mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature

Debian Bug report logs - #706715
mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature

Date: Fri, 3 May 2013 19:01:40 +0300

[Message part 1 (text/plain, inline)]

Package: mysql-server
Version: 5.5.30+dfsg-1.1
Severity: important
Tags: security

mysql> select astext(0x0100000000030000000100000000000010);
ERROR 2013 (HY000): Lost connection to MySQL server during query

More information: http://osvdb.org/91415

---
Henri Salo

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 706715@bugs.debian.org (full text, mbox, reply):

From: Simon Frankenberger <simon@wf-hosting.de>

To: <706715@bugs.debian.org>

Subject: Re: mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature

Date: Tue, 14 May 2013 12:18:24 +0200

Issue can not be reproduced using latest mysql-server-5.1 on Squeeze:

>Server version: 5.1.66-0+squeeze1 (Debian)
>
>Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights 
> reserved.
>
>Oracle is a registered trademark of Oracle Corporation and/or its
>affiliates. Other names may be trademarks of their respective
>owners.
>
>Type 'help;' or '\h' for help. Type '\c' to clear the current input 
> statement.
>
>mysql> select astext(0x0100000000030000000100000000000010);
>>ERROR 5 (HY000): Out of memory (Needed 4026531856 bytes)
>mysql> SELECT 1;
>>+---+
>>| 1 |
>>+---+
>>| 1 |
>>+---+
>>1 row in set (0.00 sec)

Regards,
Simon

Message #21 received at 706715@bugs.debian.org (full text, mbox, reply):

From: Simon Frankenberger <simon@wf-hosting.de>

To: 706715@bugs.debian.org

Subject: Re: Bug#706715: Info received (mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature)

Date: Thu, 22 Aug 2013 09:07:54 +0200

Hi,

just testet this bug against latest 5.5 from wheezy,
this version is still affected:

------- SNIP -------
Server version: 5.5.31-0+wheezy1-log (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights 
reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input 
statement.

mysql>  select astext(0x0100000000030000000100000000000010);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> SELECT 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: *** NONE ***

+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)
------- SNIP -------


Content of /var/log/mysql.err:
------- SNIP -------
07:02:08 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this 
binary
or one of the libraries it was linked against is corrupt, improperly 
built,
or misconfigured. This error can also be caused by malfunctioning 
hardware.
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

key_buffer_size=2097152
read_buffer_size=131072
max_used_connections=6
max_threads=151
thread_count=4
connection_count=4
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 
332346 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f30cc60e430
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f30b8846e80 thread_stack 0x30000
/usr/sbin/mysqld(my_print_stacktrace+0x29)[0x7f30ca615569]
/usr/sbin/mysqld(handle_fatal_signal+0x3d8)[0x7f30ca4fd748]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7f30c9caf030]
/usr/sbin/mysqld(_ZNK11Gis_polygon15get_data_as_wktEP6StringPPKc+0x100)[0x7f30ca5cb700]
/usr/sbin/mysqld(_ZN16Item_func_as_wkt13val_str_asciiEP6String+0x151)[0x7f30ca5515b1]
/usr/sbin/mysqld(_ZN13Item_str_func26val_str_from_val_str_asciiEP6StringS1_+0x17)[0x7f30ca55d577]
/usr/sbin/mysqld(_ZN4Item4sendEP8ProtocolP6String+0x3d)[0x7f30ca506f7d]
/usr/sbin/mysqld(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xc7)[0x7f30ca39f037]
/usr/sbin/mysqld(_ZN11select_send9send_dataER4ListI4ItemE+0x71)[0x7f30ca3da9e1]
/usr/sbin/mysqld(_ZN4JOIN4execEv+0x13f0)[0x7f30ca444750]
/usr/sbin/mysqld(_Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x11d)[0x7f30ca43f60d]
/usr/sbin/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x174)[0x7f30ca4456d4]
/usr/sbin/mysqld(+0x320464)[0x7f30ca3fe464]
/usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x1309)[0x7f30ca405189]
/usr/sbin/mysqld(+0x32a64e)[0x7f30ca40864e]
/usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x193b)[0x7f30ca40a7cb]
/usr/sbin/mysqld(_Z24do_handle_one_connectionP3THD+0x105)[0x7f30ca4a49b5]
/usr/sbin/mysqld(handle_one_connection+0x50)[0x7f30ca4a4ad0]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x6b50)[0x7f30c9ca6b50]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f30c85eaa7d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f30cc68faa0): select 
astext(0x0100000000030000000100000000000010)
Connection ID (thread ID): 12
Status: NOT_KILLED
------- SNIP -------

