Full Disclosure mailing list archives

Re: MySQL Denial of Service Zeroday PoC


From: Sergei Golubchik <serg () askmonty org>
Date: Thu, 28 Feb 2013 09:50:33 +0100

Hi, Kurt!

Cheerio, Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in
this case we have a bit of a time constraint (it's a weekend and this
is blowing up quickly) and the impacts are potentially quite severe.
So I've spoken with some other Red Hat SRT members and we feel it is
best to get CVE #'s assigned for these issues quickly so we can refer
to them properly.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey,
cve-assign and OSVDB to the CC so that everyone is aware of what is
going on.

http://seclists.org/fulldisclosure/2012/Dec/7

I've just looked at CVE-2012-5614 - it's not quite correct:

* it claims the bug was in UpdateXML - if you look at the exploit,
  you'll see that it sends an invalid packet to the server; the
  UpdateXML part is after the exit statement, so it's dead code.

* it references https://mariadb.atlassian.net/browse/MDEV-3910
  which is about the invalid packet, not about UpdateXML

* but MDEV-3910 also mentions that this invalid packet crash was
  introduced in MySQL-5.5.18 and fixed in MySQL-5.5.21, while the CVE
  entry says that MySQL 5.5.19 and MariaDB 5.5.28a are vulnerable.

* UpdateXML, on the other hand, was vulnerable only in MySQL, starting
  from 5.6.6 and fixed in 5.6.10. Earlier MySQL versions and all MariaDB
  versions are not affected.

Regards,
Sergei

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

