SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Database)  >   MySQL Vendors:   MySQL.com
(Red Hat Issues Fix) MySQL acl_init() Buffer Overflow Permits Remote Authenticated Administrators to Execute Arbitrary Code
SecurityTracker Alert ID:  1007907
SecurityTracker URL:  http://securitytracker.com/id/1007907
CVE Reference:   CAN-2003-0780   (Links to External Site)
Date:  Oct 9 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.14 and prior 4.0 versions; 3.0.57 and prior versions
Description:   A buffer overflow vulnerability was reported in MySQL in the processing of user passwords. An authenticated administrator can execute arbitrary code on the system.

It is reported that a function that checks MySQL user passwords does not properly validate the length of a user-supplied password field. An authenticated user with administrative privileges can set a "Password" field to a specially crafted value that is longer than 16 characters to trigger an overlow and execute arbitrary code. The code will run with the privileges of the MySQL server process.

The report indicates that an administrator can invoke a function (such as 'FLUSH PRIVILEGES') to trigger an overflow in acl_init(). The exploit password length must be set to a multiple of 8.

A demonstration exploit example is provided in the Source Message.

According to the report, this has been confirmed on on OpenBSD 3.3-RELEASE, FreeBSD 4.8-STABLE, and Gentoo Linux 1.4.
Impact:   A remote authenticated administrator can execute arbitrary code on the system with the privileges of the MySQL process.
Solution:   Red Hat has released a fix.

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/mysql-3.23.58-2.71.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/mysql-3.23.58-2.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mysql-server-3.23.58-2.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mysql-devel-3.23.58-2.71.i386.rpm

Red Hat Linux 7.1 for iSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/mysql-3.23.58-2.71.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm

Red Hat Linux 7.1 for pSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/mysql-3.23.58-2.71.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/mysql-3.23.58-1.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mysql-server-3.23.58-1.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mysql-devel-3.23.58-1.72.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-3.23.58-1.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-server-3.23.58-1.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-devel-3.23.58-1.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/mysql-3.23.58-1.73.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/mysql-3.23.58-1.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mysql-server-3.23.58-1.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mysql-devel-3.23.58-1.73.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/mysql-3.23.58-1.80.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/mysql-3.23.58-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mysql-server-3.23.58-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mysql-devel-3.23.58-1.80.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/mysql-3.23.58-1.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/mysql-3.23.58-1.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mysql-server-3.23.58-1.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mysql-devel-3.23.58-1.9.i386.rpm


The verification checksums are:

