oss-sec mailing list archives

Re: MySQL CVEs (was: Security vulnerability in MySQL/MariaDB sql/password.c)


From: Tomas Hoger <thoger () redhat com>
Date: Mon, 18 Jun 2012 18:50:01 +0200

Hijacking this thread a bit...

On Sat, 9 Jun 2012 17:30:38 +0200 Sergei Golubchik wrote:

MySQL bug report:
http://bugs.mysql.com/bug.php?id=64884
MySQL fix:
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

In addition to 64884 / CVE-2012-2122 reported by Sergei, 5.1.63 release
notes also mention an additional security fix:

 * Security Fix: Bug #59387 was fixed.

which can be tracked to the following commit:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16

This allows a non-admin mysql user to crash mysqld.  The fix is also in
5.5.24, but it is not mentioned in the 5.5.24 release notes or the changelog
file included in the sources.  5.0.x is affected too.  Can the CVE be
assigned?  I'm CCing Oracle security team explicitly, so they can reply
with their existing assignment (if any), and/or are aware of the new
assignment.


Additionally, 5.5.23 changes include another security fix:

 * Security Fix: Bug #59533 was fixed.

However, I've not had much luck trying to find a commit or any further
info for this issue.  Upstream bug is private.  Does anyone have any
further info?


Additionally, the following bugs try to collect info on MySQL security
fixes in the last released and an upcoming Oracle CPU:

https://bugzilla.redhat.com/show_bug.cgi?id=832477
https://bugzilla.redhat.com/show_bug.cgi?id=832540

It would be nice if Oracle could confirm the mapping between CVEs and
particular issues to avoid any incorrect guesses.

If anyone else has been looking into trying to map Oracle assigned CVEs
to specific changes and has any info missing in the above bugs, feel
free to comment there.

-- 
Tomas Hoger / Red Hat Security Response Team