Regards,
Simon

Message #26 received at 706715@bugs.debian.org (full text, mbox, reply):

From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>

To: 706715@bugs.debian.org

Subject: Re: [debian-mysql] Bug#706715: Info received (mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature)

Date: Thu, 22 Aug 2013 10:24:19 +0200

This bug is fixed in MySQL 5.1.70, 5.5.32 and 5.6.12, cf. the July CPU.

Message #31 received at 706715@bugs.debian.org (full text, mbox, reply):

From: Clint Byrum <clint@ubuntu.com>

To: Norvald H. Ryeng <norvald.ryeng@oracle.com>

Cc: 706715 <706715@bugs.debian.org>

Subject: Re: [debian-mysql] Bug#706715: Bug#706715: Info received (mysql-server: CVE-2013-1861: Denial of service via a crafted geometry feature)

Date: Thu, 22 Aug 2013 09:00:24 -0700

Excerpts from Norvald H. Ryeng's message of 2013-08-22 01:24:19 -0700:
> This bug is fixed in MySQL 5.1.70, 5.5.32 and 5.6.12, cf. the July CPU.
> 

Right, working on 5.5.33 packages now, but dealing with a test failure.

Message #36 received at 706715-close@bugs.debian.org (full text, mbox, reply):

From: Clint Byrum <spamaps@debian.org>

To: 706715-close@bugs.debian.org

Subject: Bug#706715: fixed in mysql-5.5 5.5.33+dfsg-1

Date: Fri, 27 Sep 2013 01:48:58 +0000

Source: mysql-5.5
Source-Version: 5.5.33+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706715@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Byrum <spamaps@debian.org> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 26 Sep 2013 09:14:47 -0700
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.33+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Clint Byrum <spamaps@debian.org>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 678252 706715 707280 712730 719196
Changes: 
 mysql-5.5 (5.5.33+dfsg-1) unstable; urgency=low
 .
   * d/rules, d/control: Remove gcc-4.4 dependency and disable X86
     assembly in taocrypt. (Closes: #707280) (Closes: #678252)
   * d/patches/fix-mips64el-ftbfs.patch: Fix FTBFS on mips64el.
     (Closes: #719196) Thanks YunQuiang Su.
   * New upstream release.
     SECURITY UPDATE: CVE-2013-1861 CVE-2013-3783 CVE-2013-3793
     CVE-2013-3804 CVE-2013-3802 CVE-2013-3809 CVE-2013-3812
     (Closes: #706715) (Closes: #712730)
   * d/patches/work_around_failing_rpl_deadlock.patch: Test suite
     changes upstream have left some connections active. This
     patch fixes that. Thanks Kristian Nielsen!
   * d/patches/fix-racey-rpltests.patch: Fix from Oracle for failing
