Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 Dec 2012 21:46:26 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Sergei Golubchik <serg@...monty.org>
cc: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>,
        king cope <isowarez.isowarez.isowarez@...glemail.com>,
        todd@...ketstormsecurity.org, submit@...sec.com,
        Mitre CVE assign department <cve-assign@...re.org>,
        security@...iadb.org, security@...ql.com,
        Ritwik Ghoshal <ritwik.ghoshal@...cle.com>, moderators@...db.org
Subject: Re: Re: [Full-disclosure] MySQL (Linux) Stack based
 buffer overrun PoC Zeroday


(removed the full-disclosure/bugtraq mailing lists, they don't need to be 
further spammed with minor CVE assignment details.)


On Sun, 2 Dec 2012, Sergei Golubchik wrote:

> Hi, Huzaifa!
>
> Here's the vendor's reply:
>
> On Dec 02, Huzaifa Sidhpurwala wrote:
>>
>> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
>> http://seclists.org/fulldisclosure/2012/Dec/4
>> https://bugzilla.redhat.com/show_bug.cgi?id=882599
>
> A duplicate of CVE-2012-5579
> Already fixed in all stable MariaDB version.

Kurt - I suggest we REJECT CVE-2012-5579 and preserve CVE-2012-5611 
because of the strong likelihood that CVE-2012-5611 will be more commonly 
referenced in the very near future.

>> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
>> Exploit
>> http://seclists.org/fulldisclosure/2012/Dec/6
>> https://bugzilla.redhat.com/show_bug.cgi?id=882606
>
> Not a bug. MySQL manual specifies many times very explicitly:
>
> ===
>   * Do not grant the `FILE' privilege to nonadministrative users. Any

Misconfigurations generally should not be captured with CVE IDs.  At best, 
we will probably describe CVE-2012-5613 to emphasis the sysadmin's role.

Just to toss a droplet of esoteric commentary into the bloodbath - while I 
generally agree with the belief that distinct privileges should imply 
boundaries that can not be broken, the reality is that most privilege 
models are not well-documented or well-understood, and some privileges 
might (by design) be effectively equivalent.  So, privilege issues aren't 
necessarily guaranteed to be treated as vulnerabilities if they don't 
violate the intended security policy.  There was some discussion about 
this kind of challenge in the Linux kernel on oss-security a while back 
that makes my head hurt just thinking about it.

>> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
>> http://seclists.org/fulldisclosure/2012/Dec/9
>> https://bugzilla.redhat.com/show_bug.cgi?id=882608
>
> This is hardly a "zeroday" issue, it was known for, like, ten years.

Does anybody have any URLs for older reports of this issue?

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.