Incompletely fixed MySQL bug

Bug #1083377 reported by Stewart Smith on 2012-11-27
Affects Status Importance Assigned to Milestone
MySQL Server
Percona Server
Vlad Lesin

Bug Description

MySQL bug 13889741 (which is CVE-2012-3163) was, apparently, not completely fixed. A very similar test case finds new, much more dangerous, buffer overflows in acl_get() and check_grant_db_routine(). They allow the buffer to be overwritten by an arbitrary number of bytes, not just by one as in bug 13889741. One can trivially put a shellcode there.

To exploit this, one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

This new vulnerability is registered as CVE-2012-5579.

Related branches

Stewart Smith (community): Approve on 2012-12-17
Sergei Glushchenko: Approve (g2) on 2012-12-11
Vlad Lesin (vlad-lesin) on 2012-11-30
description: updated
Vadim Tkachenko (vadim-tk) wrote :


I would like us to decide what we do with this bug fix.

Stewart Smith (stewart) on 2012-12-18
Changed in percona-server:
assignee: nobody → Vlad Lesin (vlad-lesin)
status: Triaged → Fix Committed
information type: Private Security → Public Security
tags: added: upstream

Upstream fix at

5.1$ bzr log -r 3853.1.1
revno: 3853.1.1
author: <email address hidden>
committer: Akhil Mohan <email address hidden>
branch nick: mysql-5.1.67-release
timestamp: Thu 2012-11-29 19:34:47 +0100
  applying patch for BUG15912213

The upstream fix still allows a buffer overflow by two bytes, see bug 1186748.
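
The thread describes overruns of one byte, of an arbitrary number of bytes, and of two bytes. The following is an added example, not code from MySQL, Percona Server or this report: a bounded key builder in C whose length check counts every terminator and rejects oversized input instead of copying it. The key layout (host, user and db, each NUL-terminated, in one fixed buffer), the KEY_CAP size and the build_key name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this example; not a MySQL constant. */
#define KEY_CAP 32

/*
 * Write "host\0user\0db\0" into out[cap] (assumed layout).
 * Returns the number of bytes written, or 0 if the key does not fit.
 * On failure nothing is written: no truncation, no partial key.
 */
static size_t build_key(char *out, size_t cap,
                        const char *host, const char *user, const char *db)
{
    size_t hl = strlen(host), ul = strlen(user), dl = strlen(db);
    size_t room;

    /* Reserve all three terminators first; forgetting one or two of
     * them is what turns a length check into a small overrun. */
    if (cap < 3) return 0;
    room = cap - 3;

    /* Subtract term by term so the arithmetic can never wrap. */
    if (hl > room) return 0;
    room -= hl;
    if (ul > room) return 0;
    room -= ul;
    if (dl > room) return 0;

    memcpy(out, host, hl + 1);  out += hl + 1;
    memcpy(out, user, ul + 1);  out += ul + 1;
    memcpy(out, db, dl + 1);
    return hl + ul + dl + 3;
}

int main(void)
{
    char key[KEY_CAP], db[KEY_CAP];
    size_t n;

    /* Constructed input: 8-byte host, 3-byte user, db name of n bytes. */
    for (n = 17; n <= 20; n++) {
        memset(db, 'a', n);
        db[n] = '\0';
        printf("db length %zu -> %zu bytes written\n", n,
               build_key(key, sizeof key, "10.0.0.1", "app", db));
    }
    return 0;
}
```

With these sample values the largest accepted db name is 18 bytes; 19 and 20 bytes, which would overrun by one and two bytes, are rejected.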
