12/19/02
CAN 2002-1374
The MySQL server's authentication mechanism works by checking
the password provided by the client, but only over the number
of characters the client actually supplied. Normally this does not
present a problem because recent versions of MySQL require
the provided password to be eight characters long. However, this
safeguard is not applied to the COM_CHANGE_USER
command. Thus, an authenticated database user could log in
as any other user (including the root account) by correctly
providing as little as one character of the correct password.
Since there are only 32 possible characters, the attacker
would gain access in 32 attempts or fewer.
CAN 2002-1375
Furthermore, by supplying a password of more than 16 characters, an
attacker could cause a stack buffer overflow and possibly
overwrite the return pointer with randomly generated data.
Since the new return pointer would be random, this buffer
overflow would be difficult, but not impossible, to exploit
on Linux systems.
MySQL 3.23.53a and earlier and MySQL 4.0 through 4.0.5a are affected by these vulnerabilities.
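The two defects above (CAN 2002-1374 and CAN 2002-1375) come from the same handler pattern: copying a client-supplied reply into a fixed stack buffer and comparing only as many bytes as the client sent. The following is an added illustration, not MySQL source code; the function names are hypothetical, and the 8-character reply and 16-byte stack buffer are assumptions taken from the advisory text.

```c
/* Added illustration (not MySQL's code): a reply check that compares
 * only the bytes the client supplied, beside a hardened check that
 * enforces the full length before copying or comparing. */
#include <stddef.h>
#include <string.h>

#define SCRAMBLE_LEN 8   /* expected reply length (assumption from advisory) */
#define REPLY_BUF    16  /* fixed stack buffer (assumption from advisory) */

/* Vulnerable pattern: a reply matching only its first client_len bytes
 * is accepted, so a one-byte reply can pass (CAN 2002-1374); the copy
 * has no bound, so a reply longer than REPLY_BUF overruns the stack
 * buffer (CAN 2002-1375). Only called with short inputs here. */
int check_reply_vulnerable(const char *client, size_t client_len,
                           const char *expected)
{
    char buf[REPLY_BUF];
    memcpy(buf, client, client_len);               /* unbounded copy */
    return memcmp(buf, expected, client_len) == 0; /* partial compare */
}

/* Hardened: reject any reply that is not exactly SCRAMBLE_LEN bytes
 * (this also refuses oversized input before it reaches the buffer),
 * then compare the whole expected value in constant time. */
int check_reply_hardened(const char *client, size_t client_len,
                         const char *expected)
{
    char buf[REPLY_BUF];
    unsigned char diff = 0;
    size_t i;

    if (client_len != SCRAMBLE_LEN)   /* partial and oversized replies fail */
        return 0;
    memcpy(buf, client, client_len);  /* now provably within REPLY_BUF */
    for (i = 0; i < SCRAMBLE_LEN; i++)
        diff |= (unsigned char)(buf[i] ^ expected[i]);
    return diff == 0;                 /* 1 only when all 8 bytes match */
}
```

The key difference is that the hardened check decides on the server's expected length, never on the length the client chose to send.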
4/29/03
CAN 2003-0150
The privileges with which the MySQL server runs are set
in the MySQL configuration.
By default, MySQL reads a configuration file called
my.cnf in each data directory, which overrides
the parameters present in the global configuration file,
/etc/my.cnf. By creating a database and
using the INSERT INTO
and SELECT * INTO OUTFILE SQL commands, any
MySQL user could create a my.cnf file
containing arbitrary parameters. By setting user
to root within this file and then waiting for the
MySQL server to restart, the user could cause MySQL to run
with root privileges. In combination with other
possible vulnerabilities, this could allow the user to
gain root access to the system. MySQL prior to
3.23.56 is affected by this vulnerability.
2/11/03
CAN 2003-0073
A problem in the mysql_change_user function
in MySQL versions prior to 3.23.55 could cause the same memory
buffer to be deallocated twice. This could allow a remote
attacker to crash the MySQL service.
12/19/02
CAN 2002-1373
MySQL 3.23.53a and earlier and MySQL 4.0 through 4.0.5a
are affected by a signed integer
vulnerability. A negative length value could be used to cause
a large amount of memory to be copied onto the heap,
resulting in a crash or an endless loop of
segmentation faults, leading to a denial of service.
The double-free vulnerability was reported in the MySQL 3.23.55 release notes.
The process ownership modification vulnerability was posted to Bugtraq.