MD5 sum Package Name
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/SRPMS/mysql-3.23.58-2.71.src.rpm
cb8182bcfe17aa1829e0e62032e79d8c 7.1/en/os/i386/mysql-3.23.58-2.71.i386.rpm
7ce3f107817c4c32163c7b2b085317bf 7.1/en/os/i386/mysql-devel-3.23.58-2.71.i386.rpm
a63d0198da176c5e25738bebc7adf96b 7.1/en/os/i386/mysql-server-3.23.58-2.71.i386.rpm
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/iSeries/SRPMS/mysql-3.23.58-2.71.src.rpm
892b2616bdc5efd5e37fd91e6d220fb8 7.1/en/os/iSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
bd60781e5bbf60f87d027f6d6460c39f 7.1/en/os/iSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm
846b26298bdf3e437954eed63757bf6e 7.1/en/os/iSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/pSeries/SRPMS/mysql-3.23.58-2.71.src.rpm
892b2616bdc5efd5e37fd91e6d220fb8 7.1/en/os/pSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
bd60781e5bbf60f87d027f6d6460c39f 7.1/en/os/pSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm
846b26298bdf3e437954eed63757bf6e 7.1/en/os/pSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ca6ec39d94f16bf21ae966d674e8ad15 7.2/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm
fd4adfe080eee307a9a78daf49688dae 7.2/en/os/i386/mysql-3.23.58-1.72.i386.rpm
a1bb526948f3fafbff27f65f2f2646f4 7.2/en/os/i386/mysql-devel-3.23.58-1.72.i386.rpm
0ef086ea42e5daf662b238c4cd3941b4 7.2/en/os/i386/mysql-server-3.23.58-1.72.i386.rpm
592cbe1df440454be5de2bde4da0aeeb 7.2/en/os/ia64/mysql-3.23.58-1.72.ia64.rpm
fb82da0bd237e8e47757deea248966f6 7.2/en/os/ia64/mysql-devel-3.23.58-1.72.ia64.rpm
321d0908982321e779c93b8b933f4d89 7.2/en/os/ia64/mysql-server-3.23.58-1.72.ia64.rpm
a9e7a07bb76dd1320e0c395ce48231b1 7.3/en/os/SRPMS/mysql-3.23.58-1.73.src.rpm
03bdb421e367c398282ea54b6cc33bfb 7.3/en/os/i386/mysql-3.23.58-1.73.i386.rpm
ade8d6e100916f3bbfac27e88700179b 7.3/en/os/i386/mysql-devel-3.23.58-1.73.i386.rpm
e197723474c4dccdcb689d6208edd766 7.3/en/os/i386/mysql-server-3.23.58-1.73.i386.rpm
c5420710b963e4b402a5ce1b0af50f5a 8.0/en/os/SRPMS/mysql-3.23.58-1.80.src.rpm
d72af1bf81fb3cdd5f1696196122dd59 8.0/en/os/i386/mysql-3.23.58-1.80.i386.rpm
be0a150e64c0c68249b7dfb6f723d696 8.0/en/os/i386/mysql-devel-3.23.58-1.80.i386.rpm
7e9295efeca974cbadc61ee2a02f6d59 8.0/en/os/i386/mysql-server-3.23.58-1.80.i386.rpm
f3320713e2a1bc787e249738bec90c4d 9/en/os/SRPMS/mysql-3.23.58-1.9.src.rpm
aa674d9d284788f8c354f3f20b6aec57 9/en/os/i386/mysql-3.23.58-1.9.i386.rpm
8eac37417227bf2c0c7d13a2eafcb80f 9/en/os/i386/mysql-devel-3.23.58-1.9.i386.rpm
78b516147ff717a2db347260e85e6688 9/en/os/i386/mysql-server-3.23.58-1.9.i386.rpm
Vendor URL:  lists.mysql.com/list.php?list=announce&post=168 (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Red Hat Linux)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 10 2003 MySQL acl_init() Buffer Overflow Permits Remote Authenticated Administrators to Execute Arbitrary Code


 Source Message Contents
Date:  Thu, 9 Oct 2003 04:59 -0400
Subject:  [RHSA-2003:281-01] Updated MySQL packages fix vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated MySQL packages fix vulnerability
Advisory ID:       RHSA-2003:281-01
Issue date:        2003-10-09
Updated on:        2003-10-09
Product:           Red Hat Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2003:093
CVE Names:         CAN-2003-0780
- ---------------------------------------------------------------------

1. Topic:

Updated MySQL server packages fix a buffer overflow vulnerability.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.1 for iSeries (64 bit) - ppc
Red Hat Linux 7.1 for pSeries (64 bit) - ppc
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

MySQL is a multi-user, multi-threaded SQL database server.

Frank Denis reported a bug in unpatched versions of MySQL prior to version
3.23.58. Passwords for MySQL users are stored in the Password field of the
user table. Under this bug, a Password field with a value greater than 16
characters can cause a buffer overflow. It may be possible for an attacker
with the ability to modify the user table to exploit this buffer overflow
to execute arbitrary code as the MySQL user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0780 to
this issue.

Users of MySQL are advised to upgrade to these erratum packages containing
MySQL 3.23.58, which is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network.  To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/mysql-3.23.58-2.71.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/mysql-3.23.58-2.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mysql-server-3.23.58-2.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mysql-devel-3.23.58-2.71.i386.rpm

Red Hat Linux 7.1 for iSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/mysql-3.23.58-2.71.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm

Red Hat Linux 7.1 for pSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/mysql-3.23.58-2.71.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/mysql-3.23.58-1.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mysql-server-3.23.58-1.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mysql-devel-3.23.58-1.72.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-3.23.58-1.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-server-3.23.58-1.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/mysql-devel-3.23.58-1.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/mysql-3.23.58-1.73.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/mysql-3.23.58-1.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mysql-server-3.23.58-1.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mysql-devel-3.23.58-1.73.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/mysql-3.23.58-1.80.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/mysql-3.23.58-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mysql-server-3.23.58-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mysql-devel-3.23.58-1.80.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/mysql-3.23.58-1.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/mysql-3.23.58-1.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mysql-server-3.23.58-1.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mysql-devel-3.23.58-1.9.i386.rpm



