Bug 116433 (CVE-2005-2558) - VUL-0: CVE-2005-2558: mysql stack-based bufferoverflow with long function names
Summary: VUL-0: CVE-2005-2558: mysql stack-based bufferoverflow with long function names
Status: RESOLVED FIXED
Alias: CVE-2005-2558
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
Priority: P5 - None; Severity: Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-2558: CVSS v2 Base Score: 4....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-12 07:04 UTC by Thomas Biege
Modified: 2021-11-21 15:37 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xx.c (263 bytes, text/x-csrc)
2005-09-16 09:33 UTC, Marcus Meissner

Description Thomas Biege 2005-09-12 07:04:09 UTC
Hello Klaus,
maybe we already fixed this... I'm not sure. (Nothing in bugzilla AFAICS)

[-- The following data is signed --]

Hi everybody!

A while ago a MySQL buffer overflow with long function names was
published (CAN-2005-2558). At that time the patch could not be found
in BK, so if anybody is still looking for it:

  http://mysql.bkbits.net:8080/mysql-4.0/cset@428b981bg2iwh3CbGANDaF-W6DbttA

Of course the backslash test is not required on Linux, just the buf
array patch.

HTH and have a nice weekend,

Martin
--
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

[-- End of signed data --]
Comment 1 Thomas Biege 2005-09-12 07:31:00 UTC
Oops, got the wrong maintainer. :)
Comment 2 Marcus Meissner 2005-09-12 08:59:40 UTC
Upgrading severity.

If you can do SQL injection attacks you could exploit this to
gain access to the mysql database user.
Comment 3 Thomas Biege 2005-09-12 13:28:15 UTC
Maintenance-Tracker-2236
Comment 4 Petr Ostadal 2005-09-12 16:27:22 UTC
Fixed and submitted for sles8, 9.0, 9.1, sles9, 9.2, 9.3 (stable and SL10 isn't
vulnerable).
Comment 5 Thomas Biege 2005-09-13 10:40:37 UTC
/work/src/done/PATCHINFO/patchinfo.mysql
/work/src/done/PATCHINFO/patchinfo-box.mysql
Comment 6 Mads Martin Joergensen 2005-09-14 13:50:05 UTC
Move out of the 10.0 bug queue, since it's not.
Comment 7 Marcus Meissner 2005-09-16 09:33:19 UTC
Created attachment 50148
xx.c

gcc -shared -o libxx.so -fPIC -O2 xx.c
cp libxx.so /usr/lib   (or lib64)
Comment 8 Marcus Meissner 2005-09-16 09:34:14 UTC
# mysql
mysql> CREATE FUNCTION
fooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo RETURNS STRING
SONAME "libxx.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>

This should not happen; it should show a regular SQL error.
Comment 9 Marcus Meissner 2005-09-16 09:42:34 UTC
This apparently really requires a library providing this overlong
symbol.

This makes it mostly a "denial of service" problem, except when an attacker
could inject libraries into the system standard search paths.
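As an added illustration of the check the "buf array patch" is about (this is not code from the page, from the xx.c attachment, or from MySQL itself): the user-supplied function name is length-checked before any derived symbol name is built in a fixed-size buffer, so an overlong name produces an error instead of a crash. The size limits and the "_init" suffix convention used here are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Limits are assumptions for this illustration, not MySQL's real constants. */
#define UDF_NAME_MAX   64                   /* longest function name accepted    */
#define UDF_SUFFIX_MAX 7                    /* strlen("_deinit"), longest suffix */
#define SYM_BUF_LEN    (UDF_NAME_MAX + UDF_SUFFIX_MAX + 1)

/* Check the user-supplied name before anything is copied into a fixed-size
 * buffer: failing here becomes a regular SQL error, which is what Comment 8
 * says the server should produce instead of dying. */
bool udf_name_ok(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= UDF_NAME_MAX;
}

/* Build "<name><suffix>" in caller-provided storage. The size check counts the
 * terminator, and an overlong input is refused rather than truncated, because
 * a truncated name would silently resolve a different symbol. */
bool build_udf_symbol(char *out, size_t out_len, const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    if (!udf_name_ok(name) || s > UDF_SUFFIX_MAX || n + s + 1 > out_len)
        return false;
    memcpy(out, name, n);
    memcpy(out + n, suffix, s + 1);         /* s + 1 copies the NUL as well */
    return true;
}

/* Constructed sample input: a name past the limit, like the one in Comment 8. */
const char *constructed_overlong_name(void)
{
    static char name[UDF_NAME_MAX + 17];
    memset(name, 'o', sizeof name - 1);
    name[0] = 'f';
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    char sym[SYM_BUF_LEN];
    const char *names[] = { "foo", constructed_overlong_name() };
    for (int i = 0; i < 2; i++)
        printf("%-6.6s... -> %s\n", names[i],
               build_udf_symbol(sym, sizeof sym, names[i], "_init") ? sym : "rejected");
    return 0;
}
```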
Comment 10 Thomas Biege 2005-09-19 16:25:28 UTC
packages approved
Comment 11 Thomas Biege 2009-10-13 21:20:56 UTC
CVE-2005-2558: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)