Bug 757258 - VUL-0: mysql: CVE-2012-2102: Server crash on HANDLER READ NEXT after DELETE
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Michal Hrusecky
QA Contact: Security Team bot
Whiteboard: maint:running:46787:moderate
Reported: 2012-04-16 06:41 UTC by Sebastian Krahmer
Modified: 2012-08-16 14:36 UTC


Attachments
innodb_bug13510739.test (472 bytes, text/plain)
2012-08-16 14:33 UTC, Marcus Meissner

Description Sebastian Krahmer 2012-04-16 06:41:24 UTC
Via oss-sec:

Date: Fri, 13 Apr 2012 19:58:25 +0200
From: Stefan Cornelius
To: oss-security


Hi,

MySQL 5.5.22 fixed a denial of service flaw in the way MySQL processed
HANDLER READ NEXT statements after deleting a record. A remote,
authenticated MySQL user could use this flaw to cause the mysqld
daemon to abort.

References:
[1] http://dev.mysql.com/doc/refman/5.5/en/news-5-5-22.html
[2] https://bugs.gentoo.org/show_bug.cgi?id=411503
[3] http://eromang.zataz.com/2012/04/10/oracle-mysql-innodb-bugs-13510739-and-63775-dos-demo/

Upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/3097.15.15

Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=812431
Comment 1 Sebastian Krahmer 2012-04-16 06:41:51 UTC
CVE-2012-2102
Comment 2 Swamp Workflow Management 2012-04-16 22:00:17 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2012-04-17 07:05:10 UTC
The SWAMPID for this issue is 46787.
This issue was rated as moderate.
Please submit fixed packages until 2012-05-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Sebastian Krahmer 2012-04-17 07:07:03 UTC
We must take care to include bnc#756451 and bnc#677335 from planned
updates if possible.
Comment 7 Marcus Meissner 2012-08-16 14:33:50 UTC
Created attachment 502541
innodb_bug13510739.test

testcase
Comment 8 Marcus Meissner 2012-08-16 14:36:36 UTC
SLE 10 and 11 with mysql 5.0.x appear not to be affected; this kind of syntax is likely not present.
I tried this testcase against sle11sp1, mysql-Max did not crash.

openSUSE 12.1 has a newer 5.5 mysql-community-server version.

openSUSE 11.4 has a 5.1 version, but it's not that important.

So nothing to do.