Gentoo 200309-08: mysql buffer overflow

by Nikola Strahija on September 15th, 2003

MySQL, a popular relational database system, contains a buffer overflow condition which could be exploited by a user who has permission to execute "ALTER TABLE" commands on the tables in the "mysql" database. If successfully exploited, this vulnerability could allow the attacker to execute arbitrary code with the privileges of the mysqld process (by default, user "mysql").


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-08
- - - ---------------------------------------------------------------------

PACKAGE : mysql
SUMMARY : buffer overflow
DATE : 2003-09-15 10:00 UTC
EXPLOIT : remote
VERSIONS AFFECTED : =mysql-4.0.14-r2(masked)
FIXED VERSION : >=mysql-3.23.57-r1 >=mysql-4.0.13-r4 >=mysql-4.0.14-r2(masked)
CVE : CAN-2003-0780

- - - ---------------------------------------------------------------------

quote from advisory:

"Anyone with global administrative privileges on a MySQL server may
execute arbitrary code even on a host he isn't supposed to have a shell
on, with the privileges of the system account running the MySQL server."

read the full advisory at:
http://www.securityfocus.com/archive/1/337012

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-db/mysql upgrade to either one of these versions:

3.23.x - mysql-3.23.57-r1
4.0.x - mysql-4.0.13-r4 OR
mysql-4.0.14-r2 if accepting "~" keywords.

emerge sync
emerge =dev-db/mysql/
emerge clean

- - - ---------------------------------------------------------------------
[email protected] - GnuPG key is available at http://dev.gentoo.org/~aliz
[email protected]
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/ZY3cfT7nyhUpoZMRAjpJAJ0ZTUg/pJxdsWeIpxTJX/cDMatkEQCeKmFU
GGrAKtwqtPNuiguwyhelHys=
=uFLV
-----END PGP SIGNATURE-----
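
The following is an added example, not part of the Gentoo advisory: a small Python check that classifies installed dev-db/mysql versions against the FIXED VERSION line above. It assumes plain X.Y.Z[-rN] version strings and reads the separate 4.0.14-r2 entry as meaning that 4.0.14 revisions below r2 still need the upgrade; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed versions, copied from the advisory's FIXED VERSION line:
# upstream version -> minimum Gentoo revision (-rN) that carries the fix.
FIXED = {
    (3, 23): {(3, 23, 57): 1},
    (4, 0): {(4, 0, 13): 4, (4, 0, 14): 2},
}

# Simplified pattern (assumption): plain X.Y.Z with an optional -rN suffix.
# Portage's full version grammar (_p, _rc, letter suffixes) is not handled.
ATOM = re.compile(r"^(?:dev-db/)?mysql-(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def check(atom):
    """Return 'fixed', 'needs-upgrade' or 'unknown' for one package string."""
    m = ATOM.match(atom.strip())
    if not m:
        return "unknown"  # unparseable: flag for manual review
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    rev = int(m[4] or 0)  # no -rN suffix means revision 0
    branch = FIXED.get((major, minor))
    if branch is None:
        return "unknown"  # branch not mentioned in the advisory
    version = (major, minor, patch)
    if version in branch:
        # Same upstream version: only the Gentoo revision decides.
        return "fixed" if rev >= branch[version] else "needs-upgrade"
    # Otherwise compare against the newest fixed upstream version listed.
    return "fixed" if version > max(branch) else "needs-upgrade"


def audit(atoms):
    """Map each package string to its status."""
    return {a: check(a) for a in atoms}


# Constructed inventory, e.g. collected from several hosts.
SAMPLE = [
    "dev-db/mysql-3.23.56",
    "dev-db/mysql-3.23.57-r1",
    "dev-db/mysql-4.0.13-r3",
    "dev-db/mysql-4.0.14-r1",
    "dev-db/mysql-4.0.14-r2",
    "dev-db/mysql-4.1.0",
]

if __name__ == "__main__":
    for atom, status in audit(SAMPLE).items():
        print(f"{status:14} {atom}")
```

Note that 4.0.14-r1 is reported as needing the upgrade even though a naive ">= 4.0.13-r4" comparison would accept it.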

