Incompletely fixed MySQL bug

Bug #1083377 reported by Stewart Smith
Affects                         Status         Importance   Assigned to   Milestone
MySQL Server                    Unknown        Unknown
Percona Server                  Fix Released   Critical     Vlad Lesin
  (moved to https://jira.percona.com/projects/PS)
  5.1                           Fix Released   Critical     Vlad Lesin
  5.5                           Fix Released   Critical     Vlad Lesin

Bug Description

MySQL bug 13889741 (which is CVE-2012-3163) was, apparently, not completely fixed. A very similar test case finds new, much more dangerous, buffer overflows in acl_get() and check_grant_db_routine(). They allow overwriting the buffer by an arbitrary number of bytes, not just by one as in bug 13889741. One can trivially put shellcode there.

To exploit this, one needs a valid low-privileged user account in the MariaDB (or MySQL) server.

This new vulnerability is registered as CVE-2012-5579.

https://mariadb.atlassian.net/browse/MDEV-3884
http://bugs.mysql.com/bug.php?id=67685

http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/2643.153.26

Tags: upstream

Vlad Lesin (vlad-lesin)
description: updated
Vadim Tkachenko (vadim-tk) wrote :

Stewart,

I would like us to decide what we do with this bug fix.

Stewart Smith (stewart)
Changed in percona-server:
assignee: nobody → Vlad Lesin (vlad-lesin)
status: Triaged → Fix Committed
information type: Private Security → Public Security
tags: added: upstream
Laurynas Biveinis (laurynas-biveinis) wrote :

Upstream fix at

5.1$ bzr log -r 3853.1.1
------------------------------------------------------------
revno: 3853.1.1
author: <email address hidden>
committer: Akhil Mohan <email address hidden>
branch nick: mysql-5.1.67-release
timestamp: Thu 2012-11-29 19:34:47 +0100
message:
  applying patch for BUG15912213

Laurynas Biveinis (laurynas-biveinis) wrote :

The upstream fix still allows a buffer overflow by two bytes, see bug 1186748.

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-350

This report contains Public Security information  
Everyone can see this security related information.
