Date: Fri, 3 Aug 2012 14:23:58 +0200
From: Tomas Hoger <thoger@...hat.com>
To: secalert_us@...cle.com
Cc: oss-security@...ts.openwall.com, serg@...typrogram.com, John Haxby <john.haxby@...cle.com>
Subject: Re: MySQL CVEs (was: Security vulnerability in MySQL/MariaDB sql/password.c)

On Wed, 27 Jun 2012 13:47:05 +0200 Tomas Hoger wrote:

> On Mon, 18 Jun 2012 18:50:01 +0200 Tomas Hoger wrote:
> 
> > Additionally, the following bugs try to collect info on MySQL security
> > fixes in the last released and an upcoming Oracle CPU:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=832477
> > https://bugzilla.redhat.com/show_bug.cgi?id=832540
> > 
> > It would be nice if Oracle could confirm the mapping between CVEs
> > and particular issues to avoid any incorrect guesses.
> 
> I was really hoping to see some comments from Oracle security team and
> an explicit confirmation of the correct CVE guesses.  Is there a good
> reason why CVE mapping for public issues cannot be provided?

July CPU does not mention any of the CVEs that were previously
mentioned here.

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html#AppendixMSQL

Judging from the CVSS scores, CVE-2012-2122 (password checking issue)
is not duplicated by any CVE listed.  This does not sound too
surprising, as it's quite likely no Oracle MySQL build was really
affected by this flaw, which would explain why this may not have been
treated as security for binary packages.

There does not seem to be any obvious explanation why CVE-2012-2749 and
CVE-2012-2750 are not listed.  It's quite possible they are duplicates
of or covered by (as it seems some CVEs refer to more than one issue)
CVE-2012-1734 and CVE-2012-1689 respectively.

Looking at the issues that affected 5.1 versions and going through the
changes between affected and fixed versions, it seems CVEs from the CPU
refer to the following issues:


2012-07 CPU
-----------

CVE-2012-0540 GIS Extension

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.7
BUG#12414917 - ISCLOSED() CRASHES ON 64-BIT BUILDS

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.8
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.9
BUG#12537203 - CRASH WHEN SUBSELECTING GLOBAL VARIABLES IN GEOMETRY FUNCTION ARGUMENTS


CVE-2012-1734 Server Optimizer

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
Bug#11766300 59387: FAILING ASSERTION: CURSOR->POS_STATE == 1997660512 (BTR_PCUR_IS_POSITIONE
Bug#13639204 64111: CRASH ON SELECT SUBQUERY WITH NON UNIQUE INDEX
-> CVE-2012-2749

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.13
Bug#13031606 VALUES() IN A SELECT STATEMENT CRASHES SERVER

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.3
Bug#13519724 63793: CRASH IN DTCOLLATION::SET(DTCOLLATION &SET)


CVE-2012-1689 Server Optimizer
-> dupe of / overlaps with CVE-2012-2750?

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3695
Bug#13012483:EXPLAIN EXTENDED, PREPARED STATEMENT, CRASH IN CHECK_SIMPLE_EQUALITY


+++++++++++


2012-04 CPU
-----------

CVE-2012-1703 Server Optimizer

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.9.1
Bug #11765810 58813: SERVER THREAD HANGS WHEN JOIN + WHERE + GROUP BY IS EXECUTED TWICE FROM P


CVE-2012-0583 MyISAM

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/1810.4002.1
Bug#12361113: CRASH WHEN "LOAD INDEX INTO CACHE" WITH TOO SMALL KEY CACHE


CVE-2012-1688 Server DML

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.8.4
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/2661.806.4
Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD
-> CVE-2012-2102


CVE-2012-1690 Server Optimizer

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.8.5
Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS


Oracle security team, please confirm the mapping above if it's correct,
or provide corrections.

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team
