MDVSA-2010:107

Executive Summary

Informations
Name	MDVSA-2010:107	First vendor Publication	2010-05-25
Vendor	Mandriva	Last vendor Modification	2010-05-25
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score	6.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	8	Authentification	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple vulnerabilities has been found and corrected in mysql:

The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST (CVE-2010-1848).

The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet CVE-2010-1849).

The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code (CVE-2010-1850).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:107

CWE : Common Weakness Enumeration

id	Name
CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7210

Oval ID:	oval:org.mitre.oval:def:7210
Title:	Oracle MySQL 'COM_FIELD_LIST' Command Packet Security Bypass Vulnerability
Description:	Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-1848	Version:	3
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008	Product(s):	MySQL Server 5.0 MySQL Server 5.1
Definition Synopsis:
IF MySQL 5.0 is installed AND MySQL Server 5.0 version is less than 5.0.91 OR MySQL 5.1 is installed AND MySQL Server 5.1 version is less than 5.1.47

Definition Id: oval:org.mitre.oval:def:10258

Oval ID:	oval:org.mitre.oval:def:10258
Title:	Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Description:	Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2010-1848	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section mysql is earlier than 0:5.0.77-4.el5_5.3 AND mysql-devel is earlier than 0:5.0.77-4.el5_5.3 AND mysql-test is earlier than 0:5.0.77-4.el5_5.3 AND mysql-bench is earlier than 0:5.0.77-4.el5_5.3 AND mysql-server is earlier than 0:5.0.77-4.el5_5.3

Definition Id: oval:org.mitre.oval:def:7328

Oval ID:	oval:org.mitre.oval:def:7328
Title:	Oracle MySQL Malformed Packet Handling Remote Denial of Service Vulnerability
Description:	The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-1849	Version:	3
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008	Product(s):	MySQL Server 5.0 MySQL Server 5.1
Definition Synopsis:
IF MySQL 5.0 is installed AND MySQL Server 5.0 version is less than 5.0.91 OR MySQL 5.1 is installed AND MySQL Server 5.1 version is less than 5.1.47

Definition Id: oval:org.mitre.oval:def:6693

Oval ID:	oval:org.mitre.oval:def:6693
Title:	Oracle MySQL 'COM_FIELD_LIST' Command Buffer Overflow Vulnerability
Description:	Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-1850	Version:	3
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008	Product(s):	MySQL Server 5.0 MySQL Server 5.1
Definition Synopsis:
IF MySQL 5.0 is installed AND MySQL Server 5.0 version is less than 5.0.91 OR MySQL 5.1 is installed AND MySQL Server 5.1 version is less than 5.1.47

Definition Id: oval:org.mitre.oval:def:10846

Oval ID:	oval:org.mitre.oval:def:10846
Title:	Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Description:	Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2010-1850	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section mysql is earlier than 0:5.0.77-4.el5_5.3 AND mysql-devel is earlier than 0:5.0.77-4.el5_5.3 AND mysql-test is earlier than 0:5.0.77-4.el5_5.3 AND mysql-bench is earlier than 0:5.0.77-4.el5_5.3 AND mysql-server is earlier than 0:5.0.77-4.el5_5.3

