) crashs the server
Date: Sat, 17 Jun 2006 12:42:02 +0200
On Fri, Jun 16, 2006 at 11:21:59AM +0200, Christian Hammers wrote:
> A query like "select str_to_date( 1, NULL );" crashes mysqld.
> This affects:
>   Woody: mysql-server 		3.23.x
>   Sarge: mysql-server 		4.0.x
>   Sarge: mysql-server-4.1	4.1.x
> Unstable/Testing is already fixed.

Is this supposed to work also on the mysql command line client? I cannot reproduce
it. Could you please list the steps to reproduce this bug?

thanks,
filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:

I find television very educating. Every time somebody turns on the
set, I go into the other room and read a book.
-- Groucho Marx

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@lathspell.de>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #30 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@lathspell.de>
To: Filippo Giunchedi <filippo@debian.org>
Cc: Christian Hammers <ch@debian.org>, 373913@bugs.debian.org
Subject: Re: Bug#373913: SECURITY: CAN-2006-XXXX: str_to_date(1, NULL) crashs the server
Date: Sun, 18 Jun 2006 14:20:37 +0200
On Sat, 17 Jun 2006 12:42:02 +0200
Filippo Giunchedi <filippo@debian.org> wrote:

> On Fri, Jun 16, 2006 at 11:21:59AM +0200, Christian Hammers wrote:
> > A query like "select str_to_date( 1, NULL );" crashes mysqld.
> > This affects:
> >   Woody: mysql-server 		3.23.x
> >   Sarge: mysql-server 		4.0.x
> >   Sarge: mysql-server-4.1	4.1.x
> > Unstable/Testing is already fixed.
> 
> is this supposed to work also on mysql command line client? I cannot reproduce
> it. Could you please list the step to reproduce this bug?

Er, "subject says all" :) Just type "SELECT str_to_date(1, NULL);" and watch your connection
go away. If you get "NULL" as result without any error message then your version is safe.

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Filippo Giunchedi <filippo@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #35 received at 373913@bugs.debian.org (full text, mbox):

From: Filippo Giunchedi <filippo@debian.org>
To: Christian Hammers <ch@debian.org>, 373913@bugs.debian.org
Subject: Re: Bug#373913: SECURITY: CAN-2006-XXXX: str_to_date(1, NULL) crashs the server
Date: Sun, 18 Jun 2006 17:17:57 +0200
On Sun, Jun 18, 2006 at 02:20:37PM +0200, Christian Hammers wrote:
> 
> Er, "subject says all" :) Just type "SELECT str_to_date(1, NULL);" and watch your connection
> go away. If you get "NULL" as result without any error message then your version is safe.

ahem, I didn't read your second message to this bug stating that sarge's 4.0
isn't affected, sorry for the noise :)

filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:

Date: Tuesday, 2002/10/22 - 08:09
dselect proves the existence of Satan. It's the worst part of Debian.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #40 received at 373913@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
Cc: Christian Hammers <ch@debian.org>, 373913@bugs.debian.org
Subject: [coley@mitre.org: CVE-2006-3081 assigned to MySQL str_to_date() DoS]
Date: Mon, 19 Jun 2006 19:32:07 +0200
FYI

Regards,

	Joey

----- Forwarded message from "Steven M. Christey" <coley@mitre.org> -----

======================================================
Name: CVE-2006-3081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3081
Reference: BUGTRAQ:20060614 MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/437145
Reference: BUGTRAQ:20060615 Re: MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/437277
Reference: BUGTRAQ:20060615 Re: MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/437571/100/0/threaded
Reference: FULLDISC:20060615 MySQL DoS
Reference: URL:http://seclists.org/lists/fulldisclosure/2006/Jun/0434.html
Reference: CONFIRM:http://bugs.mysql.com/bug.php?id=15828
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373913
Reference: BID:18439
Reference: URL:http://www.securityfocus.com/bid/18439

mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x
before 5.1.6 allows remote authorized users to cause a denial of
service (crash) via a NULL second argument to the str_to_date
function.


----- End forwarded message -----

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/



Changed Bug title. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #47 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org
Cc: Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sun, 9 Jul 2006 19:34:29 +0200
Hello

On 2006-07-04 Christian Hammers wrote:
> It's time for a new MySQL DSA :) On
>   http://www.lathspell.de/linux/debian/mysql/sarge-4.1 
> you find *sarge5.deb packages that fix the following two vulnerabilities:
> 
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
>      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
>      Closes: #373913
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
>      The vulnerability was discovered by Maillefer Jean-David
>      <jean-david@kesako.ch> and filed as MySQL bug #20729.
>      Closes: #375694

What's the current status of this prepared security update? (Moritz?)
The current packages on lathspell.de now contain the official MySQL
patch for the second bug, so there's not much work needed anymore.
We just need a CVE id for it.

