Date: 06 May 2009
References: AA-2009.0025 ESB-2009.1242 ESB-2009.1281
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2009.0109 AUSCERT Advisory
[Win][UNIX/Linux]
MySQL Community Server: Multiple Vulnerabilities
6 May 2009
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product:            MySQL Community Server 5.0.77 and prior
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Execute Arbitrary Code/Commands
                    Increased Privileges
                    Denial of Service
                    Access Confidential Data
                    Reduced Security
Access:             Remote/Unauthenticated
CVE Names:          CVE-2008-2079
Member content until: Wednesday, June 03 2009
Ref:                AA-2009.0025
OVERVIEW
MySQL Community Server 5.0.81 has been released correcting some
security vulnerabilities.
IMPACT
The new release corrects multiple vulnerabilities, including
execution of arbitrary code and denial of service (crash). See
the details section for specific information.
DETAILS
* Security Enhancement: To enable stricter control over the
location from which user-defined functions can be loaded,
the plugin_dir system variable has been backported from
MySQL 5.1. If the value is non-empty, user-defined
function object files can be loaded only from the
directory named by this variable. If the value is empty,
the behavior that is used prior to the inclusion of
plugin_dir applies: The UDF object files must be located
in a directory that is searched by your system's dynamic
linker. (Bug#37428: http://bugs.mysql.com/37428)
* Important Change: Security Fix: Additional corrections
were made for the symlink-related privilege problem
originally addressed in MySQL 5.0.60. The original fix
did not correctly handle the data directory path name if
it contained symlinked directories in its path, and the
check was made only at table-creation time, not at
table-opening time later.
(Bug#32167: http://bugs.mysql.com/32167, CVE-2008-2079
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079))
See also Bug#39277: http://bugs.mysql.com/39277.
* Security Enhancement: The server consumed excess memory
while parsing statements with hundreds or thousands of
nested boolean conditions (such as OR (OR ... (OR ...
))). This could lead to a server crash or incorrect
statement execution, or cause other client statements to
fail due to lack of memory. The latter result constitutes
a denial of service.
(Bug#38296: http://bugs.mysql.com/38296)
* SET PASSWORD caused a server crash if the account name
was given as CURRENT_USER().
(Bug#41456: http://bugs.mysql.com/41456)
* In debug builds, obsolete debug code could be used to
crash the server.
(Bug#41041: http://bugs.mysql.com/41041)
* The server could crash during a sort-order optimization
of a dependent subquery.
(Bug#39844: http://bugs.mysql.com/39844)
* With binary logging enabled CREATE VIEW was subject to
possible buffer overwrite and a server crash.
(Bug#39040: http://bugs.mysql.com/39040)
* Queries of the form SELECT ... REGEXP BINARY NULL could
lead to a hung or crashed server.
(Bug#39021: http://bugs.mysql.com/39021)
* Statements of the form INSERT ... SELECT .. ON DUPLICATE
KEY UPDATE col_name = DEFAULT could result in a server
crash. (Bug#39002: http://bugs.mysql.com/39002)
* Column names constructed due to wild-card expansion done
inside a stored procedure could point to freed memory if
the expansion was performed after the first call to the
stored procedure.
(Bug#38823: http://bugs.mysql.com/38823)
* Repeated CREATE TABLE ... SELECT statements, where the
created table contained an AUTO_INCREMENT column, could
lead to an assertion failure.
(Bug#38821: http://bugs.mysql.com/38821)
* If delayed insert failed to upgrade the lock, it did not
free the temporary memory storage used to keep newly
constructed BLOB values in memory, resulting in a memory
leak. (Bug#38693: http://bugs.mysql.com/38693)
* A server crash resulted from concurrent execution of a
multiple-table UPDATE that used a NATURAL or USING join
together with FLUSH TABLES WITH READ LOCK or ALTER TABLE
for the table being updated.
(Bug#38691: http://bugs.mysql.com/38691)
* Stored procedures involving substrings could crash the
server on certain platforms due to invalid memory reads.
(Bug#38469: http://bugs.mysql.com/38469)
* A server crash or Valgrind warnings could result when a
stored procedure selected from a view that referenced a
function. (Bug#38291: http://bugs.mysql.com/38291)
* Incorrect handling of aggregate functions when loose
index scan was used caused a server crash.
(Bug#38195: http://bugs.mysql.com/38195)
* Queries containing a subquery with DISTINCT and ORDER BY
could cause a server crash.
(Bug#38191: http://bugs.mysql.com/38191)
* Queries with a HAVING clause could return a spurious row.
(Bug#38072: http://bugs.mysql.com/38072)
* Use of spatial data types in prepared statements could
cause memory leaks or server crashes.
(Bug#37956: http://bugs.mysql.com/37956,
Bug#37671: http://bugs.mysql.com/37671)
* The server crashed if an argument to a stored procedure
was a subquery that returned more than one row.
(Bug#37949: http://bugs.mysql.com/37949)
* When analyzing the possible index use cases, the server
was incorrectly reusing an internal structure, leading to
a server crash. (Bug#37943: http://bugs.mysql.com/37943)
* A SELECT with a NULL NOT IN condition containing a
complex subquery from the same table as in the outer
select caused an assertion failure.
(Bug#37894: http://bugs.mysql.com/37894)
* Nesting of IF() inside of SUM() could cause an extreme
server slowdown. (Bug#37662: http://bugs.mysql.com/37662)
* Updating a view with a subquery in the CHECK option could
cause an assertion failure.
(Bug#37460: http://bugs.mysql.com/37460)
* For a MyISAM table with CHECKSUM = 1 and ROW_FORMAT =
DYNAMIC table options, a data consistency check (maximum
record length) could fail and cause the table to be
marked as corrupted.
(Bug#37310: http://bugs.mysql.com/37310)
* CREATE INDEX could crash with InnoDB plugin 1.0.1.
(Bug#37284: http://bugs.mysql.com/37284)
* If the server failed to expire binary log files at
startup, it could crash.
(Bug#37027: http://bugs.mysql.com/37027)
* A query which had an ORDER BY DESC clause that is
satisfied with a reverse range scan could cause a server
crash for some specific CPU/compiler combinations.
(Bug#36639: http://bugs.mysql.com/36639)
* Dumping information about locks in use by sending a
SIGHUP signal to the server or by invoking the mysqladmin
debug command could lead to a server crash in debug
builds or to undefined behavior in production builds.
(Bug#36579: http://bugs.mysql.com/36579)
* Host name values in SQL statements were not being checked
for '@', which is illegal according to RFC952.
(Bug#35924: http://bugs.mysql.com/35924)
* Freeing of an internal parser stack during parsing of
complex stored programs caused a server crash.
(Bug#35577: http://bugs.mysql.com/35577,
Bug#37269: http://bugs.mysql.com/37269,
Bug#37228: http://bugs.mysql.com/37228)
* Index scans performed with the sort_union() access method
returned wrong results, caused memory to be leaked, and
caused temporary files to be deleted when the limit set
by sort_buffer_size was reached.
(Bug#35477: http://bugs.mysql.com/35477,
Bug#35478: http://bugs.mysql.com/35478)
* EXPLAIN EXTENDED evaluation of aggregate functions that
required a temporary table caused a server crash.
(Bug#34773: http://bugs.mysql.com/34773)
* Queries of the form SELECT ... WHERE string = ANY(...)
failed when the server used a single-byte character set
and the client used a multi-byte character set.
(Bug#34760: http://bugs.mysql.com/34760)
See also Bug#20835: http://bugs.mysql.com/20835.
* Using OPTIMIZE TABLE as the first statement on an InnoDB
table with an AUTO_INCREMENT column could cause a server
crash. (Bug#34286: http://bugs.mysql.com/34286)
* For a stored procedure containing a SELECT * ... RIGHT
JOIN query, execution failed for the second call.
(Bug#33811: http://bugs.mysql.com/33811)
* Cached queries that used 256 or more tables were not
properly cached, so that later query invalidation due to
a TRUNCATE TABLE for one of the tables caused the server
to hang. (Bug#33362: http://bugs.mysql.com/33362)
* For installation on Solaris using pkgadd packages, the
mysql_install_db script was generated in the scripts
directory, but the temporary files used during the
process were left there and not deleted.
(Bug#31052: http://bugs.mysql.com/31052)
* Several MySQL programs could fail if the HOME environment
variable had an empty value.
(Bug#30394: http://bugs.mysql.com/30394)
* On NetWare, mysql_install_db could appear to execute
normally even if it failed to create the initial
databases. (Bug#30129: http://bugs.mysql.com/30129)
* XA transaction rollbacks could result in corrupted
transaction states and a server crash.
(Bug#28323: http://bugs.mysql.com/28323)
* SSL support was not included in some "generic" RPM
packages. (Bug#26760: http://bugs.mysql.com/26760)
* For access to the INFORMATION_SCHEMA.VIEWS table, the
server did not check the SHOW VIEW and SELECT privileges,
leading to inconsistency between output from that table
and the SHOW CREATE VIEW statement.
(Bug#22763: http://bugs.mysql.com/22763)
* The FLUSH PRIVILEGES statement did not produce an error
when it failed. (Bug#21226: http://bugs.mysql.com/21226)
* A race condition between the mysqld.exe server and the
Windows service manager could lead to inability to stop
the server from the service manager.
(Bug#20430: http://bugs.mysql.com/20430)
* mysqld_safe would sometimes fail to remove the pid file
for the old mysql process after a crash. As a result, the
server would fail to start due to a false "A mysqld
process already exists..." error.
(Bug#11122: http://bugs.mysql.com/11122)
MITIGATION
Upgrade to release 5.0.81.
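The two actionable points of this advisory are the upgrade to 5.0.81 and the new plugin_dir setting that restricts where user-defined function object files may be loaded from. The following Python script is an added example, not part of the AusCERT advisory and not MySQL's own code: it parses a "mysqld --version" style string and flags versions older than 5.0.81, and it parses a my.cnf fragment to confirm that plugin_dir is set to a non-empty path in the [mysqld] section (an empty or absent value leaves the pre-plugin_dir behaviour in place, where UDF objects are found via the system's dynamic linker search path). The version strings and my.cnf fragments are constructed sample inputs; the function names and the "Ver X.Y.Z" token the parser looks for are this example's assumptions.

```python
"""Added example: defender-side checks for the MySQL 5.0.81 advisory.

Not part of the AusCERT advisory and not MySQL's own code. All sample
inputs below are constructed, not captured from a real host.
"""
import re

# The release that carries the fixes described in the advisory.
FIXED_VERSION = (5, 0, 81)


def parse_mysql_version(version_output: str):
    """Extract (major, minor, patch) from a 'mysqld --version' style line.

    Assumes the output contains 'Ver X.Y.Z'; suffixes such as '-log' are
    ignored. Returns None if no version token is found.
    """
    m = re.search(r"\bVer\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: tuple) -> bool:
    """True when the version predates the fixed release (tuple compare)."""
    return version < FIXED_VERSION


def parse_my_cnf(text: str) -> dict:
    """Minimal INI-style parser for my.cnf: {section: {key: value}}.

    Strips '#' and ';' comments; a bare key without '=' gets value "".
    Dashes in option names are normalised to underscores, as mysqld does.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # option outside any section: ignore
        key, _, value = line.partition("=")
        sections[current][key.strip().replace("-", "_")] = value.strip()
    return sections


def plugin_dir_restricted(config: dict) -> bool:
    """True when [mysqld] sets plugin_dir to a non-empty path.

    Per the advisory, an empty or missing plugin_dir means UDF object
    files may be loaded from any directory the dynamic linker searches.
    """
    return bool(config.get("mysqld", {}).get("plugin_dir", ""))


def audit(version_output: str, my_cnf_text: str) -> list:
    """Run both checks; an empty list means nothing was flagged."""
    findings = []
    version = parse_mysql_version(version_output)
    if version is None:
        findings.append("could not determine server version")
    elif is_vulnerable_version(version):
        findings.append("server %d.%d.%d predates fixed release 5.0.81" % version)
    if not plugin_dir_restricted(parse_my_cnf(my_cnf_text)):
        findings.append("plugin_dir unset or empty; UDF load path unrestricted")
    return findings


# Constructed sample inputs (hypothetical hosts).
SAMPLE_VERSION_OLD = (
    "/usr/sbin/mysqld  Ver 5.0.77-log for pc-linux-gnu on i686 "
    "(MySQL Community Server (GPL))"
)
SAMPLE_VERSION_FIXED = (
    "/usr/sbin/mysqld  Ver 5.0.81 for pc-linux-gnu on i686 "
    "(MySQL Community Server (GPL))"
)
SAMPLE_CNF_WEAK = """
[mysqld]
datadir=/var/lib/mysql
# plugin_dir not set: UDF .so files found via the linker search path
"""
SAMPLE_CNF_HARDENED = """
[mysqld]
datadir=/var/lib/mysql
plugin_dir=/usr/lib/mysql/plugin   # only this directory may supply UDFs
"""

if __name__ == "__main__":
    for label, ver, cnf in (("weak", SAMPLE_VERSION_OLD, SAMPLE_CNF_WEAK),
                            ("hardened", SAMPLE_VERSION_FIXED, SAMPLE_CNF_HARDENED)):
        print(label, audit(ver, cnf) or ["ok"])
```

On a real host the two inputs would come from `mysqld --version` and the server's my.cnf; the version check is a plain tuple comparison, so 5.1.x releases (which already had plugin_dir) are not flagged.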
REFERENCES
[1] Release Notes
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-81.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFKAOqVNVH5XJJInbgRAvLOAJ9lM+cMzOx+WEIO0PNY/sjam/tHhgCdFvA/
/HZgaT1n10UHySIpbI0tmW4=
=BTYH
-----END PGP SIGNATURE-----