MySQL Information Disclosure and Buffer Overflow Vulnerabilities - Advisories

Software Inspectors

	Scan Online

	Personal (PSI)

	Network (NSI 2.0)

Solutions For

	Security Professionals

	Security Vendors

Free Solutions For

	Open Communities

	Journalists & Media

Secunia Advisories

	Search

	Historic Advisories

	Listed By Product

	Listed By Vendor

	Statistics / Graphs

	Secunia Research

	Report Vulnerability

	About Advisories

Virus Information

	Chronological List

	Last 10 Virus Alerts

	About Virus Information

Secunia Customers

	Customer Area

MySQL Information Disclosure and Buffer Overflow Vulnerabilities

Secunia Advisory:	SA19929
Release Date:	2006-05-03
Last Update:	2006-07-21

Critical:	Less critical
Impact:	Exposure of sensitive information DoS System access
Where:	From local network
Solution Status:	Vendor Patch

Software:	MySQL 4.x MySQL 5.x

CVE reference:	CVE-2006-1516 (Secunia mirror) CVE-2006-1517 (Secunia mirror) CVE-2006-1518 (Secunia mirror) CVE-2006-3081 (Secunia mirror) CVE-2006-3469 (Secunia mirror)

	Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS!

Description: Some vulnerabilities have been reported in MySQL, which can be exploited by malicious users to disclose potentially sensitive information, cause a DoS (Denial of Service) and compromise a vulnerable system. 1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclosure certain memory content of the server process. The vulnerability has been reported in version 4.0.26, 4.1.18, and 5.0.20. Prior versions may also be affected. 2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution. The vulnerability has been reported in version 5.0.20. Prior versions may also be affected. 3) An error within the handling of malformed login packets can be exploited to disclosure certain memory content of the server process in the error messages. The vulnerability has been reported in version 4.0.26, 4.1.18, and 5.0.20. Prior versions may also be affected. 4) An error exists within the handling of certain queries that contain the "STR_TO_DATE(1,NULL)" clause. This can be exploited by malicious users to cause the "mysqld" process to crash. 5) An error within the handling of invalid arguments to "DATE_FORMAT()" can be exploited by malicious users to crash the service. The vulnerability has been reported in versions 4.1.17, 5.0.18, and 5.1.5. Prior versions may also be affected. Solution: Update to the fixed versions. MySQL 4.1.x: Update to version 4.1.19. http://dev.mysql.com/downloads/mysql/4.1.html MySQL 5.0.x: Update to version 5.0.21. http://dev.mysql.com/downloads/mysql/5.0.html MySQL 5.1.x: Vulnerabilities #1-#3 will be fixed in version 5.1.10, vulnerability #4 has been fixed in version 5.1.6. Provided and/or discovered by: 1-3) Stefano Di Paola 4) Kanatoko 5) The vendor credits Jean-David Maillefer Changelog: 2006-05-08: Added link to US-CERT vulnerability note. Added solution for MySQL 4.1.x. 2006-05-08: Added CVE references. 2006-06-15: Added information about additional vulnerability. 2006-06-23: Added CVE reference. 2006-07-21: Updated "Solution" section. Added additional vulnerability. Original Advisory: MySQL: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html http://dev.mysql.com/doc/connector/j/en/news-5-0-21.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-10.html Wisec: http://www.wisec.it/vulns.php?page=7 http://www.wisec.it/vulns.php?page=8 Kanatoko: http://bugs.mysql.com/bug.php?id=15828 Jean-David Maillefer: http://bugs.mysql.com/bug.php?id=20729 Other References: US-CERT VU#602457: http://www.kb.cert.org/vuls/id/602457



Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

27 Related Secunia Security Advisories, displaying 10

1. MySQL MyISAM Table Privilege Check Bypass

2. MySQL Multiple Vulnerabilities

3. MySQL Security Issue and Two Vulnerabilities

4. MySQL System Table Information Overwrite Vulnerability

5. MySQL InnoDB Denial of Service Vulnerability

6. MySQL Denial of Service Vulnerability and Multiple Security Issues

7. MySQL IF Query Denial of Service Vulnerability

8. MySQL Single-Row Subselect and INFORMATION_SCHEMA Denial of Service

9. MySQL Create Database Bypass and Privilege Escalation

10. MySQL MERGE Table Privilege Revoke Bypass

Show all related advisories

Send Feedback to Secunia

If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.

Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Most Popular Advisories

1.	OpenBSD BIND Query Port DNS Cache Poisoning

2.	Drupal Session Fixation Vulnerability

3.	Linux Kernel LDT Buffer Size Handling Vulnerability

4.	Red Hat update for kernel

5.	dnsmasq Denial of Service and DNS Cache Poisoning

6.	Apple Safari Cross-Domain Cookie Injection Vulnerability

7.	YouTube Blog Multiple Vulnerabilities

8.	Debian update for clamav

9.	Red Hat update for thunderbird

10.	Ubuntu update for php