Both bugs only affect Sarge 4.1, not Woody 3.23, Sarge 4.0 or Sid 5.0.

bye,
 
 -christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #52 received at 373913@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sun, 9 Jul 2006 23:22:15 +0200
Christian Hammers wrote:

Steven, can you please assign a CVE for the second DoS issue?

> On 2006-07-04 Christian Hammers wrote:
> > It's time for a new MySQL DSA :) On
> >   http://www.lathspell.de/linux/debian/mysql/sarge-4.1 
> > you find *sarge5.deb packages that fix the following two vulnerabilities:
> > 
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
> >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> >      Closes: #373913
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> >      The vulnerability was discovered by Maillefer Jean-David
> >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> >      Closes: #375694
> 
> What's the current status of this prepared security update? (Moritz?)

It's currently building.

> The current packages on lathspell.de now contain the official MySQL
> patch for the second bug, so there's not much work needed anymore.
> We just need a CVE id for it.

I'm CCing Steven for this one. As it's now kind of public in the MySQL
database, assigning an ID from the Debian CNA pool might lead to clashes.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #57 received at 373913@bugs.debian.org (full text, mbox):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 14:41:23 -0400 (EDT)
On Sun, 9 Jul 2006, Moritz Muehlenhoff wrote:

> > On 2006-07-04 Christian Hammers wrote:
> > > It's time for a new MySQL DSA :) On
> > >   http://www.lathspell.de/linux/debian/mysql/sarge-4.1
> > > you find *sarge5.deb packages that fix the following two vulnerabilities:
> > >
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
> > >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> > >      Closes: #373913
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> > >      The vulnerability was discovered by Maillefer Jean-David
> > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > >      Closes: #375694


Use CVE-2006-3469

Is this "public enough" for me to update the CVE descriptions, or should I
leave them as reserved for now?  CVE will probably be the first point of
widespread disclosure.

- Steve



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #62 received at 373913@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 21:49:05 +0200
Steven M. Christey wrote:
> > > >    * Fixed DoS bug where any user could crash the server with
> > > >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> > > >      The vulnerability was discovered by Maillefer Jean-David
> > > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > > >      Closes: #375694

Package is pushed to the buildds.
 
> Use CVE-2006-3469
> 
> Is this "public enough" for me to update the CVE descriptions, or should I
> leave them as reserved for now?  CVE will probably be the first point of
> widespread disclosure.

Sure, please go ahead.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #67 received at 373913@bugs.debian.org (full text, mbox):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 16:38:22 -0400 (EDT)
Speaking of MySQL, the following item recently showed up in an FrSIRT
advisory.  In light of last week's vendor-sec discussions, let me know if
there's too much guesswork going on here :)

- Steve

======================================================
Name: CVE-2006-3486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486
Acknowledged: yes changelog
Announced: 20060704
Flaw: buf
Reference: MISC:http://bugs.mysql.com/bug.php?id=20622
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
Reference: FRSIRT:ADV-2006-2700
Reference: URL:http://www.frsirt.com/english/advisories/2006/2700

Off-by-one buffer overflow in the
Instance_options::complete_initialization function in
instance_options.cc in the Instance Manager in MySQL before 5.0.23 and
5.1 before 5.1.12 might allow local users to cause a denial of service
(application crash) via unspecified vectors, which triggers the
overflow when the convert_dirname function is called.


Analysis:
ACKNOWLEDGEMENT: MySQL 5.0.23 changelog " A buffer overwrite error in
Instance Manager caused a crash. (Bug#20622)"

ACCURACY: it is not clear whether this is security-relevant, as the
input vectors are unknown.





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #72 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: "Steven M. Christey" <coley@linus.mitre.org>, 375694@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#375694: Status of last two, not yet DSA'd, MySQL security bugs
Date: Tue, 11 Jul 2006 00:07:18 +0200

On 2006-07-10 Steven M. Christey wrote:
> Speaking of MySQL, the following item recently showed up in an FrSIRT
> advisory.  In light of last week's vendor-sec discussions, let me know if
> there's too much guesswork going on here :)

I asked FrSIRT and MySQL if they have more information, and will report back if I
get any news.

Debian: MySQL versions 3.23, 4.0 and 4.1 are not affected as they did not
have the file in question. 5.0 (etch/sid-only) is currently being built
(it has been on the ftp servers for days but is not yet officially announced nor
linked on the web page; strange releases they made :))

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #77 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org
Cc: Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Tue, 11 Jul 2006 20:50:20 +0200
Hello Moritz & Co

Attached is a mail from mysql. It seems to be ok for them if we release our
patch even if they need another week to release a new 4.1 version.
(I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess
we gave them time enough, given that the bug was public in the BTS)

So go ahead!

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
Date: Tue, 11 Jul 2006 19:51:56 +0200 (CEST)
From: Lenz Grimmer <lenz@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com, Chad Miller <cmiller@mysql.com>
Subject: Re: Bug#375694: Bug #20729 security relevant?