     tests.
Checksums-Sha1: 
 35fc1f7c8b4f09b3ca2f341effc8b41e0813cde2 2566 mysql-5.5_5.5.33+dfsg-1.dsc
 21da4790c6bb6fa1d2acdbe270c671b5d3bac9d2 21279667 mysql-5.5_5.5.33+dfsg.orig.tar.gz
 8bc4abb16990c695eb9b2e83f33f73163e4b04f5 307361 mysql-5.5_5.5.33+dfsg-1.debian.tar.gz
 87e9a6a3723e235982dabe501b75f5ac34eb5e02 79386 mysql-common_5.5.33+dfsg-1_all.deb
 723f234fb05c1915e0e96fe66c86dcec035158aa 77656 mysql-server_5.5.33+dfsg-1_all.deb
 46a0cd08ba3683ea2a66982b5dba08aa5d29f9da 77528 mysql-client_5.5.33+dfsg-1_all.deb
 82f5ee0afea1649aebf0a93c3d72be1f47a2d624 673208 libmysqlclient18_5.5.33+dfsg-1_amd64.deb
 3603839f228d6d6550101322502098efb3762d67 3165026 libmysqld-pic_5.5.33+dfsg-1_amd64.deb
 a3a4e35f42170c1d36c4187fe2b045c6a255c68b 3163218 libmysqld-dev_5.5.33+dfsg-1_amd64.deb
 939b7ad03957207c1972db7f67aeb4b9007363ed 945798 libmysqlclient-dev_5.5.33+dfsg-1_amd64.deb
 b2cdd6d39f455cb076923e4af4bff3fe4533e70d 1837902 mysql-client-5.5_5.5.33+dfsg-1_amd64.deb
 754f1c6d1fd986c9ba7bad47b6fa897ff35e934c 3789848 mysql-server-core-5.5_5.5.33+dfsg-1_amd64.deb
 407a63723dc9802e3fa46ba3a4a85d1ea3359ae9 1800260 mysql-server-5.5_5.5.33+dfsg-1_amd64.deb
 000d8f28bcd5e17e77541fb046813e791457116d 4258552 mysql-testsuite-5.5_5.5.33+dfsg-1_amd64.deb
 830efae4e5c9f36394db27644594103f56accfe1 22791016 mysql-source-5.5_5.5.33+dfsg-1_amd64.deb
Checksums-Sha256: 
 a822f044f6627df3c9e1029af8c82f66eb06052d83a48e099d8a3c4b125f7ba5 2566 mysql-5.5_5.5.33+dfsg-1.dsc
 d7b2653099791a036d4d77111de741d0419ff51e271ca66b83346ab378048a81 21279667 mysql-5.5_5.5.33+dfsg.orig.tar.gz
 0de84b638602239145b23b0259c858d218cc9d90ddc6a30ac2cd452e7e38d538 307361 mysql-5.5_5.5.33+dfsg-1.debian.tar.gz
 6db964e80ba04f89b5d478df1cb87023d80a6705eee9c76b4e86244b4d907e29 79386 mysql-common_5.5.33+dfsg-1_all.deb
 18f50141a266c91372e640b15ea28a0d1d6ad7975d94dd45790abf675ae55f5b 77656 mysql-server_5.5.33+dfsg-1_all.deb
 52eb6b977bb09041ceb30b309d8c9b6f90f610e2fb42a570a0518671d1de5838 77528 mysql-client_5.5.33+dfsg-1_all.deb
 8a0032d8da2131a5ae61d0e02b8d11f057a3860b71c2be1b91313099c19c7385 673208 libmysqlclient18_5.5.33+dfsg-1_amd64.deb
 6ca589d2b24bc65a4d01943f0c52d0986d950708f714d0785935870780fba9ff 3165026 libmysqld-pic_5.5.33+dfsg-1_amd64.deb
 33122a96254845ab68dce1b96b8bde3aa3954ebaf71c42c6dce7266ff75bef42 3163218 libmysqld-dev_5.5.33+dfsg-1_amd64.deb
 3814e1173f1192603356ce21a33de4cb060f7f07703f4ff192d51aade8ba298b 945798 libmysqlclient-dev_5.5.33+dfsg-1_amd64.deb