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mysql Mysql cpe:/a:mysql:mysql:5.1.9 cpe:/a:mysql:mysql:5.1.8 cpe:/a:mysql:mysql:5.1.7 cpe:/a:mysql:mysql:5.1.6 cpe:/a:mysql:mysql:5.1.5a cpe:/a:mysql:mysql:5.1.5 cpe:/a:mysql:mysql:5.1.46 cpe:/a:mysql:mysql:5.1.45 cpe:/a:mysql:mysql:5.1.44 cpe:/a:mysql:mysql:5.1.43 cpe:/a:mysql:mysql:5.1.42 cpe:/a:mysql:mysql:5.1.41 cpe:/a:mysql:mysql:5.1.40 cpe:/a:mysql:mysql:5.1.4 cpe:/a:mysql:mysql:5.1.39 cpe:/a:mysql:mysql:5.1.38 cpe:/a:mysql:mysql:5.1.37 cpe:/a:mysql:mysql:5.1.36 cpe:/a:mysql:mysql:5.1.35 cpe:/a:mysql:mysql:5.1.34 cpe:/a:mysql:mysql:5.1.33 cpe:/a:mysql:mysql:5.1.32 cpe:/a:mysql:mysql:5.1.31 cpe:/a:mysql:mysql:5.1.30 cpe:/a:mysql:mysql:5.1.3 cpe:/a:mysql:mysql:5.1.23a cpe:/a:mysql:mysql:5.1.23 cpe:/a:mysql:mysql:5.1.2 cpe:/a:mysql:mysql:5.1.17 cpe:/a:mysql:mysql:5.1.16 cpe:/a:mysql:mysql:5.1.15 cpe:/a:mysql:mysql:5.1.14 cpe:/a:mysql:mysql:5.1.13 cpe:/a:mysql:mysql:5.1.12 cpe:/a:mysql:mysql:5.1.11 cpe:/a:mysql:mysql:5.1.10 cpe:/a:mysql:mysql:5.1.1 cpe:/a:mysql:mysql:5.1 cpe:/a:mysql:mysql:5.0.91 cpe:/a:mysql:mysql:5.0.90 cpe:/a:mysql:mysql:5.0.9 cpe:/a:mysql:mysql:5.0.89 cpe:/a:mysql:mysql:5.0.88 cpe:/a:mysql:mysql:5.0.87 cpe:/a:mysql:mysql:5.0.86 cpe:/a:mysql:mysql:5.0.85 cpe:/a:mysql:mysql:5.0.84 cpe:/a:mysql:mysql:5.0.83 cpe:/a:mysql:mysql:5.0.82 cpe:/a:mysql:mysql:5.0.81 cpe:/a:mysql:mysql:5.0.8 cpe:/a:mysql:mysql:5.0.77 cpe:/a:mysql:mysql:5.0.75 cpe:/a:mysql:mysql:5.0.7 cpe:/a:mysql:mysql:5.0.67 cpe:/a:mysql:mysql:5.0.6 cpe:/a:mysql:mysql:5.0.51b cpe:/a:mysql:mysql:5.0.51a cpe:/a:mysql:mysql:5.0.5.0.21 cpe:/a:mysql:mysql:5.0.5 cpe:/a:mysql:mysql:5.0.4a cpe:/a:mysql:mysql:5.0.45b cpe:/a:mysql:mysql:5.0.45 cpe:/a:mysql:mysql:5.0.41 cpe:/a:mysql:mysql:5.0.4 cpe:/a:mysql:mysql:5.0.3a cpe:/a:mysql:mysql:5.0.37 cpe:/a:mysql:mysql:5.0.33 cpe:/a:mysql:mysql:5.0.3:beta cpe:/a:mysql:mysql:5.0.3 cpe:/a:mysql:mysql:5.0.27 cpe:/a:mysql:mysql:5.0.24a cpe:/a:mysql:mysql:5.0.24 cpe:/a:mysql:mysql:5.0.23 cpe:/a:mysql:mysql:5.0.22 cpe:/a:mysql:mysql:5.0.21 cpe:/a:mysql:mysql:5.0.20a cpe:/a:mysql:mysql:5.0.20 cpe:/a:mysql:mysql:5.0.2 cpe:/a:mysql:mysql:5.0.1a cpe:/a:mysql:mysql:5.0.19 cpe:/a:mysql:mysql:5.0.18 cpe:/a:mysql:mysql:5.0.17a cpe:/a:mysql:mysql:5.0.17 cpe:/a:mysql:mysql:5.0.16a cpe:/a:mysql:mysql:5.0.16 cpe:/a:mysql:mysql:5.0.15a cpe:/a:mysql:mysql:5.0.15 cpe:/a:mysql:mysql:5.0.14 cpe:/a:mysql:mysql:5.0.13 cpe:/a:mysql:mysql:5.0.12 cpe:/a:mysql:mysql:5.0.11 cpe:/a:mysql:mysql:5.0.10a cpe:/a:mysql:mysql:5.0.10 cpe:/a:mysql:mysql:5.0.1 cpe:/a:mysql:mysql:5.0.0.0 cpe:/a:mysql:mysql:5.0.0:alpha cpe:/a:mysql:mysql:5.0.0 cpe:/a:mysql:mysql:5.0	99

Open Source Vulnerability Database (OSVDB)

id	Description
64588	MySQL Large Packet Infinite Read DoS
64587	MySQL COM_FIELD_LIST Command Packet Table Name Argument Overflow
64586	MySQL COM_FIELD_LIST Command Packet Authentication Bypass