[mysql-dfsg-5.0] fix for several open vulnerabilities in -proposed

Bug #201009 reported by Jamie Strandboge
256
Affects Status Importance Assigned to Milestone
mysql-dfsg-5.0 (Ubuntu)
Undecided
Unassigned
Dapper
High
Jamie Strandboge
Edgy
High
Jamie Strandboge
Feisty
High
Jamie Strandboge
Gutsy
High
Jamie Strandboge

Bug Description

*** Impact ***
mysql as included in Ubuntu is vulnerable to several CVEs:

CVE-2006-7232 (DoS, small patch)
CVE-2007-2692 (privilege escalation, large patch)
CVE-2007-6303 (privilege escalation)
CVE-2008-0226 (overflow, small patch)
CVE-2008-0227 (DoS, small patch)

CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 are non-intrusive patches and would normally be pushed in a standard security update.

CVE-2007-6303 required an additional adapted patch for http://bugs.mysql.com/bug.php?id=21080 on dapper and edgy.

CVE-2007-2692 is fixed in Debian, but it is incomplete. To properly fix this CVE, relevant code from these upstream commits also had to be adapted and applied:
http://lists.mysql.com/commits/23056 (dapper - feisty)
http://lists.mysql.com/commits/8101 (dapper)

These changes were too extensive to apply without modification, so they were adapted to have minimal, but effective changes.

CVE-2007-6303 and CVE-2007-2692 are both important privilege escalation vulnerabilities and need to be addressed.

*** Development branch ***
These vulnerabilities are fixed in the Hardy. However, MySQL has a lot of changes in their stable 5.0.x series, and backported fixes from a later version to an earlier version can be extensive, as in the case of CVE-2007-6303 and CVE-2007-2692.

Other major distributions either have not fixed CVE-2007-6303 and CVE-2007-2692 or simply performed a MicroVersionUpdate. This option was evaluated several months ago and it was decided that a full MicroVersionUpdate would likely cause too many problems in a stable release, based on upstream release notes from 5.0.22 (dapper) to 5.0.45 (the released version that fixed these vulnerabilities).

*** Regression Testing ***
These patches have undergone testing on i386 and amd64 and do not appear to introduce any regressions. Each patch adds test cases to the internal mysql-test test suite for the issue being fixed, and all expected tests pass (edgy and feisty have a test that fails, but it failed prior to this update). In addition, packages were tested with qa-regression-testing scripts and all pass.

The patches and commits for CVE-2007-6303 and CVE-2007-2692 were verified against upstream changelogs and release notes to not introduce database incompatibilities or regressions on their own.

*** Regression Potential ***
It is believed CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 have little regression potential. CVE-2007-6303 and CVE-2007-2692 have potential for regression as the patches are larger and adapted from various commits. Users of SQL SECURITY INVOKER for stored routines and views with DEFINER values would be the most likely to see regressions.

*** Further Testing ***
Packages have been uploaded to -proposed and an email sent to get more widespread testing. Please report any regressions in the -proposed packages in this bug report.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Hardy not affected.

Changed in mysql-dfsg-5.0:
status: New → Invalid
assignee: nobody → jamie-strandboge
importance: Undecided → High
status: New → In Progress
assignee: nobody → jamie-strandboge
importance: Undecided → High
status: New → In Progress
Changed in mysql-dfsg-5.0:
assignee: nobody → jamie-strandboge
importance: Undecided → High
status: New → In Progress
assignee: nobody → jamie-strandboge
importance: Undecided → High
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
description: updated
Martin Pitt (pitti)
Changed in mysql-dfsg-5.0:
status: Invalid → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

All accepted into -proposed, please test.

Changed in mysql-dfsg-5.0:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Works for me on dapper using qa-regression-testing.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Works for me on edgy with qa-regression-testing

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Works for me on feisty with qa-regression-testing

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Works for me on gutsy with qa-regression-testing

description: updated
Revision history for this message
Peter Matulis (petermatulis) wrote :

Jamie, a Canonical support customer has reported success. Thank you.

Revision history for this message
Nick Barcet (nijaba) wrote :

Works for me in prod (about 20 DB) on Dapper

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in mysql-dfsg-5.0:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers