Percona Server moved to https://jira.percona.com/projects/PS

Incompletely fixed MySQL bug

Bug #1083377 reported by Stewart Smith
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MySQL Server
Unknown
Unknown
Percona Server moved to https://jira.percona.com/projects/PS
Fix Released
Critical
Vlad Lesin
Percona Server moved to https://jira.percona.com/projects/PS 5.5.28-29.3
5.1
Fix Released
Critical
Vlad Lesin
Percona Server moved to https://jira.percona.com/projects/PS 5.1.66-14.2
5.5
Fix Released
Critical
Vlad Lesin
Percona Server moved to https://jira.percona.com/projects/PS 5.5.28-29.3
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

MySQL bug 13889741 (which is CVE-2012-3163) was, apparently, not completely fixed. A very similar test case finds new, much more dangerous, buffer overflows in acl_get() and check_grant_db_routine(). They allow to overwrite the buffer by an arbitrary number of bytes, not just by one as in bug 13889741. One can trivially put a shellcode there.

To exploit this one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

This new vulnerability is registered as CVE-2012-5579

https://mariadb.atlassian.net/browse/MDEV-3884
http://bugs.mysql.com/bug.php?id=67685

http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26

See original description

Related branches

lp:~vlad-lesin/percona-server/5.5-bug1083377
Stewart Smith (community): Approve
Sergei Glushchenko (community): Approve (g2)
Diff: 79 lines (+28/-4)
3 files modified
Percona-Server/mysql-test/r/information_schema.result (+4/-0)
Percona-Server/mysql-test/t/information_schema.test (+8/-0)
Percona-Server/sql/sql_acl.cc (+16/-4)
lp:~vlad-lesin/percona-server/5.1-bug1083377-gca
Stewart Smith (community): Approve
Sergei Glushchenko (community): Approve (g2)
Diff: 77 lines (+28/-4)
3 files modified
Percona-Server/mysql-test/r/information_schema.result (+4/-0)
Percona-Server/mysql-test/t/information_schema.test (+8/-0)
Percona-Server/sql/sql_acl.cc (+16/-4)
Vlad Lesin (vlad-lesin)
description: updated
Revision history for this message
Vadim Tkachenko (vadim-tk) wrote :

Stewart,

I would like we decide what do we do with this bug fix.

Stewart Smith (stewart)
Changed in percona-server:
assignee: nobody → Vlad Lesin (vlad-lesin)
status: Triaged → Fix Committed
Laurynas Biveinis (laurynas-biveinis)
information type: Private Security → Public Security
Laurynas Biveinis (laurynas-biveinis)
tags: added: upstream
Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Upstream fix at

5.1$ bzr log -r 3853.1.1
------------------------------------------------------------
revno: 3853.1.1
author: <email address hidden>
committer: Akhil Mohan <email address hidden>
branch nick: mysql-5.1.67-release
timestamp: Thu 2012-11-29 19:34:47 +0100
message:
  applying patch for BUG15912213

Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

The upstream fix still allows a buffer overflow by two bytes, see bug 1186748.

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-350

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.