 55f19bd46bf34411003f2110250a90f710c056ed4af5a852705573e45be50240 1837902 mysql-client-5.5_5.5.33+dfsg-1_amd64.deb
 5e673a4f6796a95ea1394b64efcb1a9249af8e54c8e82b8309f32847a863db26 3789848 mysql-server-core-5.5_5.5.33+dfsg-1_amd64.deb
 2031a845486689dfba1100c76207c7347e557371b67a7926b8d985fe7ba42997 1800260 mysql-server-5.5_5.5.33+dfsg-1_amd64.deb
 daf744ebb3d3246ff6117bd5f293afa05612a8b4d9e8ae78e5d950a84eacda67 4258552 mysql-testsuite-5.5_5.5.33+dfsg-1_amd64.deb
 09c5fb0433bbec8449568ee7b447c7be3f42aad19f89f78b35a898790bb483f5 22791016 mysql-source-5.5_5.5.33+dfsg-1_amd64.deb
Files: 
 3e3de2ed920029846cd9fbcaf720f0d3 2566 database optional mysql-5.5_5.5.33+dfsg-1.dsc
 f35902e01453dd7eedb2a647c69b39ec 21279667 database optional mysql-5.5_5.5.33+dfsg.orig.tar.gz
 ee02d009625acbab242e111d7f0803ae 307361 database optional mysql-5.5_5.5.33+dfsg-1.debian.tar.gz
 7a2405684f22aa585baf29f58fd40f5e 79386 database optional mysql-common_5.5.33+dfsg-1_all.deb
 c855e0ad567090132122f9cc76246c1e 77656 database optional mysql-server_5.5.33+dfsg-1_all.deb
 a85b53bea30d8865f722548f5dde2cb5 77528 database optional mysql-client_5.5.33+dfsg-1_all.deb
 5bae53a025cd5be0c8e16eda6e5fc286 673208 libs optional libmysqlclient18_5.5.33+dfsg-1_amd64.deb
 eb22899877e9c0a33bc62f4e6b09fa81 3165026 libdevel optional libmysqld-pic_5.5.33+dfsg-1_amd64.deb
 2773fae84185bc5601137862251842ce 3163218 libdevel optional libmysqld-dev_5.5.33+dfsg-1_amd64.deb
 67d7aa8c2d73cf1a54386335f23dc740 945798 libdevel optional libmysqlclient-dev_5.5.33+dfsg-1_amd64.deb
 273dcffd362dd3cf6c18fac79b8255e9 1837902 database optional mysql-client-5.5_5.5.33+dfsg-1_amd64.deb
 75b3be34c70af9d028a50ef29f1cc39b 3789848 database optional mysql-server-core-5.5_5.5.33+dfsg-1_amd64.deb
 141cd7e448d0fa25b692c16683451569 1800260 database optional mysql-server-5.5_5.5.33+dfsg-1_amd64.deb
 3bebb842b48228968e1b775ba3730406 4258552 database optional mysql-testsuite-5.5_5.5.33+dfsg-1_amd64.deb
 7208202ea5d5e2f33dabda200b88fe3d 22791016 database optional mysql-source-5.5_5.5.33+dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJSRN/AAAoJEFOMB2b0vLOOSQ8IAKqxmdQATUpW90opcv+l+NLc
1/bgwujiutqhYQ6EOng52PO4Nt81xpXREIHP5UTSEnmVTSp6cSwQrVqMiQgAnPdo
srw0BjcrNJ7KGA2V3xYuLuFoq2khdJtM7rinYXpxsbDeHRUOCO0vLJMYRJdoctHi
1e2k15v7DwRvCFjqGjv5bf7LlhzFsFMuWliFV1bl/hRGFNVHxBvT8Xpa6L7Zl/dG
BtQDZqz2OJ5bBbUANsVMn/B9rvs50eccEK8zLCNJTye57Xu7JKHXY8ZXhdnIQp6M
5TThRqsDHn2vnF6CwG9Cpoz5khrMvch4nTqqLUw2Edk8Z6e1dXJG7Fl0qqJT+rU=
=dr4Y
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.