Debian Security Advisory

DSA-212-1 mysql -- multiple problems

Date Reported:

17 Dec 2002

Affected Packages:

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 6373, BugTraq ID 6368, BugTraq ID 6375.
In Mitre's CVE dictionary: CVE-2002-1373, CVE-2002-1374, CVE-2002-1375, CVE-2002-1376.

More information:

While performing an audit of MySQL e-matters found several problems:

signed/unsigned problem in COM_TABLE_DUMP

Two sizes were taken as signed integers from a request and then cast to unsigned integers without checking for negative numbers. Since the resulting numbers where used for a memcpy() operation this could lead to memory corruption.

Password length handling in COM_CHANGE_USER

When re-authenticating to a different user MySQL did not perform all checks that are performed on initial authentication. This created two problems:

it allowed for single-character password brute forcing (as was fixed in February 2000 for initial login) which could be used by a normal user to gain root privileges to the database
it was possible to overflow the password buffer and force the server to execute arbitrary code

read_rows() overflow in libmysqlclient

When processing the rows returned by a SQL server there was no check for overly large rows or terminating NUL characters. This can be used to exploit SQL clients if they connect to a compromised MySQL server.

read_one_row() overflow in libmysqlclient

When processing a row as returned by a SQL server the returned field sizes were not verified. This can be used to exploit SQL clients if they connect to a compromised MySQL server.

For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2 and version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato.

We recommend that you upgrade your mysql packages as soon as possible.

Fixed in:

Debian GNU/Linux 2.2 (oldstable)

Source:: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.3_all.deb
alpha (DEC Alpha):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_alpha.deb
arm (ARM):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_arm.deb
i386 (Intel ia32):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_i386.deb
m68k (Motorola Mc680x0):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_m68k.deb
powerpc (PowerPC):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_powerpc.deb
sparc (Sun SPARC/UltraSPARC):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_sparc.deb

Debian GNU/Linux 3.0 (stable)

Source:: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.2.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.2.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.2_all.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.2_all.deb
alpha (DEC Alpha):: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_alpha.deb
arm (ARM):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_arm.deb
hppa (HP PA RISC):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_hppa.deb
i386 (Intel ia32):: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_i386.deb
ia64 (Intel ia64):: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_ia64.deb
m68k (Motorola Mc680x0):: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_m68k.deb
mipsel (MIPS (Little Endian)):: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_mipsel.deb
powerpc (PowerPC):: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_powerpc.deb
s390 (IBM S/390):: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_s390.deb
sparc (Sun SPARC/UltraSPARC):: http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.2_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.2_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.2_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.