Gentoo Logo

MySQL: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200608-09 / mysql
Release Date August 06, 2006
Latest Revision August 07, 2006: 02
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
dev-db/mysql < 4.1.21 >= 4.1.21, < 4.1.0 All supported architectures

Related bugreports: #142429

Synopsis

An authenticated user can crash MySQL through invalid parameters to the date_format function.

2.  Impact Information

Background

MySQL is a popular multi-threaded, multi-user SQL server.

Description

Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function.

Impact

By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All MySQL users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --verbose --oneshot ">=dev-db/mysql-4.1.21"

4.  References



Print

Page updated August 06, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.