Integrate patch from MariaDB MDEV-3915 into Percona Server

Bug #1172090 reported by Jaime Sicam
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Percona Server moved to https://jira.percona.com/projects/PS | Fix Released | High | Sergei Glushchenko | |
| 5.1 | Fix Released | High | Sergei Glushchenko | |
| 5.5 | Fix Released | High | Sergei Glushchenko | |
| 5.6 | Fix Released | High | Sergei Glushchenko | |

Bug Description

Percona Server is affected by this bug, CVE-2012-5627, where if the intruder has an unprivileged MySQL account, he can do massive brute force login attacks on other user accounts. Testing this vulnerability is described further here: http://seclists.org/fulldisclosure/2012/Dec/58

MariaDB has provided a solution which has been available in 5.5.29 - https://mariadb.atlassian.net/browse/MDEV-3915
It may be best to implement MariaDB's solution or a custom solution to solve this bug on Percona Server.

Laurynas Biveinis (laurynas-biveinis) wrote :
tags: added: security
information type: Private Security → Public Security
Laurynas Biveinis (laurynas-biveinis) wrote :

Upstream fix revisions in 5.6:

5.6$ bzr log -n0 -m 16241992
------------------------------------------------------------
revno: 5104
committer: Georgi Kodinov <email address hidden>
branch nick: mysql-5.6
timestamp: Fri 2013-05-10 11:19:05 +0300
message:
  Addendum 2 to BUG#16241992
  Re-introduced the allocation handling calls around change_user to fix valgrind failures.
------------------------------------------------------------
revno: 5103
committer: Georgi Kodinov <email address hidden>
branch nick: mysql-5.6
timestamp: Fri 2013-05-10 10:25:32 +0300
message:
  Addendum 2 to BUG#16241992
  Re-added missing free() calls after a successful change user.
------------------------------------------------------------
revno: 5101
committer: Georgi Kodinov <email address hidden>
branch nick: B16241992-5.6
timestamp: Thu 2013-05-09 12:07:07 +0300
message:
  Bug #16241992

  A COM_CHANGE_USER failure costs very little and
  is not a subject to the same accounting a login failure
  is. This creates an unfair advantage over the ordinary
  login process.
  Fixed by making COM_CHANGE_USER failing to login
  poison the connection (using an unique error number)
  and cause disptatch_command() to exit with an error
   instead of reverting back to the previous credentials.
  Test cases updated.
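
The behaviour change described in the commit message for revno 5101, as an added toy model in C++ (not MySQL or Percona source; `Connection`, `dispatch`, `check_credentials` and the sample accounts are hypothetical). It compares the old handling, where a failed change-user request reverts to the previous credentials, with the fixed handling, where the failure poisons the connection and the dispatcher exits with an error.

```cpp
// Added illustration: toy model of the fix, not MySQL/Percona source.
// Every name and credential below is hypothetical / constructed.
#include <string>
#include <vector>

enum class Cmd { Query, ChangeUser };
struct Packet { Cmd cmd; std::string user, password; };
struct Connection { std::string user; bool poisoned; int failed_auth; };

// Stand-in for the real authentication check (constructed account).
static bool check_credentials(const std::string& u, const std::string& p) {
    return u == "admin" && p == "correct-horse";
}

// Handle one command. Returns true when the connection must be closed.
static bool dispatch(Connection& c, const Packet& p, bool fixed) {
    if (p.cmd != Cmd::ChangeUser) return false;
    if (check_credentials(p.user, p.password)) { c.user = p.user; return false; }
    ++c.failed_auth;
    if (!fixed) return false;  // old behaviour: revert to previous credentials
    c.poisoned = true;         // fixed behaviour: failure poisons the connection
    return true;               // dispatcher exits with an error
}

// Change-user requests processed before the connection ends.
static int attempts_served(const std::vector<Packet>& stream, bool fixed) {
    Connection c{"lowpriv", false, 0};
    int served = 0;
    for (const Packet& p : stream) {
        if (p.cmd == Cmd::ChangeUser) ++served;
        if (dispatch(c, p, fixed)) break;
    }
    return served;
}

// Constructed input: three wrong passwords sent over one session.
static std::vector<Packet> sample_stream() {
    return {{Cmd::ChangeUser, "admin", "guess1"},
            {Cmd::ChangeUser, "admin", "guess2"},
            {Cmd::ChangeUser, "admin", "guess3"},
            {Cmd::Query, "", ""}};
}
```

In the model, the fixed behaviour ends the session at the first failed request, so any further attempt needs a new connection and goes through the ordinary login process and its failure accounting.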

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-659
