Debian Bug report logs - #375694
SECURITY: date_format('%d%s', 1) crashes server


Package: mysql-server-4.1; Maintainer for mysql-server-4.1 is (unknown);

Reported by: Maillefer Jean-David <jean-david@kesako.ch>

Date: Tue, 27 Jun 2006 16:33:12 UTC

Severity: grave

Tags: confirmed, security, upstream

Found in version mysql-server-4.1/4.1.11a-4sarge4

Fixed in version mysql-dfsg-4.1/4.1.11a-4sarge5

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.mysql.com/?id=20729



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Maillefer Jean-David <jean-david@kesako.ch>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>.

Your message specified a Severity: in the pseudo-header, but the severity value maybe critical was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.

Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Maillefer Jean-David <jean-david@kesako.ch>
To: submit@bugs.debian.org, ch@debian.org
Subject: Bad date_format() call makes mysql server crash
Date: Tue, 27 Jun 2006 18:30:11 +0200
[Message part 1 (text/plain, inline)]
Package: mysql-server-4.1
Version: 4.1.11a-4sarge4
Severity: maybe critical



The bug can be reproduced by entering the following SQL code:
	select date_format('%Y-%m-%d %H:%i:%s', 1151414896);

It's not correct SQL, and I expect a syntax error, but it should not
crash the server!

I think it can be simplified to:
	select date_format('%d%s', 1);  






I tried on different machines:
Debian GNU/Linux 3.1, mysql-server-4.1 4.1.11a-4sarge4
Linux skool 2.6.11 #2 SMP Thu May 26 20:53:11 CEST 2005 i686 GNU/Linux
Debian GNU/Linux 3.0, mysql-server-4.1 4.1.11a-4sarge4
Linux KSKO04 2.4.23-xfs #1 SMP Mi Dez 10 22:25:03 CET 2003 i686 GNU/Linux



Sample Run:

jdadmin@skool:~$ mysql -u root -h 192.168.1.104
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 219 to server version: 4.1.11-Debian_4sarge2-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: *** NONE ***

ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select;
ERROR 2006 (HY000): MySQL server has gone away
....



logs from syslog:

Jun 27 17:19:25 skool mysqld[28116]: mysqld got signal 11;
Jun 27 17:19:25 skool mysqld[28116]: This could be because you hit a bug. It is also possible that this binary
Jun 27 17:19:25 skool mysqld[28116]: or one of the libraries it was linked against is corrupt, improperly built,
Jun 27 17:19:25 skool mysqld[28116]: or misconfigured. This error can also be caused by malfunctioning hardware.
Jun 27 17:19:25 skool mysqld[28116]: We will try our best to scrape up some info that will hopefully help diagnose
Jun 27 17:19:25 skool mysqld[28116]: the problem, but since we have already crashed, something is definitely wrong
Jun 27 17:19:25 skool mysqld[28116]: and this may fail.
Jun 27 17:19:25 skool mysqld[28116]:
Jun 27 17:19:25 skool mysqld[28116]: key_buffer_size=16777216
Jun 27 17:19:25 skool mysqld[28116]: read_buffer_size=131072
Jun 27 17:19:25 skool mysqld[28116]: max_used_connections=11
Jun 27 17:19:25 skool mysqld[28116]: max_connections=100
Jun 27 17:19:25 skool mysqld[28116]: threads_connected=2
Jun 27 17:19:25 skool mysqld[28116]: It is possible that mysqld could use up to
Jun 27 17:19:25 skool mysqld[28116]: key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 233983 K
Jun 27 17:19:25 skool mysqld[28116]: bytes of memory
Jun 27 17:19:25 skool mysqld[28116]: Hope that's ok; if not, decrease some variables in the equation.
Jun 27 17:19:25 skool mysqld[28116]:
Jun 27 17:19:25 skool mysqld[28116]: thd=0x8bd1158
Jun 27 17:19:25 skool mysqld[28116]: Attempting backtrace. You can use the following information to find out
Jun 27 17:19:25 skool mysqld[28116]: where mysqld died. If you see no messages after this, something went
Jun 27 17:19:25 skool mysqld[28116]: terribly wrong...
Jun 27 17:19:25 skool mysqld[28116]: Cannot determine thread, fp=0xb147fc7c, backtrace may not be correct.
Jun 27 17:19:25 skool mysqld[28116]: Stack range sanity check OK, backtrace follows:
Jun 27 17:19:25 skool mysqld[28116]: 0x818935f
Jun 27 17:19:25 skool mysqld[28116]: 0xffffe420
Jun 27 17:19:25 skool mysqld[28116]: 0x38363032
Jun 27 17:19:25 skool mysqld[28116]: Stack trace seems successful - bottom reached
Jun 27 17:19:25 skool mysqld[28116]: Please read http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html and follow instructions on how to resolve the stack trace. Resolved
Jun 27 17:19:25 skool mysqld[28116]: stack trace is much more helpful in diagnosing the problem, so please do
Jun 27 17:19:25 skool mysqld[28116]: resolve it
Jun 27 17:19:25 skool mysqld[28116]: Trying to get some variables.
Jun 27 17:19:25 skool mysqld[28116]: Some pointers may be invalid and cause the dump to abort...
Jun 27 17:19:25 skool mysqld[28116]: thd->query at 0x8bd45f0 = select date_format('%Y-%m-%d %H:%i:%s', 1151414896)
Jun 27 17:19:25 skool mysqld[28116]: thd->thread_id=19
Jun 27 17:19:25 skool mysqld[28116]: The manual page at http://www.mysql.com/doc/en/Crashing.html contains
Jun 27 17:19:25 skool mysqld[28116]: information that should help you find out what is causing the crash.
Jun 27 17:19:25 skool mysqld_safe[1653]: Number of processes running now: 0
Jun 27 17:19:25 skool mysqld_safe[1655]: restarted
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25  InnoDB: Database was not shut down normally!
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Starting crash recovery.
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Reading tablespace information from the .ibd files...
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Restoring possible half-written data pages from the doublewrite
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: buffer...
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25  InnoDB: Starting log scan based on checkpoint at
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: log sequence number 0 5847414.
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Doing recovery: scanned up to log sequence number 0 5847414
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Last MySQL binlog file position 0 79, file name /var/log/mysql/mysql-bin.000204
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25  InnoDB: Flushing modified pages from the buffer pool...
Jun 27 17:19:26 skool mysqld[1658]: 060627 17:19:26  InnoDB: Started; log sequence number 0 5847414
Jun 27 17:19:26 skool mysqld[1658]: /usr/sbin/mysqld: ready for connections.
Jun 27 17:19:26 skool mysqld[1658]: Version: '4.1.11-Debian_4sarge4-log' socket: '/var/run/mysqld/mysqld.sock'  port: 3306 Source distribution






jean-david maillefer - developer/network manager
http://www.kesako.ch 
_________________
[kesako] - IT & internet solutions 
18, rue des terreaux 
case postale 967 
CH-1001 lausanne 

T: +41-21 3517700 
F: +41-21 3517701 

plan a meeting http://agenda.kesako.ch/meet/jean-david




[Message part 2 (text/html, inline)]
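A defender-side view of the syslog excerpt in the report above, as an added example that is not code from the report, from MySQL or from Debian: it parses the crash banner mysqld writes on a signal, pulls out the statement the dying thread was running, and records the mysqld_safe restart and the InnoDB crash recovery that followed, so a single-query DoS like this one surfaces as one event. The sample lines are a constructed, trimmed copy of the report's log with the mail wrapping undone.

```python
"""Spot query-triggered mysqld crashes in syslog.

Added example, not code from the bug report, MySQL or Debian: it pairs each
"mysqld got signal N" banner with the thd->query / thd->thread_id lines and
backtrace addresses that follow it, and notes whether mysqld_safe restarted
the server and whether the replacement ran InnoDB crash recovery.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line layout as in the report: "Jun 27 17:19:25 skool mysqld[28116]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
SIGNAL_RE = re.compile(r"mysqld got signal (?P<sig>\d+);")
QUERY_RE = re.compile(r"thd->query at 0x[0-9a-fA-F]+ = (?P<query>.*)$")
THREAD_RE = re.compile(r"thd->thread_id=(?P<tid>\d+)")
FRAME_RE = re.compile(r"^0x[0-9a-fA-F]+$")


@dataclass
class CrashEvent:
    timestamp: str
    host: str
    pid: int                        # pid of the mysqld that died
    signal: int
    query: Optional[str] = None     # statement the dying thread was running
    thread_id: Optional[int] = None
    frames: List[str] = field(default_factory=list)  # unresolved backtrace
    restarted: bool = False         # mysqld_safe started a new mysqld
    crash_recovery: bool = False    # the new mysqld ran InnoDB crash recovery


def parse_crash_events(lines) -> List[CrashEvent]:
    """Group each crash banner with its follow-up lines into one event."""
    events: List[CrashEvent] = []
    current: Optional[CrashEvent] = None
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue                        # not a syslog line we understand
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"].strip()
        if prog != "mysqld":
            if prog == "mysqld_safe" and current and msg == "restarted":
                current.restarted = True
            continue
        sig = SIGNAL_RE.search(msg)
        if sig:                             # a new crash banner starts here
            current = CrashEvent(m["ts"], m["host"], pid, int(sig["sig"]))
            events.append(current)
            continue
        if current is None:
            continue
        if pid != current.pid:              # output of the replacement mysqld
            if "Starting crash recovery" in msg:
                current.crash_recovery = True
            continue
        q = QUERY_RE.search(msg)
        if q:
            current.query = q["query"].strip()
        t = THREAD_RE.search(msg)
        if t:
            current.thread_id = int(t["tid"])
        if FRAME_RE.match(msg):             # bare address: a backtrace frame
            current.frames.append(msg)
    return events


def summarize(e: CrashEvent) -> str:
    tail = "restarted by mysqld_safe" if e.restarted else "NOT restarted"
    if e.crash_recovery:
        tail += ", InnoDB crash recovery ran"
    return (f"{e.timestamp} {e.host} mysqld[{e.pid}] got signal {e.signal} "
            f"in thread {e.thread_id} running: {e.query or '<none>'} ({tail})")


# Constructed sample: a trimmed copy of the report's syslog excerpt with the
# line wrapping the mail client introduced undone.
SAMPLE_SYSLOG = """\
Jun 27 17:19:25 skool mysqld[28116]: mysqld got signal 11;
Jun 27 17:19:25 skool mysqld[28116]: thd=0x8bd1158
Jun 27 17:19:25 skool mysqld[28116]: Stack range sanity check OK, backtrace follows:
Jun 27 17:19:25 skool mysqld[28116]: 0x818935f
Jun 27 17:19:25 skool mysqld[28116]: 0xffffe420
Jun 27 17:19:25 skool mysqld[28116]: 0x38363032
Jun 27 17:19:25 skool mysqld[28116]: thd->query at 0x8bd45f0 = select date_format('%Y-%m-%d %H:%i:%s', 1151414896)
Jun 27 17:19:25 skool mysqld[28116]: thd->thread_id=19
Jun 27 17:19:25 skool mysqld_safe[1655]: restarted
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Starting crash recovery.
Jun 27 17:19:26 skool mysqld[1658]: /usr/sbin/mysqld: ready for connections.
"""

if __name__ == "__main__":
    for ev in parse_crash_events(SAMPLE_SYSLOG.splitlines()):
        print(summarize(ev))
```

Feeding the real /var/log/syslog to parse_crash_events and alerting on any event whose query is set is the whole detection; resolving the frames still needs the resolve_stack_dump procedure the banner points to.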

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Maillefer Jean-David <jean-david@kesako.ch>, team@security.debian.org
Cc: 375694@bugs.debian.org, dc <control@bugs.debian.org>
Subject: Re: Bug#375694: Bad date_format() call makes mysql server crash
Date: Tue, 27 Jun 2006 20:58:41 +0200
tags 375694 + confirmed upstream security
forwarded 375694 http://bugs.mysql.com/?id=20729
severity 375694 grave
stop

Hello Jean-David

On 2006-06-27 Maillefer Jean-David wrote:
> The bug can be reproduced by entering the following SQL code:
> 	select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
> 
> It's not correct SQL, and I expect a syntax error, but it should not
> crash the server!
> 
> I think it can be simplified to:
> 	select date_format('%d%s', 1);  

It's indeed a DoS. As far as I tried 3.23 (woody), 4.0 (sarge) and 5.0 (sid)
are not vulnerable, only 4.1 (sarge). I will try the latest 4.1 version
tomorrow, if it is ok, then we might find a corresponding patch.

Did you find this bug yourself and did you already report it to MySQL?
I've just opened MySQL Bug #20729 for this. But we need to know if somebody
else has asked for a CVE security bug id already.

Security Team: As you did not yet release
  #373913: SECURITY: CAN-2006-3081: str_to_date(1,NULL) crashs the server
(btw, why? what stalls it?) we could merge those two date bugs, or?

Oh, of course I tested the new bug with the not yet released and patched
version of mysql 4.1 :) Sadly the patch does not fix both problems.

bye,

-christian-



Tags added: confirmed, upstream, security Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to http://bugs.mysql.com/?id=20729. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `grave' from `normal' Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #23 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: security@mysql.com
Cc: 375694@bugs.debian.org
Subject: Bug #20729 security relevant?
Date: Wed, 5 Jul 2006 09:26:22 +0200
Hello MySQL Security-Team

Bug #20729 seems to be security relevant as it allows crashing the
complete server by any unprivileged user by issuing a simple query.

Whether it crashes or just prints garbage sprintf() output probably
depends on the libc version or the compiled architecture but the bug
is clearly in the mysql code.

As it does crash on Debian we will issue a security advisory for it
(and I would be happy if someone could confirm that my self written
patch does no more harm than cure :))

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Sergei Golubchik <serg@mysql.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #28 received at 375694@bugs.debian.org (full text, mbox):

From: Sergei Golubchik <serg@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: security@mysql.com, 375694@bugs.debian.org
Subject: Re: Bug #20729 security relevant?
Date: Wed, 5 Jul 2006 11:48:38 +0200
Hi!

On Jul 05, Christian Hammers wrote:
> Hello MySQL Security-Team
> 
> Bug #20729 seems to be security relevant as it allows crashing the
> complete server by any unprivileged user by issuing a simple query.

Agree.
 
> Whether it crashes or just prints garbage sprintf() output probably
> depends on the libc version or the compiled architecture but the bug
> is clearly in the mysql code.
> 
> As it does crash on Debian we will issue a security advisory for it

Ok, please tell us CVE number when you'll know it.
(as usual :)

> (and I would be happy if someone could confirm that my self written
> patch does no more harm than cure :))

Done.

Regards,
Sergei

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Kerpen, Germany
       <___/  www.mysql.com



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #33 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org
Cc: Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sun, 9 Jul 2006 19:34:29 +0200
Hello

On 2006-07-04 Christian Hammers wrote:
> It's time for a new MySQL DSA :) On
>   http://www.lathspell.de/linux/debian/mysql/sarge-4.1 
> you find *sarge5.deb packages that fix the following two vulnerabilities:
> 
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
>      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
>      Closes: #373913
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
>      The vulnerability was discovered by Maillefer Jean-David
>      <jean-david@kesako.ch> and filed as MySQL bug #20729.
>      Closes: #375694

What's the current status of this prepared security update? (Moritz?)
The current packages on lathspell.de now contain the official MySQL
patch for the second bug so there's not much work needed anymore.
We just need a CVE id for it.

Both bugs only affect Sarge 4.1, not Woody 3.23, Sarge 4.0 or Sid 5.0.

bye,
 
 -christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #38 received at 375694@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sun, 9 Jul 2006 23:22:15 +0200
Christian Hammers wrote:

Steven, can you please assign a CVE for the second DoS issue?

> On 2006-07-04 Christian Hammers wrote:
> > It's time for a new MySQL DSA :) On
> >   http://www.lathspell.de/linux/debian/mysql/sarge-4.1 
> > you find *sarge5.deb packages that fix the following two vulnerabilities:
> > 
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
> >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> >      Closes: #373913
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> >      The vulnerability was discovered by Maillefer Jean-David
> >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> >      Closes: #375694
> 
> What's the current status of this prepared security update? (Moritz?)

It's currently building.

> The current packages on lathspell.de now contain the official MySQL
> patch for the second bug so there's not much work needed anymore.
> We just need a CVE id for it.

I'm CCing Steven for this one. As it's now kind of public in the MySQL
database, assigning an ID from the Debian CNA pool might lead to clashes.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #43 received at 375694@bugs.debian.org (full text, mbox):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 14:41:23 -0400 (EDT)
On Sun, 9 Jul 2006, Moritz Muehlenhoff wrote:

> > On 2006-07-04 Christian Hammers wrote:
> > > It's time for a new MySQL DSA :) On
> > >   http://www.lathspell.de/linux/debian/mysql/sarge-4.1
> > > you find *sarge5.deb packages that fix the following two vulnerabilities:
> > >
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
> > >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> > >      Closes: #373913
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> > >      The vulnerability was discovered by Maillefer Jean-David
> > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > >      Closes: #375694


Use CVE-2006-3469

Is this "public enough" for me to update the CVE descriptions, or should I
leave them as reserved for now?  CVE will probably be the first point of
widespread disclosure.

- Steve



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #48 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org
Cc: security@mysql.com
Subject: Re: Bug#375694: Bug #20729 security relevant?
Date: Mon, 10 Jul 2006 20:51:48 +0200
Hello

On 2006-07-05 Sergei Golubchik wrote:
> On Jul 05, Christian Hammers wrote:
> > Hello MySQL Security-Team
> > 
> > Bug #20729 seems to be security relevant as it allows crashing the
> > complete server by any unprivileged user by issuing a simple query.
> 
> Agree.
Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough
that we can release our security advisory or do you want us to hold
it back some days (not weeks!) so that you can release a new upstream
version?

> Ok, please tell us CVE number when you'll know it.
> (as usual :)
It's CVE-2006-3469 

> > (and I would be happy if someone could confirm that my self written
> > patch does no more harm than cure :))
> Done.
Thanks, we use your patch now.

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #53 received at 375694@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 21:49:05 +0200
Steven M. Christey wrote:
> > > >    * Fixed DoS bug where any user could crash the server with
> > > >      "SELECT date_format('%d%s', 1);" (CVE-2006-XXXX).
> > > >      The vulnerability was discovered by Maillefer Jean-David
> > > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > > >      Closes: #375694

Package is pushed to the buildds.
 
> Use CVE-2006-3469
> 
> Is this "public enough" for me to update the CVE descriptions, or should I
> leave them as reserved for now?  CVE will probably be the first point of
> widespread disclosure.

Sure, please go ahead.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #58 received at 375694@bugs.debian.org (full text, mbox):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org
Subject: Re: Status of last two, not yet DSA'd, MySQL security bugs
Date: Mon, 10 Jul 2006 16:38:22 -0400 (EDT)
Speaking of MySQL, the following item recently showed up in an FrSIRT
advisory.  In light of last week's vendor-sec discussions, let me know if
there's too much guesswork going on here :)

- Steve

======================================================
Name: CVE-2006-3486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486
Acknowledged: yes changelog
Announced: 20060704
Flaw: buf
Reference: MISC:http://bugs.mysql.com/bug.php?id=20622
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
Reference: FRSIRT:ADV-2006-2700
Reference: URL:http://www.frsirt.com/english/advisories/2006/2700

Off-by-one buffer overflow in the
Instance_options::complete_initialization function in
instance_options.cc in the Instance Manager in MySQL before 5.0.23 and
5.1 before 5.1.12 might allow local users to cause a denial of service
(application crash) via unspecified vectors, which triggers the
overflow when the convert_dirname function is called.


Analysis:
ACKNOWLEDGEMENT: MySQL 5.0.23 changelog " A buffer overwrite error in
Instance Manager caused a crash. (Bug#20622)"

ACCURACY: it is not clear whether this is security-relevant, as the
input vectors are unknown.





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #63 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: "Steven M. Christey" <coley@linus.mitre.org>, 375694@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#375694: Status of last two, not yet DSA'd, MySQL security bugs
Date: Tue, 11 Jul 2006 00:07:18 +0200

On 2006-07-10 Steven M. Christey wrote:
> Speaking of MySQL, the following item recently showed up in an FrSIRT
> advisory.  In light of last week's vendor-sec discussions, let me know if
> there's too much guesswork going on here :)

I asked FrSIRT and MySQL if they have more information, and report back if I
get any news.

Debian: MySQL versions 3.23, 4.0 and 4.1 are not affected as they did not
have the file in question. 5.0 (etch/sid-only) is currently being built
(it's on the ftp servers since days but not yet officially announced nor
linked on the web page, strange releases they made :))

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Lenz Grimmer <lenz@mysql.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #68 received at 375694@bugs.debian.org (full text, mbox):

From: Lenz Grimmer <lenz@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com
Subject: Re: Bug#375694: Bug #20729 security relevant?
Date: Tue, 11 Jul 2006 18:07:39 +0200 (CEST)

Hi Christian,

On Mon, 10 Jul 2006, Christian Hammers wrote:

> Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that
> we can release our security advisory or do you want us to hold it back some
> days (not weeks!) so that you can release a new upstream version?

Sergei is currently on vacation - I am going to find out how we are going to
handle this one. I think a flaw that allows a regular user to crash the
server is important enough to be fixed quickly.

> > Ok, please tell us CVE number when you'll know it.
> > (as usual :)
> It's CVE-2006-3469 

Hmm, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469 tells me 
it's not found?

> > > (and I would be happy if someone could confirm that my self written
> > > patch does no more harm than cure :))
> > Done.
> Thanks, we use your patch now.

Bye,
	LenZ
-- 
 Lenz Grimmer <lenz@mysql.com>
 Community Relations Manager, EMEA
 MySQL GmbH, http://www.mysql.de/, Hamburg, Germany
 Visit the MySQL Forge at http://forge.mysql.com/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #73 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Lenz Grimmer <lenz@mysql.com>
Cc: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com
Subject: Re: Bug#375694: Bug #20729 security relevant?
Date: Tue, 11 Jul 2006 18:26:26 +0200

On 2006-07-11 Lenz Grimmer wrote:
> > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that
> > we can release our security advisory or do you want us to hold it back some
> > days (not weeks!) so that you can release a new upstream version?
> 
> Sergei is currently on vacation - I am going to find out how we are going
> to handle this one. I think a flaw that allows a regular user to crash the
> server is important enough to be fixed quickly.
Ok, our upgrade packages are currently building and will be published
in the next 1-2 days..
 
> > > Ok, please tell us CVE number when you'll know it.
> > > (as usual :)
> > It's CVE-2006-3469 
> 
> Hmm, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469 tells me 
> it's not found?
It has been registered yesterday and the guy from mitre wasn't sure if he
should make it public yet as there is no new mysql upstream version yet.

bye,

-christian-



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #78 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org
Cc: Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Tue, 11 Jul 2006 20:50:20 +0200
[Message part 1 (text/plain, inline)]
Hello Moritz & Co

Attached is a mail from mysql. It seems to be ok for them if we release our
patch even if they need another week to release a new 4.1 version.
(I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess
we gave them time enough, given that the bug was public in the BTS)

So go ahead!

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
Date: Tue, 11 Jul 2006 19:51:56 +0200 (CEST)
From: Lenz Grimmer <lenz@mysql.com>
To: Christian Hammers <ch@debian.org>
Cc: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org,
	security@mysql.com, Chad Miller <cmiller@mysql.com>
Subject: Re: Bug#375694: Bug #20729 security relevant?


Hi Christian,

On Tue, 11 Jul 2006, Christian Hammers wrote:

> On 2006-07-11 Lenz Grimmer wrote:
> > > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that
> > > we can release our security advisory or do you want us to hold it back some
> > > days (not weeks!) so that you can release a new upstream version?
> > 
> > Sergei is currently on vacation - I am going to find out how we are going
> > to handle this one. I think a flaw that allows a regular user to crash the
> > server is important enough to be fixed quickly.
>
> Ok, our upgrade packages are currently building and will be published in the
> next 1-2 days..

OK. Chad (copied on this message - he's a Debian Dev, too, by the way) will
apply the patch to the 4.1 tree ASAP, hopefully today. We are currently looking
into how to schedule a new 4.1 release for that. We may be able to kick off the
builds this week, but it may take up to next week before the release will be
published.

> > > > Ok, please tell us CVE number when you'll know it.
> > > > (as usual :)
> > > It's CVE-2006-3469
> > 
> > Hmm, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469 tells me
> > it's not found?
>
> It has been registered yesterday and the guy from mitre wasn't sure if he
> should make it public yet as there is no new mysql upstream version yet.

Thanks for the info! Chad, please make sure to add that reference to the
bug report, before you assign it to docs. Thanks!

Bye,
	LenZ
-- 
 Lenz Grimmer <lenz@mysql.com>
 Community Relations Manager, EMEA
 MySQL GmbH, http://www.mysql.de/, Hamburg, Germany
 Visit the MySQL Forge at http://forge.mysql.com/

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #83 received at 375694@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Wed, 12 Jul 2006 00:47:01 +0200
Christian Hammers wrote:
> Hello Moritz & Co
> 
> Attached is a mail from mysql. It seems to be ok for them if we release our
> patch even if they need another week to release a new 4.1 version.
> (I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess
> we gave them time enough, given that the bug was public in the BTS)
> 
> So go ahead!

Ok, will push it out once all builds are available:
The arm buildd seems currently down and the m68k ran out of diskspace (only
10 megabytes available), so it might take a few more days.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#375694; Package mysql-server-4.1. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #88 received at 375694@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 373913@bugs.debian.org, team@security.debian.org, Sean Finney <seanius@debian.org>, 375694@bugs.debian.org
Subject: Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs
Date: Sat, 15 Jul 2006 20:05:21 +0200
Hello Moritz

Any news regarding the DSA announcement of these two packages?

bye,

-christian-



Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Maillefer Jean-David <jean-david@kesako.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #93 received at 375694-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 375694-done@bugs.debian.org
Subject: Re: SECURITY: date_format('%d%s', 1) crashs server
Date: Sat, 22 Jul 2006 12:53:03 +0200
I'm closing this bug report as it was not automatically done
by the Debian Security Announcement that fixed it:
http://www.debian.org/security/2006/dsa-1112

bye,

-christian-




Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Maillefer Jean-David <jean-david@kesako.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #98 received at 375694-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 375694-close@bugs.debian.org
Subject: Bug#375694: fixed in mysql-dfsg-4.1 4.1.11a-4sarge5
Date: Wed, 30 Aug 2006 23:05:18 -0700
Source: mysql-dfsg-4.1
Source-Version: 4.1.11a-4sarge5

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
libmysqlclient14_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_i386.deb
mysql-client-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_i386.deb
mysql-common-4.1_4.1.11a-4sarge5_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge5_all.deb
mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
mysql-server-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 16 Jun 2006 09:52:12 +0000
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 mysql-client-4.1
Architecture: source i386 all
Version: 4.1.11a-4sarge5
Distribution: stable-security
Urgency: low
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: 373913 375694
Changes: 
 mysql-dfsg-4.1 (4.1.11a-4sarge5) stable-security; urgency=low
 .
   * Security upload prepared for the security team by the Debian MySQL
     package maintainers.
   * Fixed DoS bug where any user could crash the server with
     "SELECT str_to_date(1, NULL);" (CVE-2006-3081).
     The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
     Closes: #373913
   * Fixed DoS bug where any user could crash the server with
     "SELECT date_format('%d%s', 1);" (CVE-2006-3469).
     The vulnerability was discovered by Maillefer Jean-David
     <jean-david@kesako.ch> and filed as MySQL bug #20729.
     Closes: #375694
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 06:01:22 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:02:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.