Executive Summary

Summary
TitleMySQL: Multiple vulnerabilities
Informations
NameGLSA-201201-02First vendor Publication2012-01-05
VendorGentooLast vendor Modification2012-01-05
Severity (Vendor) HighRevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score8.5Attack RangeNetwork
Cvss Impact Score10Attack ComplexityMedium
Cvss Expoit Score6.8AuthentificationRequires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities were found in MySQL, some of which may allow execution of arbitrary code.

Background

MySQL is a popular open-source multi-threaded, multi-user SQL database server.

Description

Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details.

Impact

An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks.

Workaround

There is no known workaround at this time.

Resolution

All MySQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2008-3963 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963
[ 2 ] CVE-2008-4097 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097
[ 3 ] CVE-2008-4098 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098
[ 4 ] CVE-2008-4456 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456
[ 5 ] CVE-2008-7247 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247
[ 6 ] CVE-2009-2446 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446
[ 7 ] CVE-2009-4019 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019
[ 8 ] CVE-2009-4028 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028
[ 9 ] CVE-2009-4484 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484
[ 10 ] CVE-2010-1621 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621
[ 11 ] CVE-2010-1626 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626
[ 12 ] CVE-2010-1848 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848
[ 13 ] CVE-2010-1849 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849
[ 14 ] CVE-2010-1850 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850
[ 15 ] CVE-2010-2008 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008
[ 16 ] CVE-2010-3676 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676
[ 17 ] CVE-2010-3677 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677
[ 18 ] CVE-2010-3678 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678
[ 19 ] CVE-2010-3679 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679
[ 20 ] CVE-2010-3680 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680
[ 21 ] CVE-2010-3681 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681
[ 22 ] CVE-2010-3682 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682
[ 23 ] CVE-2010-3683 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683
[ 24 ] CVE-2010-3833 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833
[ 25 ] CVE-2010-3834 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834
[ 26 ] CVE-2010-3835 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835
[ 27 ] CVE-2010-3836 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836
[ 28 ] CVE-2010-3837 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837
[ 29 ] CVE-2010-3838 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838
[ 30 ] CVE-2010-3839 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839
[ 31 ] CVE-2010-3840 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201201-02.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201201-02.xml

CWE : Common Weakness Enumeration

idName
CWE-399Resource Management Errors
CWE-264Permissions, Privileges, and Access Controls
CWE-59Improper Link Resolution Before File Access ('Link Following')
CWE-134Uncontrolled Format String
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-20Improper Input Validation
CWE-189Numeric Errors
CWE-79Failure to Preserve Web Page Structure ('Cross-site Scripting')
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10521
 
Oval ID: oval:org.mitre.oval:def:10521
Title: MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.
Description: MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.
Family: unix Class: vulnerability
Reference(s): CVE-2008-3963
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10591
 
Oval ID: oval:org.mitre.oval:def:10591
Title: MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Description: MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Family: unix Class: vulnerability
Reference(s): CVE-2008-4098
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11456
 
Oval ID: oval:org.mitre.oval:def:11456
Title: Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
Description: Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
Family: unix Class: vulnerability
Reference(s): CVE-2008-4456
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11857
 
Oval ID: oval:org.mitre.oval:def:11857
Title: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.
Description: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.
Family: unix Class: vulnerability
Reference(s): CVE-2009-2446
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8500
 
Oval ID: oval:org.mitre.oval:def:8500
Title: MySQL 5.0 and 5.1 SELECT Statement DOS Vulnerability
Description: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.
Family: windows Class: vulnerability
Reference(s): CVE-2009-4019
 Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.0
MySQL Server 5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11349
 
Oval ID: oval:org.mitre.oval:def:11349
Title: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.
Description: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4019
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8510
 
Oval ID: oval:org.mitre.oval:def:8510
Title: MySQL 5.0 and 5.1 Clients with OpenSSL Vulnerability Allows Bypassing Server Certificate Checking
Description: The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Family: windows Class: vulnerability
Reference(s): CVE-2009-4028
 Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.0
MySQL Server 5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10940
 
Oval ID: oval:org.mitre.oval:def:10940
Title: The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Description: The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4028
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9490
 
