While performing an audit of MySQL e-matters found several problems: signed/unsigned problem in COM_TABLE_DUMP Two sizes were taken as signed integers from a request and then cast to unsigned integers without checking for negative numbers. Since the resulting numbers where used for a memcpy() operation this could lead to memory corruption. Password length handling in COM_CHANGE_USER When re-authenticating to a different user MySQL did not perform all checks that are performed on initial authentication. This created two problems: it allowed for single-character password brute forcing (as was fixed in February 2000 for initial login) which could be used by a normal user to gain root privileges to the database it was possible to overflow the password buffer and force the server to execute arbitrary code read_rows() overflow in libmysqlclient When processing the rows returned by a SQL server there was no check for overly large rows or terminating NUL characters. This can be used to exploit SQL clients if they connect to a compromised MySQL server. read_one_row() overflow in libmysqlclient When processing a row as returned by a SQL server the returned field sizes were not verified. This can be used to exploit SQL clients if they connect to a compromised MySQL server. For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2 and version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato. We recommend that you upgrade your mysql packages as soon as possible.
While performing an audit of MySQL e-matters found several problems:
For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2 and version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato.
We recommend that you upgrade your mysql packages as soon as possible.
MD5 checksums of the listed files are available in the original advisory.
Vulmon