Secunia
Some vulnerabilities have been reported in MySQL, which can be exploited to cause a Denial of Service and escalate privileges on a vulnerable system.
When handling COM_TABLE_DUMP, MySQL does not verify the length of the input, which can be exploited to crash mysqld.
When handling COM_CHANGE_USER, the challenge response is not verified correctly. This allows malicious users to brute-force other accounts, as there are only 32 combinations. It also seems possible to overflow a stack buffer by sending more than 16 characters, which has been proven exploitable on Linux systems.
Applications relying on libmysqlclient may be crashed due to two bugs. One is caused by a destination buffer not being verified, which can be exploited by supplying a negative field size in a response. The other occurs when the libmysqlclient library fetches results one by one: field sizes are not verified, which allows overwriting of arbitrary addresses with a '\0'.
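The libmysqlclient issues above come down to trusting a size field taken from the server's response. As an added illustration (not MySQL or libmysqlclient source; the one-byte signed length prefix and the names `copy_field` and `parse_row` are constructed for this example), these are the checks a client-side reader needs before it copies and terminates a field:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not MySQL source): copy one length-prefixed field
 * from an untrusted server response into a caller-supplied buffer.
 * Returns the number of bytes copied, or -1 if the claimed size is rejected. */
long copy_field(char *dst, size_t dst_cap,
                const unsigned char *src, size_t src_left, long field_len)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    /* Reject a negative size while it is still signed: cast to size_t it
     * becomes a huge count, and used as an index it points before dst. */
    if (field_len < 0)
        return -1;
    /* The claimed size cannot exceed what the packet actually holds. */
    if ((size_t)field_len > src_left)
        return -1;
    /* Leave room for the terminator written after the field. */
    if ((size_t)field_len >= dst_cap)
        return -1;
    memcpy(dst, src, (size_t)field_len);
    dst[field_len] = '\0';   /* in bounds only because of the checks above */
    return field_len;
}

/* Constructed format: a packet of [1-byte signed length][bytes] fields.
 * Returns the number of fields accepted, or -1 on the first bad size. */
int parse_row(const unsigned char *pkt, size_t pkt_len,
              char out[][16], int max_fields)
{
    size_t pos = 0;
    int n = 0;
    while (pos < pkt_len && n < max_fields) {
        long len = (signed char)pkt[pos++];   /* sign-extended on purpose */
        if (copy_field(out[n], 16, pkt + pos, pkt_len - pos, len) < 0)
            return -1;
        pos += (size_t)len;
        n++;
    }
    return n;
}
```

Without the three size checks, the terminator write lands at an offset chosen by the server, which is the single '\0' overwrite the advisory describes.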
Solution:
Version 3.23.54 is not vulnerable.
Provided and/or discovered by:
Stefan Esser, e-matters
Subject: MySQL multiple vulnerabilities