Hi Christian,

On Tue, 11 Jul 2006, Christian Hammers wrote:

> On 2006-07-11 Lenz Grimmer wrote:
> > > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that
> > > we can release our security advisory or do you want us to hold it back some
> > > days (not weeks!) so that you can release a new upstream version?
> > 
> > Sergei is currently on vacation - I am going to find out how we are going
> > to handle this one. I think a flaw that allows a regular user to crash the
> > server is important enough to be fixed quickly.
>
> Ok, our upgrade packages are currently building and will be published in the
> next 1-2 days..

OK. Chad (copied on this message - he's a Debian Dev, too, by the way) will
apply the patch to the 4.1 tree ASAP, hopefully today. We are currently looking
into how to schedule a new 4.1 release for that. We may be able to kick off the
builds this week, but it may take up to next week before the release will be
published.

> > > > Ok, please tell us CVE number when you'll know it.
> > > > (as usual :)
> > > It's CVE-2006-3469
> > 
> > Hmm, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469 tells me
> > it's not found?
>
> It has been registered yesterday and the guy from mitre wasn't sure if he
> should make it public yet as there is no new mysql upstream version yet.

Thanks for the info! Chad, please make sure to add that reference to the
bug report, before you assign it to docs. Thanks!

Bye,
	LenZ
-- 
 Lenz Grimmer <lenz@mysql.com>
 Community Relations Manager, EMEA
 MySQL GmbH, http://www.mysql.de/, Hamburg, Germany
 Visit the MySQL Forge at http://forge.mysql.com/

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #82 received at 373913@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Wed, 12 Jul 2006 00:47:01 +0200
Christian Hammers wrote:
> Hello Moritz & Co
> 
> Attached is a mail from mysql. It seems to be ok for them if we release our
> patch even if they need another week to release a new 4.1 version.
> (I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess
> we gave them time enough, given that the bug was public in the BTS)
> 
> So go ahead!

Ok, will push it out once all builds are available:
The arm buildd seems to be down at the moment and the m68k ran out of disk space (only
10 megabytes available), so it might take a few more days.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373913; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #87 received at 373913@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 373913@bugs.debian.org, team@security.debian.org, Sean Finney <seanius@debian.org>, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sat, 15 Jul 2006 20:05:21 +0200
Hello Moritz

Any news regarding the DSA announcement of these two packages?

bye,

-christian-



Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #92 received at 373913-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 373913-done@bugs.debian.org
Subject: Fixed in recent DSA
Date: Sat, 22 Jul 2006 12:46:18 +0200
I'm not sure why the Debian Security Announcement did not automatically
close the bug, but it fixed it, so I am closing it now.

http://www.debian.org/security/2006/dsa-1112

bye,

-christian-




Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #97 received at 373913-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 373913-close@bugs.debian.org
Subject: Bug#373913: fixed in mysql-dfsg-4.1 4.1.11a-4sarge5
Date: Wed, 30 Aug 2006 23:05:18 -0700
Source: mysql-dfsg-4.1
Source-Version: 4.1.11a-4sarge5

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
libmysqlclient14_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_i386.deb
mysql-client-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_i386.deb
mysql-common-4.1_4.1.11a-4sarge5_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge5_all.deb
mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
mysql-server-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 373913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 16 Jun 2006 09:52:12 +0000
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 mysql-client-4.1
Architecture: source i386 all
Version: 4.1.11a-4sarge5
Distribution: stable-security
Urgency: low
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: 373913 375694
Changes: 
 mysql-dfsg-4.1 (4.1.11a-4sarge5) stable-security; urgency=low
 .
   * Security upload prepared for the security team by the Debian MySQL
     package maintainers.
   * Fixed DoS bug where any user could crash the server with
     "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
     The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
     Closes: #373913
   * Fixed DoS bug where any user could crash the server with
     "SELECT date_format('%d%s', 1);" (CVE-2006-3469).
     The vulnerability was discovered by Maillefer Jean-David
     <jean-david@kesako.ch> and filed as MySQL bug #20729.
     Closes: #375694
Files: 
 9cd4f7df9345856d06846e0ddb50b9ee 1021 misc optional mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
 e45db0b01b3adaf09500d54090f3a1e1 168442 misc optional mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
 e8115191126dc0b373a53024e5c78733 36520 misc optional mysql-common-4.1_4.1.11a-4sarge5_all.deb
 ab5768abe67a1d21c714a078f2ec86f0 1418036 libs optional libmysqlclient14_4.1.11a-4sarge5_i386.deb
 bf891e68e488947fd28a940a367d722f 5643732 libdevel optional libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
 f5d4a9e5b289d895ba021190f907829f 830724 misc optional mysql-client-4.1_4.1.11a-4sarge5_i386.deb
 b580eeaf7a3806b95a07435acbe48e27 14558034 misc optional mysql-server-4.1_4.1.11a-4sarge5_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 15:52:17 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:05:24 2014; Machine Name: buxtehude.debian.org
