J-Security Center

Title: MySQL User-Defined Function Buffer Overflow Vulnerability

Severity: HIGH

Description:

MySQL is prone to a buffer-overflow vulnerability. The application fails to perform sufficient boundary checks on data supplied as an argument in a user-defined function.

The vulnerability exists in the 'init_syms()' function. This function will copy the name of the user-defined function into a finite stack-based buffer without sufficient bounds checking on the size of the source data. This could cause adjacent stack memory to be corrupted with 14 bytes of user-specified data and 8 bytes of hard-coded data. Reportedly, on architectures where the stack grows upwards, this could corrupt program-control variables.

A database user with sufficient access to create a user-defined function can exploit this issue. Attackers may also be able to exploit this issue through latent SQL-injection vulnerabilities in third-party applications that use the database as a backend.

Successful exploits will allow arbitrary code to run in the context of the database server process.

Affected Products:

  • Avaya Interactive Response 2.0
  • Avaya Interactive Response 3.0
  • Conectiva Linux 10.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Linux kernel 2.4.19
  • Linux kernel 2.4.21
  • Linux kernel 2.6.5
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MySQL AB MySQL 3.22.25
  • MySQL AB MySQL 3.23.49
  • MySQL AB MySQL 4.0.0.0
  • MySQL AB MySQL 4.0.1
  • MySQL AB MySQL 4.0.10
  • MySQL AB MySQL 4.0.11
  • MySQL AB MySQL 4.0.11 -gamma
  • MySQL AB MySQL 4.0.12
  • MySQL AB MySQL 4.0.13
  • MySQL AB MySQL 4.0.14
  • MySQL AB MySQL 4.0.15
  • MySQL AB MySQL 4.0.18
  • MySQL AB MySQL 4.0.2
  • MySQL AB MySQL 4.0.20
  • MySQL AB MySQL 4.0.21
  • MySQL AB MySQL 4.0.23
  • MySQL AB MySQL 4.0.24
  • MySQL AB MySQL 4.0.3
  • MySQL AB MySQL 4.0.4
  • MySQL AB MySQL 4.0.5
  • MySQL AB MySQL 4.0.5 A
  • MySQL AB MySQL 4.0.6
  • MySQL AB MySQL 4.0.7
  • MySQL AB MySQL 4.0.7 -gamma
  • MySQL AB MySQL 4.0.8
  • MySQL AB MySQL 4.0.8 -gamma
  • MySQL AB MySQL 4.0.9
  • MySQL AB MySQL 4.0.9 -gamma
  • MySQL AB MySQL 4.1.0-0
  • MySQL AB MySQL 4.1.0.0-alpha
  • MySQL AB MySQL 4.1.10a
  • MySQL AB MySQL 4.1.11a
  • MySQL AB MySQL 4.1.2 -alpha
  • MySQL AB MySQL 4.1.3 -0
  • MySQL AB MySQL 4.1.3 -beta
  • MySQL AB MySQL 4.1.3 -beta
  • MySQL AB MySQL 4.1.4
  • MySQL AB MySQL 4.1.5
  • MySQL AB MySQL 5.0.0 .0-0
  • MySQL AB MySQL 5.0.0 .0-alpha
  • MySQL AB MySQL 5.0.1
  • MySQL AB MySQL 5.0.2
  • MySQL AB MySQL 5.0.3
  • MySQL AB MySQL 5.0.4
  • OpenPKG OpenPKG 1.3.0
  • OpenPKG OpenPKG Current
  • RedHat Fedora Core3
  • RedHat Fedora Core4
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 7.3.0 i686
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux Enterprise Server 7
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • S.u.S.E. Linux Personal 9.3.0
  • S.u.S.E. Linux Personal 9.3.0 x86_64
  • S.u.S.E. Linux Professional 8.2.0
  • S.u.S.E. Linux Professional 9.0.0
  • S.u.S.E. Linux Professional 9.0.0 x86_64
  • S.u.S.E. Linux Professional 9.1.0
  • S.u.S.E. Linux Professional 9.1.0 x86_64
  • S.u.S.E. Linux Professional 9.2.0
  • S.u.S.E. Linux Professional 9.2.0 x86_64
  • S.u.S.E. Linux Professional 9.3.0
  • S.u.S.E. Linux Professional 9.3.0 x86_64
  • S.u.S.E. Open-Enterprise-Server 9.0.0
  • S.u.S.E. SUSE LINUX Retail Solution 8.0.0
  • S.u.S.E. SuSE Linux Openexchange Server 4.0.0
  • S.u.S.E. SuSE Linux School Server for i386
  • S.u.S.E. SuSE Linux Standard Server 8.0.0
  • S.u.S.E. cvsup-16.1h-36.i586.rpm 0.0.0
  • SCO Unixware 7.1.4
  • Sun Solaris 10
  • Sun Solaris 10.0
  • Sun Solaris 10.0_x86
  • Sun Solaris 10_sparc
  • Sun Solaris 10_x86
  • Trustix Secure Linux 2.0.0
  • Turbolinux Appliance Server 1.0.0 Hosting Edition
  • Turbolinux Appliance Server 1.0.0 Workgroup Edition
  • Turbolinux Appliance Server 2.0
  • Turbolinux Appliance Server Hosting Edition 1.0.0
  • Turbolinux Appliance Server Workgroup Edition 1.0.0
  • Turbolinux Home
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux FUJI
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 10.0.0 x86
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 5.0.0 4 amd64
  • Ubuntu Ubuntu Linux 5.0.0 4 i386
  • Ubuntu Ubuntu Linux 5.0.0 4 powerpc
  • Ubuntu Ubuntu Linux 5.10.0 amd64
  • Ubuntu Ubuntu Linux 5.10.0 i386
  • Ubuntu Ubuntu Linux 5.10.0 powerpc

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.