Percona Server with XtraDB

Incompletely fixed MySQL bug

Reported by Stewart Smith on 2012-11-27
Affects          Status    Importance  Assigned to  Milestone
MySQL Server     Unknown   Unknown
Percona Server             Critical    Vlad Lesin
  5.1                      Critical    Vlad Lesin
  5.5                      Critical    Vlad Lesin

Bug Description

MySQL bug 13889741 (which is CVE-2012-3163) was, apparently, not completely fixed. A very similar test case finds new, much more dangerous, buffer overflows in acl_get() and check_grant_db_routine(). They allow overwriting the buffer by an arbitrary number of bytes, not just by one as in bug 13889741. One can trivially put a shellcode there.

To exploit this one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

This new vulnerability is registered as CVE-2012-5579.

https://mariadb.atlassian.net/browse/MDEV-3884
http://bugs.mysql.com/bug.php?id=67685

http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26

Related branches

lp:~vlad-lesin/percona-server/5.1-bug1083377-gca
Merged into lp:percona-server/5.1 at revision 506
Stewart Smith (community): Approve on 2012-12-17
Sergei Glushchenko: Approve (g2) on 2012-12-11
lp:~vlad-lesin/percona-server/5.5-bug1083377
Merged into lp:percona-server/5.5 at revision 377
Stewart Smith (community): Approve on 2012-12-17
Sergei Glushchenko: Approve (g2) on 2012-12-11
Vlad Lesin (vlad-lesin) on 2012-11-30
description: updated
Vadim Tkachenko (vadim-tk) wrote:

Stewart,

I would like us to decide what we do with this bug fix.

Stewart Smith (stewart) on 2012-12-18
Changed in percona-server:
assignee: nobody → Vlad Lesin (vlad-lesin)
status: Triaged → Fix Committed
information type: Private Security → Public Security
tags: added: upstream

Upstream fix at

5.1$ bzr log -r 3853.1.1
------------------------------------------------------------
revno: 3853.1.1
author: <email address hidden>
committer: Akhil Mohan <email address hidden>
branch nick: mysql-5.1.67-release
timestamp: Thu 2012-11-29 19:34:47 +0100
message:
  applying patch for BUG15912213

The upstream fix still allows a buffer overflow by two bytes, see bug 1186748.
