Debian alert: New mysql packages fix buffer overflow

Posted by dave on Sep 13, 2003 6:20 PM EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 381-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
September 13th, 2003                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0780

MySQL, a popular relational database system, contains a buffer
overflow condition which could be exploited by a user who has
permission to execute "ALTER TABLE" commands on the tables in the
"mysql" database.  If successfully exploited, this vulnerability
could allow the attacker to execute arbitrary code with the
privileges of the mysqld process (by default, user "mysql").  Since
the "mysql" database is used for MySQL's internal record keeping, by
default the mysql administrator "root" is the only user with
permission to alter its tables.

For the stable distribution (woody) this problem has been fixed in
version 3.23.49-8.5.

For the unstable distribution (sid) this problem will be fixed soon.
Refer to Debian bug #210403.

We recommend that you update your mysql package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.5.dsc
      Size/MD5 checksum:      886 7107830c1ec314067ce5dc494318d40d
    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.5.diff.gz
      Size/MD5 checksum:    61337 0a916715c546b6dcab060063b9d35393
    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
      Size/MD5 checksum: 11861035 a2820d81997779a9fdf1f4b3c321564a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.5_all.deb
      Size/MD5 checksum:    16702 ae5d7baf1bd72226740aff1a5de05af6
    http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.5_all.deb
      Size/MD5 checksum:  1962992 a4cacebaadf9d5988da0ed1a336b48e6

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_alpha.deb
      Size/MD5 checksum:   277506 404523a2d8042a221607e6b515f7b9e3
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_alpha.deb
      Size/MD5 checksum:   778546 ba259a789a9079fd64745773833d1912
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_alpha.deb
      Size/MD5 checksum:   163286 7fb3283ba5443e6d34fe1ae8865ae08e
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_alpha.deb
      Size/MD5 checksum:  3634080 35b40744a3e1969697aa32f3d9c01772

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_arm.deb
      Size/MD5 checksum:   238116 215806b2a8555a4749c81a8b93a4aad3
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_arm.deb
      Size/MD5 checksum:   634422 fd538ea69c4b07c8b16368dca2b68c55
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_arm.deb
      Size/MD5 checksum:   123714 729b51321b3dd0803a3f9a0d22d83ffe
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_arm.deb
      Size/MD5 checksum:  2805762 7334c08c8f9750428dce4e7595e11807

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_i386.deb
      Size/MD5 checksum:   234482 3acfaaccb3b96e8fc570152cc6573440
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_i386.deb
      Size/MD5 checksum:   576440 2afe39ec84c7a7753e3bd932fb0ea1cc
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_i386.deb
      Size/MD5 checksum:   122326 85462ed38b0d51a5775356d8a33fe79c
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_i386.deb
      Size/MD5 checksum:  2800542 aa338ea1e99fe7a577a51d657530485e

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_ia64.deb
      Size/MD5 checksum:   314840 c0ce30c7df2a67be46030ef2996f9450
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_ia64.deb
      Size/MD5 checksum:   848376 b8a00feaa674c14be926711b0bcb70dd
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_ia64.deb
      Size/MD5 checksum:   173564 306addac744ed9d76a4b1a3ed2578f6b
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_ia64.deb
      Size/MD5 checksum:  3999942 7f3ee1c27e7f631e1862db0281a76956

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_hppa.deb
      Size/MD5 checksum:   280402 e7c21784aa4262e7b87c6e7dd7c106f9
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_hppa.deb
      Size/MD5 checksum:   743498 638190fa05f1b6b4f4accd0078a0db23
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_hppa.deb
      Size/MD5 checksum:   140382 fc6d227a8de9d27d499db2ce57d66630
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_hppa.deb
      Size/MD5 checksum:  3514718 bc700968a2326d266a385c1017e9b7aa

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_m68k.deb
      Size/MD5 checksum:   227458 301ee5a393aede312c0c387fbd8d8f10
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_m68k.deb
      Size/MD5 checksum:   557496 5a3a89901ac58539be03dc9306db3940
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_m68k.deb
      Size/MD5 checksum:   118144 c4a8dadc921151d7baf91e68a1db5619
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_m68k.deb
      Size/MD5 checksum:  2646450 54edc48fc5ba4c963311ef2e280b348e

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_mips.deb
      Size/MD5 checksum:   250720 ee73c018988e1ae8ffcecd0dd8488f45
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_mips.deb
      Size/MD5 checksum:   688834 cdf66126cd1ff17780b2b47defb7faa5
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_mips.deb
      Size/MD5 checksum:   133656 2934c95216fd1ff7150d4e271cc5cb6a
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_mips.deb
      Size/MD5 checksum:  2847598 f500c10cafdb159b41af98c7188b1de2

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_mipsel.deb
      Size/MD5 checksum:   250390 816858ee19aaa2428eb33a25cf904331
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_mipsel.deb
      Size/MD5 checksum:   688154 aae88f8a2d76308a5877d6ae3a738f1e
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_mipsel.deb
      Size/MD5 checksum:   134004 5d04ab26e1ebe2be2a9881542b422b92
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_mipsel.deb
      Size/MD5 checksum:  2838974 785721f5b59fbee4628d9fcb2fc4c472

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_powerpc.deb
      Size/MD5 checksum:   247484 3afced55ed34b6eb7466aeb641812251
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_powerpc.deb
      Size/MD5 checksum:   652420 d2fe0c7ad97b934c99806b5924395c14
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_powerpc.deb
      Size/MD5 checksum:   129212 2b19bdbea7c12ce806606db4b2a54fc2
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_powerpc.deb
      Size/MD5 checksum:  2822744 825aba2752f60459586e4eef0b43bfe2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_s390.deb
      Size/MD5 checksum:   249804 90010b1005ec61befbc21bdb3a725e7f
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_s390.deb
      Size/MD5 checksum:   606890 844d89843417dd94a7a3d60f443708df
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_s390.deb
      Size/MD5 checksum:   126194 029e8fe65e03c5e6a0d9168d532e0d72
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_s390.deb
      Size/MD5 checksum:  2690976 55b0a91c74e10f327be3c1edfe18834b

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.5_sparc.deb
      Size/MD5 checksum:   241002 3909504647aba0d22e2d13101762cb8e
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.5_sparc.deb
      Size/MD5 checksum:   615542 72d29f54cd2d0c66e8b6781f947f115c
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.5_sparc.deb
      Size/MD5 checksum:   130166 9b5e870572608919256b0bb0496d5089
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.5_sparc.deb
      Size/MD5 checksum:  2939208 ab104dc4342d279713bac3124dfc7b1b

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/Y9BUArxCt0PiXR4RAlmLAJ9xJl1LreHgAQDVc3rmeY73OGEixgCg32vv
xY6mLwj8y+4Oat54aruVROo=
=+mKE
-----END PGP SIGNATURE-----
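
An added example, not part of the Debian advisory: between the advisory's "wget url" and "dpkg -i file.deb" steps, the downloaded files can be checked against its "Size/MD5 checksum" entries. The function names and the saved-advisory file name are hypothetical, and md5sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the advisory): verify downloaded files against
# the "Size/MD5 checksum" entries of a Debian security advisory.

# dsa_manifest: read advisory text on stdin, print "size md5 filename" per entry.
dsa_manifest() {
    awk '
        /^[ \t]*(http|ftp):\/\// { n = split($1, part, "/"); name = part[n]; next }
        /Size\/MD5 checksum:/ && name != "" {
            # Accept only a decimal size and a 32-digit hex digest.
            if ($(NF-1) ~ /^[0-9]+$/ && $NF ~ /^[0-9a-f]+$/ && length($NF) == 32)
                print $(NF-1), $NF, name
            name = ""
        }'
}

# verify_against_dsa ADVISORY DIR
# Checks every listed file that exists in DIR. Returns 0 only when at least
# one file was checked and all of them match in both size and MD5.
verify_against_dsa() {
    advisory=$1; dir=$2; checked=0; bad=0
    manifest=$(dsa_manifest < "$advisory")
    while read -r size md5 name; do
        # Entries for other architectures are usually not downloaded: skip them.
        [ -n "$name" ] && [ -f "$dir/$name" ] || continue
        checked=$((checked + 1))
        actual_size=$(( $(wc -c < "$dir/$name") ))
        actual_md5=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$actual_size" = "$size" ] && [ "$actual_md5" = "$md5" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=$((bad + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Typical use: verify_against_dsa advisory.txt . && dpkg -i mysql-server_*.deb
```

The checksum list is only as trustworthy as the advisory text it came from, so verify the advisory's PGP signature (for example with gpg --verify on the saved message) before relying on it. MD5 is what this advisory publishes; it detects a corrupted or mismatched download but is not collision-resistant.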

