Bug 7996 - mariadb new possible security issues fixed in mysql 5.5.28
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/522961/
Whiteboard: MGA1TOO MGA1-64-OK MGA1-32-OK MGA2-64...
Keywords: validated_update
Reported: 2012-11-06 16:25 CET by David Walser
Modified: 2012-11-23 21:41 CET (History)
Source RPM: mariadb, mysql
Description David Walser 2012-11-06 16:25:14 CET
Ubuntu has issued an advisory on November 5:
http://www.ubuntu.com/usn/usn-1621-1/

It lists several CVEs fixed in MySQL 5.5.28, which are also listed at the bottom of this page:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

If any of these affect MariaDB (and they likely do), we should issue an update.
Comment 1 AL13N 2012-11-06 17:52:08 CET
actually, i'm in a private security mailing list about mariadb, and the list at the bottom of the page you specified has only 3 of them that have relation to 5.5.27, the others are earlier, and i constantly keep up2date with security and major bugfixes on the stable version of mga2.

==> so, they don't likely do :-)

that being said, i forwarded this to mariadb, and they are going to do a short summary soon-ish, so i can look them over and see if we already have patches for them or not.

i'm removing mga1too, since at mga1too, we don't have mariadb, but there is mysql.
Comment 2 David Walser 2012-11-06 18:01:38 CET
(In reply to comment #1)
> i'm removing mga1too, since at mga1too, we don't have mariadb, but there is
> mysql.

This is true, but contrary to popular opinion, Mageia 1 is still supported.  I'll CC tmb since I think he's helped with the updates for mysql.  Of course, if we update that to 5.5.28 we'll have a version upgrade issue, so we need to work together to figure out how to handle this.
Comment 3 David Walser 2012-11-06 18:03:13 CET
Also, we only have 5.5.25 of MariaDB in Mageia 2, so issues in relation to just 5.5.27 may not cover everything.
Comment 4 AL13N 2012-11-06 19:33:51 CET
as i said, i have kept up2date and decided with each subrelease if we needed to patch mga2 or update. AND mariadb people will post me a summary, just in case we forgot some.

also, when i removed MGA1too, i meant that the package is different and thus should need a different bug report. however, of course it would be interesting to work together on this.
Comment 5 David Walser 2012-11-06 20:41:46 CET
Well yes, you're absolutely right.  For now, I'd like to stick with one bug report until we actually have packages to push to QA.
Comment 6 AL13N 2012-11-12 22:12:07 CET
Oracle really annoys me to no end... most in that list have really no business being security bugs imho...

anyway, i fixed 2 from a modified patch (getting rid of the features which are bunched in the same commit) for mga2 and i'd like just that one tested and fixed.

cauldron will get 5.5.28 after alpha3 release, so, don't wait on that.

for mga1; maybe someone would like to backport the patches from mga2 mariadb to mysql.

mariadb-5.5.25-2.3

Security Advisory:
------------------
This Update fixes CVE-2012-3147 and CVE-2012-3158 which are both checking validity of certain values in protocols.
Comment 7 David Walser 2012-11-13 14:07:53 CET
Maarten, I don't quite understand what the advisory above is saying.

Packages built for this update:
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2
Comment 8 AL13N 2012-11-13 20:05:05 CET
there's 2 CVEs fixed in this release, which check certain fields of protocols for valid values

- length of next field not being negative
- in certain conditions the length should be exactly 6

how should the Sec Adv be reworded?

should i say: unknown vectors have unknown effects on unknown service? :-)
Comment 9 David Walser 2012-11-14 00:03:05 CET
It's just the way it was worded didn't make sense.  Still not sure what you mean by "protocols."  I'm guessing if it's listening as a TCP service, the protocol used for interacting with that has some input validation flaws.
Comment 10 AL13N 2012-11-14 11:14:05 CET
well, tbh, i'm not exactly certain which protocols they are, but i'm pretty sure it'll likely be some kind of networking protocol
Comment 11 AL13N 2012-11-14 11:15:08 CET
but since at least one of them is related to plugin authentication, it may just be the API with the auth plugin modules (like pam_auth)
Comment 12 David Walser 2012-11-15 18:58:11 CET
The Ubuntu advisory didn't mention a few CVEs that are mentioned by Red Hat.

Red Hat has issued an advisory on November 14:
https://rhn.redhat.com/errata/RHSA-2012-1462.html

from http://lwn.net/Vulnerabilities/525256/

Are any of these relevant or interesting to us?
CVE-2012-0540 CVE-2012-1689 CVE-2012-1734 CVE-2012-2749
Comment 13 AL13N 2012-11-15 19:36:05 CET
CVE-2012-0540: 5.5.23 and earlier
CVE-2012-1689: 5.5.22 and earlier
CVE-2012-1734: 5.5.23 and earlier
CVE-2012-2749: before 5.5.24

so no, quite old CVEs, it looks like redhat security really is subpar
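
Added example, not part of the original thread: a version-range triage of the ranges quoted in comment 13 against the upstream versions in this report's package names (5.5.25 for the Mageia 2 mariadb, 5.5.23 for the Mageia 1 mysql). A hit only means the version number falls inside the quoted range; these packages are patched without a version bump, so a hit calls for a changelog check, not a verdict.

```python
import re

# Affected ranges exactly as quoted in comment 13 of this report.
AFFECTED = {
    "CVE-2012-0540": "5.5.23 and earlier",
    "CVE-2012-1689": "5.5.22 and earlier",
    "CVE-2012-1734": "5.5.23 and earlier",
    "CVE-2012-2749": "before 5.5.24",
}

# Upstream versions taken from the package names in this report
# (the dictionary keys are labels chosen for this example).
SHIPPED = {
    "mariadb (Mageia 2)": "5.5.25",
    "mysql (Mageia 1)": "5.5.23",
}

def vtuple(version):
    """Turn '5.5.23' into (5, 5, 23) so comparison is numeric, not textual."""
    return tuple(int(part) for part in version.split("."))

def parse_range(text):
    """Return (bound, inclusive) for the two phrasings used in the thread."""
    text = text.strip()
    m = re.fullmatch(r"(\d+(?:\.\d+)+) and earlier", text)
    if m:
        return vtuple(m.group(1)), True
    m = re.fullmatch(r"before (\d+(?:\.\d+)+)", text)
    if m:
        return vtuple(m.group(1)), False
    # Refuse to guess: an unparsed range must not silently count as "safe".
    raise ValueError(f"unrecognised range: {text!r}")

def in_range(version, text):
    bound, inclusive = parse_range(text)
    v = vtuple(version)
    return v <= bound if inclusive else v < bound

def triage(shipped=SHIPPED, affected=AFFECTED):
    """Map each package to the CVEs whose range covers its upstream version."""
    return {
        pkg: sorted(cve for cve, rng in affected.items() if in_range(ver, rng))
        for pkg, ver in shipped.items()
    }

if __name__ == "__main__":
    for pkg, cves in triage().items():
        print(pkg, "->", ", ".join(cves) or "none by version number")
```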
Comment 14 AL13N 2012-11-15 20:50:47 CET
in the meantime cauldron now has 5.5.28, looks like the splitting is on hold for 10.x due to some missing functionality, but i have confirmation that the missing functionality should be done quite soon.

is mga2 mariadb validated already?
Comment 15 David Walser 2012-11-15 20:55:23 CET
Does 5.5.28 fix all of these issues?  If so we can change the version assignments on the bug.  The Mageia 2 package hasn't been pushed to QA yet.  Thomas also has yet to comment on how to handle Mageia 1 (although I'm guessing it's wait 2 weeks, then don't fix it :o).  We can push to QA soon, although I'll let them know it's testable now (meeting starts in a few minutes).
Comment 16 AL13N 2012-11-15 21:26:39 CET
mariadb has mysql merges from 5.5.28, so, it has at least all fixes reported by oracle CVEs. which come hugely late anyway.

i suspect the mga1 sec fix is to wait 2 weeks and after that it's, upgrade to mariadb in mga2
Comment 17 David Walser 2012-11-15 21:38:38 CET
Indeed.  Changing the version assignment.  Do you have a finalized advisory you would like to use for the update?
Comment 18 AL13N 2012-11-15 21:54:22 CET
that one i had in previous comment is ok, but if it can be worded better, you may change it if you want to.
Comment 19 Thomas Backlund 2012-11-16 19:21:18 CET
Please hold off validating this one for a day or so, I'm going to review what has to be done for mysql in mga1.

If I have to bump version, this update will have to adapt to keep upgrade path...
Comment 20 AL13N 2012-11-16 19:25:22 CET
you could just get all the patches from mga2 to mga1, they will likely work
Comment 21 David Walser 2012-11-22 02:39:52 CET
The patch that was just added to mariadb works just fine for mysql.

Patched package uploaded for Mageia 1.

Packages built:
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1

from mysql-5.5.23-1.2.mga1.src.rpm
Comment 22 David Walser 2012-11-22 03:10:13 CET
Assigning to QA.  Thanks again Maarten.

How's this for a vague, yet specific advisory?  :o)

Using one bug since it's the same patch, same advisory, basically the same software, and the same testing procedure.  Can be split if need be.

Advisory:
========================

Updated mariadb and mysql packages fix security vulnerabilities:

Unspecified vulnerabilities that involve checking the validity of values
in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
========================

Updated packages in core/updates_testing:
========================
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2

from SRPMS:
mysql-5.5.23-1.2.mga1.src.rpm
mariadb-5.5.25-2.3.mga2.src.rpm
Comment 23 David Walser 2012-11-22 03:11:28 CET
Re-posting the advisory, adding the Oracle reference.

Advisory:
========================

Updated mariadb and mysql packages fix security vulnerabilities:

Unspecified vulnerabilities that involve checking the validity of values
in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
========================

Updated packages in core/updates_testing:
========================
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2

from SRPMS:
mysql-5.5.23-1.2.mga1.src.rpm
mariadb-5.5.25-2.3.mga2.src.rpm
Comment 24 Dave Hodgins 2012-11-22 03:42:11 CET
Testing complete on Mageia 1 i586 and x86-64.

No poc, so just testing that mysql is working, using phpmyadmin.

I'll test Mageia 2 shortly.
Comment 25 Dave Hodgins 2012-11-22 03:54:52 CET
Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
mysql-5.5.23-1.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mariadb and mysql packages fix security vulnerabilities:

Unspecified vulnerabilities that involve checking the validity of values
in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

https://bugs.mageia.org/show_bug.cgi?id=7996
Comment 26 Thomas Backlund 2012-11-23 21:41:51 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0341