Oval ID: oval:org.mitre.oval:def:9490
Title: MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Description: MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Family: unix Class: vulnerability
Reference(s): CVE-2010-1626
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7210
 
Oval ID: oval:org.mitre.oval:def:7210
Title: Oracle MySQL 'COM_FIELD_LIST' Command Packet Security Bypass Vulnerability
Description: Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Family: windows Class: vulnerability
Reference(s): CVE-2010-1848
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.0
MySQL Server 5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10258
 
Oval ID: oval:org.mitre.oval:def:10258
Title: Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Description: Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Family: unix Class: vulnerability
Reference(s): CVE-2010-1848
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7328
 
Oval ID: oval:org.mitre.oval:def:7328
Title: Oracle MySQL Malformed Packet Handling Remote Denial of Service Vulnerability
Description: The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Family: windows Class: vulnerability
Reference(s): CVE-2010-1849
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.0
MySQL Server 5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6693
 
Oval ID: oval:org.mitre.oval:def:6693
Title: Oracle MySQL 'COM_FIELD_LIST' Command Buffer Overflow Vulnerability
Description: Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Family: windows Class: vulnerability
Reference(s): CVE-2010-1850
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.0
MySQL Server 5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10846
 
Oval ID: oval:org.mitre.oval:def:10846
Title: Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Description: Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Family: unix Class: vulnerability
Reference(s): CVE-2010-1850
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11869
 
Oval ID: oval:org.mitre.oval:def:11869
Title: Oracle MySQL 'ALTER DATABASE' Remote Denial Of Service Vulnerability
Description: MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Family: windows Class: vulnerability
Reference(s): CVE-2010-2008
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
 Product(s): MySQL Server 5.1
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application323

Open Source Vulnerability Database (OSVDB)

idDescription
69395MySQL Derived Table Grouping DoS
69394MySQL Temporary Table Expression Re-Evaluation DoS
69393MySQL GROUP_CONCAT() WITH ROLLUP Modifier DoS
69392MySQL Extreme-Value Functions Mixed Arguments DoS
69391MySQL Stored Procedures / Prepared Statements Nested Joins DoS
69390MySQL Extreme-Value Functions Argument Parsing Type Error DoS
69387MySQL LIKE Predicates Pre-Evaluation DoS
69001MySQL PolyFromWKB() Function WKB Data Remote DoS
69000MySQL HANDLER Interface Unspecified READ Request DoS
67384MySQL LOAD DATA INFILE Statement Incorrect OK Packet DoS
67383MySQL EXPLAIN Statement Item_singlerow_subselect::store Function NULL Derefer...
67381MySQL InnoDB Temporary Table Handling DoS
67380MySQL BINLOG Statement Unspecified Argument DoS
67379MySQL Multiple Operation NULL Argument Handling DoS
67378MySQL Unique SET Column Join DoS
67377MySQL DDL Statement Multiple Configuration Parameter DoS
65851MySQL ALTER DATABASE #mysql50# Prefix Handling DoS
64843MySQL DROP TABLE Command Symlink MyISAM Table Local Data Deletion
64588MySQL Large Packet Infinite Read DoS
64587MySQL COM_FIELD_LIST Command Packet Table Name Argument Overflow
64586MySQL COM_FIELD_LIST Command Packet Authentication Bypass
63903MySQL sql/sql_plugin.cc mysql_uninstall_plugin Function UNINSTALL PLUGIN Comm...
61956yaSSL Certificate Name Handling Overflow
60664MySQL sql/sql_table.cc Data Home Directory Symlink CREATE TABLE Access Restri...
60489MySQL GeomFromWKB() Function First Argument Geometry Value Handling DoS
60488MySQL SELECT Statement WHERE Clause Sub-query DoS
60487MySQL vio_verify_callback() Function Crafted Certificate MiTM Weakness
55734MySQL sql_parse.cc dispatch_command() Function Format String DoS
48710MySQL Command Line Client HTML Output XSS
48021MySQL Empty Bit-String Literal Token SQL Statement DoS
44937MySQL MyISAM Table CREATE TABLE Privilege Check Bypass

Metasploit Database

idDescription
2010-01-25 MySQL yaSSL CertDecoder::GetName Buffer Overflow