Bug 116433 (CVE-2005-2558)

Summary: VUL-0: CVE-2005-2558: mysql stack-based buffer overflow with long function names
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-2558: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: xx.c

Description Thomas Biege 2005-09-12 07:04:09 UTC
Hello Klaus,
maybe we already fixed this... I'm not sure. (Nothing in bugzilla AFAICS)

[-- The following data is signed --]

Hi everybody!

A while ago a MySQL buffer overflow with long function names was
published (CAN-2005-2558). At that time the patch could not be found
in BK, so if anybody is still looking for it:

  http://mysql.bkbits.net:8080/mysql-4.0/cset@428b981bg2iwh3CbGANDaF-W6DbttA

Of course the backslash test is not required on Linux, just the buf
array patch.

HTH and have a nice weekend,

Martin
--
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

[-- End of signed data --]
Comment 1 Thomas Biege 2005-09-12 07:31:00 UTC
Oops, got the wrong maintainer. :)
Comment 2 Marcus Meissner 2005-09-12 08:59:40 UTC
upgrading severity.  
 
if you can do SQL injection attacks you could exploit this to
gain access to the mysql database user.
Comment 3 Thomas Biege 2005-09-12 13:28:15 UTC
Maintenance-Tracker-2236
Comment 4 Petr Ostadal 2005-09-12 16:27:22 UTC
fixed and submitted for sles8, 9.0, 9.1, sles9, 9.2, 9.3 (stable and SL10 isn't
vulnerable)
Comment 5 Thomas Biege 2005-09-13 10:40:37 UTC
/work/src/done/PATCHINFO/patchinfo.mysql
/work/src/done/PATCHINFO/patchinfo-box.mysql
Comment 6 Mads Martin Joergensen 2005-09-14 13:50:05 UTC
Move out of the 10.0 bug queue, since it's not.
Comment 7 Marcus Meissner 2005-09-16 09:33:19 UTC
Created attachment 50148 [details]
xx.c

gcc -shared -o libxx.so -fPIC -O2 xx.c
cp libxx.so /usr/lib   (or lib64)
Comment 8 Marcus Meissner 2005-09-16 09:34:14 UTC
# mysql 
mysql> CREATE FUNCTION 
fooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo RETURNS STRING 
SONAME "libxx.so"; 
ERROR 2013 (HY000): Lost connection to MySQL server during query 
mysql>  
 
this should not happen. it should show a regular SQL error. 
Comment 9 Marcus Meissner 2005-09-16 09:42:34 UTC
this apparently really requires a library providing this overlong 
symbol. 
 
this makes it mostly a "denial of service" problem, except when an attacker 
could inject libraries into the system standard search paths. 
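As an added defender-side illustration (not code from this report, the attachment or MySQL itself), a bounds-checked version of the pattern the bug describes: the UDF name is validated before the "_init" symbol name is built in a fixed stack buffer, so an overlong CREATE FUNCTION name produces an error return instead of the crash seen in comment 8. The limits UDF_NAME_MAX / UDF_SUFFIX_MAX and the helper names are assumptions, not MySQL's constants.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Assumed limits modelled on the pattern this bug describes, not MySQL's real
 * constants: name + "_init"/"_deinit" is built in a fixed-size stack buffer. */
#define UDF_NAME_MAX   34                         /* assumed max name length */
#define UDF_SUFFIX_MAX 16                         /* "_deinit" + NUL, spare */
#define UDF_SYM_BUF    (UDF_NAME_MAX + UDF_SUFFIX_MAX)

/* Reject a CREATE FUNCTION name before anything is copied anywhere. */
bool udf_name_ok(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= UDF_NAME_MAX;
}

/* Build "<name><suffix>" into out without overflowing it. Returns false
 * (and leaves out empty) if the name is rejected or the result would be
 * truncated; the caller then returns an SQL error instead of crashing. */
bool udf_make_symbol(const char *name, const char *suffix,
                     char *out, size_t out_len)
{
    out[0] = '\0';
    if (!udf_name_ok(name))
        return false;
    int r = snprintf(out, out_len, "%s%s", name, suffix);
    if (r < 0 || (size_t)r >= out_len) {          /* snprintf would truncate */
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Helper for checks: does the hardened path produce the expected symbol? */
bool udf_symbol_matches(const char *name, const char *expected)
{
    char sym[UDF_SYM_BUF];                        /* the fixed stack buffer */
    return udf_make_symbol(name, "_init", sym, sizeof sym) &&
           strcmp(sym, expected) == 0;
}

int main(void)
{
    /* constructed inputs: a normal name and an over-long one as in comment 8 */
    const char *long_name = "foooooooooo" "oooooooooo" "oooooooooo" "oooooooooo";
    printf("my_udf    -> %s\n", udf_symbol_matches("my_udf", "my_udf_init") ? "ok" : "rejected");
    printf("long name -> %s\n", udf_symbol_matches(long_name, "") ? "ok" : "rejected");
    return 0;
}
```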
Comment 10 Thomas Biege 2005-09-19 16:25:28 UTC
packages approved
Comment 11 Thomas Biege 2009-10-13 21:20:56 UTC
CVE-2005-2558: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)