-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2002.706 -- Debian Security Advisory DSA-212-1
                      Multiple MySQL vulnerabilities
                             18 December 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                mysql
Vendor:                 Debian
Operating System:       Debian 2.2
                        Debian 3.0
                        Linux
                        UNIX
Impact:                 Root Compromise
                        Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-212-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December 17, 2002
- - ------------------------------------------------------------------------


Package        : mysql
Problem type   : multiple problems
Debian-specific: no
CVE references : CAN-2002-1373, CAN-2002-1374, CAN-2002-1375, CAN-2002-1376

While performing an audit of MySQL, e-matters found several problems:

* signed/unsigned problem in COM_TABLE_DUMP
  Two sizes were taken as signed integers from a request and then cast
  to unsigned integers without checking for negative numbers. Since the
  resulting numbers were used for a memcpy() operation, this could lead
  to memory corruption.

* Password length handling in COM_CHANGE_USER
  When re-authenticating to a different user MySQL did not perform
  all checks that are performed on initial authentication. This created
  two problems:
  * it allowed for single-character password brute forcing (as was fixed in
    February 2000 for initial login) which could be used by a normal user to
    gain root privileges to the database
  * it was possible to overflow the password buffer and force the server
    to execute arbitrary code

* read_rows() overflow in libmysqlclient
  When processing the rows returned by a SQL server there was no check
  for overly large rows or terminating NUL characters. This can be used
  to exploit SQL clients if they connect to a compromised MySQL server.

* read_one_row() overflow in libmysqlclient
  When processing a row as returned by a SQL server the returned field
  sizes were not verified. This can be used to exploit SQL clients if they
  connect to a compromised MySQL server.
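
An added illustration of the signed/unsigned size problem from the first
item above (example code written for this page, not MySQL's or Debian's; the
request layout, FIELD_CAP and all function names are constructed). The
hardened reader also checks each size against the bytes left in the packet,
the kind of verification the libmysqlclient items describe as missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 64  /* constructed buffer size, not a MySQL constant */

/* Flawed pattern: the size is held as a signed value, so a negative size
 * passes the upper-bound test and becomes huge once converted for memcpy().
 * Returns the byte count memcpy() would receive, or 0 if rejected. */
size_t flawed_copy_len(signed char len) {
    if (len > FIELD_CAP - 1)
        return 0;               /* only the "too big" case is caught */
    return (size_t)len;         /* -1 becomes SIZE_MAX */
}

/* Hardened: read one length-prefixed field. The size stays unsigned and is
 * checked against both the bytes left in the request and the destination. */
static int read_field(const unsigned char **p, size_t *left, char *dst) {
    size_t len;
    if (*left < 1)
        return -1;
    len = **p;                  /* 0..255, never negative */
    (*p)++; (*left)--;
    if (len > *left || len > FIELD_CAP - 1)
        return -1;
    memcpy(dst, *p, len);
    dst[len] = '\0';
    *p += len; *left -= len;
    return 0;
}

/* Parse a constructed request: [len][db name][len][table name].
 * Returns 0 on success, -1 if either size is inconsistent. */
int parse_dump_request(const unsigned char *req, size_t req_len,
                       char db[FIELD_CAP], char table[FIELD_CAP]) {
    if (read_field(&req, &req_len, db) != 0)
        return -1;
    return read_field(&req, &req_len, table);
}

int main(void) {
    const unsigned char bad[] = { 0xff, 't', 'e', 's', 't' }; /* constructed */
    char db[FIELD_CAP], table[FIELD_CAP];
    printf("flawed copy size: %zu\n", flawed_copy_len((signed char)-1));
    printf("hardened result:  %d\n", parse_dump_request(bad, sizeof bad, db, table));
    return 0;
}
```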

This has been fixed in version 3.23.49-8.2 for Debian GNU/Linux 3.0/woody
and in version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato.

We recommend that you upgrade your mysql packages as soon as possible.

- - ------------------------------------------------------------------------

Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

- - ------------------------------------------------------------------------

Debian 2.2 (oldstable)
- - ----------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.


Debian 3.0 (stable)
- - -------------------

  Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.

- - -- 
- - ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/xDHPLiSUC+jvC0RAkw+AJ4xoprUJ0T5Q3OFncabQq9ukq+lUgCdGWLR
W7WtjlpzfRic+x7KU6Mep2g=
=SnDI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPgBIQih9+71yA2DNAQGWwwQAmm+dULW47neYtQ45Jf1CS86nHNpq+sXJ
ybPdE+PaC1YVLP1LvsYWB+QH0iRJ5olmfkYrIG2rWS1ea22xTW0C2LFV/7NNNvmR
55rzNxzQbmwDIhgGmJxU/oueorBC8XqKdItBUatuUqn+BeVQMsL6WJ8+kF6wu6j/
LQn06vz51DY=
=ARll
-----END PGP SIGNATURE-----