MySQL vulnerability

From: "Thomas G. Lockhart"
Date:
I found this item on a list of security vulnerabilities:

mysql(1114) Remote stack overflow, create world-writable root-owned
files

(Port 1114 is mysql's listening port). I guess Postgres doesn't have a
vulnerability for root ownership since nothing we do is run under the
root account, right?

Are we vulnerable to stack or buffer overflows with our on the wire
protocol?
                  - Tom


Re: [HACKERS] MySQL vulnerability

From: Tom Lane
Date:
"Thomas G. Lockhart" <lockhart@alumni.caltech.edu> writes:
> I found this item on a list of security vulnerabilities:
> mysql(1114) Remote stack overflow, create world-writable root-owned
> files
> (Port 1114 is mysql's listening port). I guess Postgres doesn't have a
> vulnerability for root ownership since nothing we do is run under the
> root account, right?

Not unless someone ignores the instructions and installs it to run as
root :-(

> Are we vulnerable to stack or buffer overflows with our on the wire
> protocol?

The postmaster seems to be secure against that --- pqpacket.c will
reject oversize packets out of hand.  The backend used to have an
off-by-one bug in pq_getstr, such that an overlength query would write
one byte past the end of the query buffer, but that's been fixed (it'd
be hard to exploit anyway).  libpq is careful about this sort of
thing also, although I suspect you could force a client application
crash by sending a query response large enough to exhaust memory :-(

Of course, a bad guy who's able to get past the postmaster's
authorization checks can do you far more damage by messing up your
database than by just crashing a particular backend or client...
        regards, tom lane


Re: [HACKERS] MySQL vulnerability

From: Goran Thyni
Date:
"Thomas G. Lockhart" wrote:
> Are we vulnerable to stack or buffer overflows with our on the wire
> protocol?

There are lots of sprintf and such in there, 
which are potential stack overflows.

A security audit should be a good thing, but it is a very time-consuming
(and not very fun) task in a complex system like an RDBMS.
regards,
-- 
-----------------
Göran Thyni
This is Penguin Country. On a quiet night you can hear Windows NT
reboot!
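Both replies above turn on the same defensive point: a length check at the packet boundary (Tom Lane's "reject oversize packets out of hand"), a string reader that reserves room for its terminator (the pq_getstr off-by-one he mentions), and bounded formatting in place of the sprintf calls Göran flags. The C below is an added illustration of those three checks, not PostgreSQL's own code; MAX_PACKET_LEN, packet_len_ok, getstr_off_by_one, getstr_bounded and format_bounded are hypothetical names, and the "SELECT 1" input is constructed for the demonstration. The buggy reader is run against a buffer that deliberately has one spare byte, so the out-of-bounds terminator lands on a canary instead of on unrelated memory.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical bound on a wire packet; the real value is not on the page. */
#define MAX_PACKET_LEN 8192

/* Check 1: postmaster-style length gate. The packet carries a length prefix;
 * anything outside [4, MAX_PACKET_LEN] is refused before a single byte is
 * copied, so the copy code below never sees an oversize packet. */
int packet_len_ok(uint32_t declared_len) {
    return declared_len >= 4 && declared_len <= MAX_PACKET_LEN;
}

/* Check 2a: the off-by-one pattern the thread describes. The reader copies up
 * to 'size' bytes and then writes the terminator. When the input is exactly
 * 'size' bytes long, the terminator lands at buf[size], one past the end. */
size_t getstr_off_by_one(const char *in, size_t inlen, char *buf, size_t size) {
    size_t n = inlen < size ? inlen : size;   /* wrong: n may equal size */
    memcpy(buf, in, n);
    buf[n] = '\0';                            /* n == size writes past buf */
    return n;
}

/* Check 2b: corrected reader. Data plus terminator must fit in 'size';
 * otherwise the caller gets -1 and can reject the over-long query rather
 * than work with a silently truncated one. */
int getstr_bounded(const char *in, size_t inlen, char *buf, size_t size) {
    if (size == 0) return -1;
    if (inlen >= size) {          /* no room for the terminator */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, in, inlen);
    buf[inlen] = '\0';
    return (int)inlen;
}

/* Check 3: snprintf in place of sprintf. Never writes past 'size'; returns 1
 * if the whole message fit, 0 if it had to be truncated. */
int format_bounded(char *out, size_t size, const char *user, int pid) {
    int n = snprintf(out, size, "user=%s pid=%d", user, pid);
    return n >= 0 && (size_t)n < size;
}

/* Demonstration: an 8-byte "buffer" followed by a canary byte. The buggy
 * reader, told the buffer is 8 bytes, clobbers the canary with its NUL. */
int demo_canary_hit(void) {
    char buf[9];
    memset(buf, 0, sizeof buf);
    buf[8] = (char)0xAA;                      /* canary just past the buffer */
    const char *in = "SELECT 1";              /* constructed: exactly 8 bytes */
    getstr_off_by_one(in, strlen(in), buf, 8);
    return (unsigned char)buf[8] != 0xAA;     /* 1 means the canary was hit */
}

/* Same input through the bounded reader: refused instead of overflowing. */
int demo_bounded_rejects(void) {
    char buf[8];
    const char *in = "SELECT 1";
    return getstr_bounded(in, strlen(in), buf, sizeof buf) == -1;
}

int main(void) {
    char line[64];
    printf("packet 100000 accepted: %d\n", packet_len_ok(100000));
    printf("off-by-one reader hit canary: %d\n", demo_canary_hit());
    printf("bounded reader rejected input: %d\n", demo_bounded_rejects());
    printf("format fit in 64 bytes: %d\n", format_bounded(line, sizeof line, "alice", 42));
    return 0;
}
```

The point of reporting truncation (rather than silently cutting the string, as snprintf alone does) is that a truncated query or log line is itself a correctness problem; the caller should treat it as a protocol error, which is what the length gate in packet_len_ok does one layer earlier.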