6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/SRPMS/mysql-3.23.58-2.71.src.rpm
cb8182bcfe17aa1829e0e62032e79d8c 7.1/en/os/i386/mysql-3.23.58-2.71.i386.rpm
7ce3f107817c4c32163c7b2b085317bf 7.1/en/os/i386/mysql-devel-3.23.58-2.71.i386.rpm
a63d0198da176c5e25738bebc7adf96b 7.1/en/os/i386/mysql-server-3.23.58-2.71.i386.rpm
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/iSeries/SRPMS/mysql-3.23.58-2.71.src.rpm
892b2616bdc5efd5e37fd91e6d220fb8 7.1/en/os/iSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
bd60781e5bbf60f87d027f6d6460c39f 7.1/en/os/iSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm
846b26298bdf3e437954eed63757bf6e 7.1/en/os/iSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
1af9dba0f82c30e3bd06a22ad3cce47f 7.1/en/os/pSeries/SRPMS/mysql-3.23.58-2.71.src.rpm
892b2616bdc5efd5e37fd91e6d220fb8 7.1/en/os/pSeries/ppc/mysql-3.23.58-2.71.ppc.rpm
bd60781e5bbf60f87d027f6d6460c39f 7.1/en/os/pSeries/ppc/mysql-devel-3.23.58-2.71.ppc.rpm
846b26298bdf3e437954eed63757bf6e 7.1/en/os/pSeries/ppc/mysql-server-3.23.58-2.71.ppc.rpm
ca6ec39d94f16bf21ae966d674e8ad15 7.2/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm
fd4adfe080eee307a9a78daf49688dae 7.2/en/os/i386/mysql-3.23.58-1.72.i386.rpm
a1bb526948f3fafbff27f65f2f2646f4 7.2/en/os/i386/mysql-devel-3.23.58-1.72.i386.rpm
0ef086ea42e5daf662b238c4cd3941b4 7.2/en/os/i386/mysql-server-3.23.58-1.72.i386.rpm
592cbe1df440454be5de2bde4da0aeeb 7.2/en/os/ia64/mysql-3.23.58-1.72.ia64.rpm
fb82da0bd237e8e47757deea248966f6 7.2/en/os/ia64/mysql-devel-3.23.58-1.72.ia64.rpm
321d0908982321e779c93b8b933f4d89 7.2/en/os/ia64/mysql-server-3.23.58-1.72.ia64.rpm
a9e7a07bb76dd1320e0c395ce48231b1 7.3/en/os/SRPMS/mysql-3.23.58-1.73.src.rpm
03bdb421e367c398282ea54b6cc33bfb 7.3/en/os/i386/mysql-3.23.58-1.73.i386.rpm
ade8d6e100916f3bbfac27e88700179b 7.3/en/os/i386/mysql-devel-3.23.58-1.73.i386.rpm
e197723474c4dccdcb689d6208edd766 7.3/en/os/i386/mysql-server-3.23.58-1.73.i386.rpm
c5420710b963e4b402a5ce1b0af50f5a 8.0/en/os/SRPMS/mysql-3.23.58-1.80.src.rpm
d72af1bf81fb3cdd5f1696196122dd59 8.0/en/os/i386/mysql-3.23.58-1.80.i386.rpm
be0a150e64c0c68249b7dfb6f723d696 8.0/en/os/i386/mysql-devel-3.23.58-1.80.i386.rpm
7e9295efeca974cbadc61ee2a02f6d59 8.0/en/os/i386/mysql-server-3.23.58-1.80.i386.rpm
f3320713e2a1bc787e249738bec90c4d 9/en/os/SRPMS/mysql-3.23.58-1.9.src.rpm
aa674d9d284788f8c354f3f20b6aec57 9/en/os/i386/mysql-3.23.58-1.9.i386.rpm
8eac37417227bf2c0c7d13a2eafcb80f 9/en/os/i386/mysql-devel-3.23.58-1.9.i386.rpm
78b516147ff717a2db347260e85e6688 9/en/os/i386/mysql-server-3.23.58-1.9.i386.rpm


These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


7. References:

http://www.mysql.com/doc/en/News-3.23.58.html
http://www.mysql.com/doc/en/News-3.23.57.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/hSNaXlSAg2UNWIIRAmmHAJwLMBnjO0Ee7Y/exgr6mm9dA75wAwCgl5b9
vOs0XGCftg0xMcITFEPe3T0=
=H2++
-----END PGP SIGNATURE-----


_______________________________________________
Redhat-watch-list mailing list
To unsubscribe, visit: https://www.redhat.com/mailman/listinfo/redhat-watch-list


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC