Mandriva Linux Security Advisory : mysql (MDVSA-2010:155-1)

2010-08-2300:00:00

www.tenable.com

Multiple vulnerabilities has been found and corrected in mysql :

MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), … (dot dot), …/ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory (CVE-2010-2008).

Additionally many security issues noted in the 5.1.49 release notes has been addressed with this advisory as well, such as :

LOAD DATA INFILE did not check for SQL errors and sent an OK packet even when errors were already reported.
Also, an assert related to client-server protocol checking in debug servers sometimes was raised when it should not have been. (Bug#52512) (CVE-2010-3683)
Using EXPLAIN with queries of the form SELECT … UNION … ORDER BY (SELECT … WHERE …) could cause a server crash. (Bug#52711) (CVE-2010-3682)
The server could crash if there were alternate reads from two indexes on a table using the HANDLER interface.
(Bug#54007) (CVE-2010-3681)
A malformed argument to the BINLOG statement could result in Valgrind warnings or a server crash.
(Bug#54393) (CVE-2010-3679)
Incorrect handling of NULL arguments could lead to a crash for IN() or CASE operations when NULL arguments were either passed explicitly as arguments (for IN()) or implicitly generated by the WITH ROLLUP modifier (for IN() and CASE). (Bug#54477) (CVE-2010-3678)
Joins involving a table with with a unique SET column could cause a server crash. (Bug#54575) (CVE-2010-3677)
Use of TEMPORARY InnoDB tables with nullable columns could cause a server crash. (Bug#54044) (CVE-2010-3680)

The updated packages have been patched to correct these issues.

Update :

Packages for 2009.1 was not provided with the MDVSA-2010:155 advisory.
This advisory provides the missing packages.

#%NASL_MIN_LEVEL 70300

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2010:155. 
# The text itself is copyright (C) Mandriva S.A.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(48399);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2010-2008", "CVE-2010-3677", "CVE-2010-3678", "CVE-2010-3679", "CVE-2010-3680", "CVE-2010-3681", "CVE-2010-3682", "CVE-2010-3683");
  script_bugtraq_id(41198, 42596, 42598, 42599, 42625, 42633, 42638, 42646);
  script_xref(name:"MDVSA", value:"2010:155-1");

  script_name(english:"Mandriva Linux Security Advisory : mysql (MDVSA-2010:155-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities has been found and corrected in mysql :

MySQL before 5.1.48 allows remote authenticated users with alter
database privileges to cause a denial of service (server crash and
database loss) via an ALTER DATABASE command with a #mysql50# string
followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar
sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes
MySQL to move certain directories to the server data directory
(CVE-2010-2008).

Additionally many security issues noted in the 5.1.49 release notes
has been addressed with this advisory as well, such as :

  - LOAD DATA INFILE did not check for SQL errors and sent
    an OK packet even when errors were already reported.
    Also, an assert related to client-server protocol
    checking in debug servers sometimes was raised when it
    should not have been. (Bug#52512) (CVE-2010-3683)

  - Using EXPLAIN with queries of the form SELECT ... UNION
    ... ORDER BY (SELECT ... WHERE ...) could cause a server
    crash. (Bug#52711) (CVE-2010-3682)

  - The server could crash if there were alternate reads
    from two indexes on a table using the HANDLER interface.
    (Bug#54007) (CVE-2010-3681)

  - A malformed argument to the BINLOG statement could
    result in Valgrind warnings or a server crash.
    (Bug#54393) (CVE-2010-3679)

  - Incorrect handling of NULL arguments could lead to a
    crash for IN() or CASE operations when NULL arguments
    were either passed explicitly as arguments (for IN()) or
    implicitly generated by the WITH ROLLUP modifier (for
    IN() and CASE). (Bug#54477) (CVE-2010-3678)

  - Joins involving a table with with a unique SET column
    could cause a server crash. (Bug#54575) (CVE-2010-3677)

  - Use of TEMPORARY InnoDB tables with nullable columns
    could cause a server crash. (Bug#54044) (CVE-2010-3680)

The updated packages have been patched to correct these issues.

Update :

Packages for 2009.1 was not provided with the MDVSA-2010:155 advisory.
This advisory provides the missing packages."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=52512"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=52711"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=54007"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=54044"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=54393"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=54477"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.mysql.com/bug.php?id=54575"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mysql-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mysql-static-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mysql16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql-static-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-bench");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-max");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-ndb-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-ndb-management");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-ndb-storage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mysql-ndb-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64mysql-devel-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64mysql-static-devel-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64mysql16-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libmysql-devel-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libmysql-static-devel-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libmysql16-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-bench-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-client-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-common-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-doc-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-max-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-ndb-extra-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-ndb-management-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-ndb-storage-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"mysql-ndb-tools-5.1.42-0.6mdv2009.1", yank:"mdv")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
mandrivalinuxlib64mysql-develp-cpe:/a:mandriva:linux:lib64mysql-devel
mandrivalinuxlib64mysql-static-develp-cpe:/a:mandriva:linux:lib64mysql-static-devel
mandrivalinuxlib64mysql16p-cpe:/a:mandriva:linux:lib64mysql16
mandrivalinuxlibmysql-develp-cpe:/a:mandriva:linux:libmysql-devel
mandrivalinuxlibmysql-static-develp-cpe:/a:mandriva:linux:libmysql-static-devel
mandrivalinuxlibmysql16p-cpe:/a:mandriva:linux:libmysql16
mandrivalinuxmysqlp-cpe:/a:mandriva:linux:mysql
mandrivalinuxmysql-benchp-cpe:/a:mandriva:linux:mysql-bench
mandrivalinuxmysql-clientp-cpe:/a:mandriva:linux:mysql-client
mandrivalinuxmysql-commonp-cpe:/a:mandriva:linux:mysql-common

Vendor	Product	Version	CPE
mandriva	linux	lib64mysql-devel	p-cpe:/a:mandriva:linux:lib64mysql-devel
mandriva	linux	lib64mysql-static-devel	p-cpe:/a:mandriva:linux:lib64mysql-static-devel
mandriva	linux	lib64mysql16	p-cpe:/a:mandriva:linux:lib64mysql16
mandriva	linux	libmysql-devel	p-cpe:/a:mandriva:linux:libmysql-devel
mandriva	linux	libmysql-static-devel	p-cpe:/a:mandriva:linux:libmysql-static-devel
mandriva	linux	libmysql16	p-cpe:/a:mandriva:linux:libmysql16
mandriva	linux	mysql	p-cpe:/a:mandriva:linux:mysql
mandriva	linux	mysql-bench	p-cpe:/a:mandriva:linux:mysql-bench
mandriva	linux	mysql-client	p-cpe:/a:mandriva:linux:mysql-client
mandriva	linux	mysql-common	p-cpe:/a:mandriva:linux:mysql-common