tags 375694 + confirmed upstream security
forwarded 375694 http://bugs.mysql.com/?id=20729
severity 375694 grave
stop
Hello Jean-David
On 2006-06-27 Maillefer Jean-David wrote:
> The bug can be reproduced by entering the following SQL code:
> select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
>
> It's not correct SQL, and I expect a syntax error, but it should not
> crash the server!
>
> I think it can be simplified to:
> select date_format('%d%s', 1);
It's indeed a DoS. As far as I have tried, 3.23 (woody), 4.0 (sarge) and 5.0 (sid)
are not vulnerable, only 4.1 (sarge). I will try the latest 4.1 version
tomorrow; if it is ok, then we might find a corresponding patch.
Did you find this bug yourself and did you already report it to MySQL?
I've just opened MySQL Bug #20729 for this. But we need to know whether somebody
else has already asked for a CVE security bug id.
Security Team: As you have not yet released
#373913: SECURITY: CAN-2006-3081: str_to_date(1,NULL) crashes the server
(btw, why? What stalls it?), we could merge those two date bugs, or?
Oh, of course I tested the new bug with the not yet released and patched
version of mysql 4.1 :) Sadly the patch does not fix both problems.
bye,
-christian-