Bug #42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
Submitted: 31 Jan 9:26 Modified: 16 Feb 18:07
Reporter: Shane Bester
Status: Closed
Category: Server: XML    Severity: S1 (Critical)
Version: 5.1.15, 5.1.30, 5.1.32-bzr, 6.0.9, 6.0.10-bzr    OS: Any
Assigned to: Sergey Gluhov    Target Version: 5.1.32
Tags: DoS, updatexml, ExtractValue
Triage: Triaged: D1 (Critical)

[31 Jan 9:26] Shane Bester
Description:
mysqld.exe!Item_nodeset_func::Item_nodeset_func()[item_xmlfunc.cc:161]
mysqld.exe!nametestfunc()[item_xmlfunc.cc:1006]
mysqld.exe!my_xpath_parse_NodeTest_QName()[item_xmlfunc.cc:2510]
mysqld.exe!my_xpath_parse_NameTest()[item_xmlfunc.cc:2526]
mysqld.exe!my_xpath_parse_NodeTest()[item_xmlfunc.cc:1799]
mysqld.exe!my_xpath_parse_AxisSpecifier_NodeTest_opt_Predicate_list()
mysqld.exe!my_xpath_parse_Step()[item_xmlfunc.cc:1708]
mysqld.exe!my_xpath_parse_RelativeLocationPath()[item_xmlfunc.cc:1625]
mysqld.exe!my_xpath_parse_PathExpr()[item_xmlfunc.cc:1978]
mysqld.exe!my_xpath_parse_UnionExpr()[item_xmlfunc.cc:1929]
mysqld.exe!my_xpath_parse_MultiplicativeExpr()[item_xmlfunc.cc:2266]
mysqld.exe!my_xpath_parse_AdditiveExpr()[item_xmlfunc.cc:2218]
mysqld.exe!my_xpath_parse_RelationalExpr()[item_xmlfunc.cc:2176]
mysqld.exe!my_xpath_parse_EqualityExpr()[item_xmlfunc.cc:2115]
mysqld.exe!my_xpath_parse_AndExpr()[item_xmlfunc.cc:2050]
mysqld.exe!my_xpath_parse_OrExpr()[item_xmlfunc.cc:2019]
mysqld.exe!my_xpath_parse()[item_xmlfunc.cc:2552]
mysqld.exe!Item_xml_str_func::fix_length_and_dec()[item_xmlfunc.cc:2593]
mysqld.exe!Item_func::fix_fields()[item_func.cc:199]
mysqld.exe!Item_str_func::fix_fields()[item_strfunc.cc:56]
mysqld.exe!setup_fields()[sql_base.cc:7387]
mysqld.exe!JOIN::prepare()[sql_select.cc:492]
mysqld.exe!mysql_select()[sql_select.cc:2341]
mysqld.exe!handle_select()[sql_select.cc:269]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4889]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2184]
mysqld.exe!mysql_parse()[sql_parse.cc:5791]
mysqld.exe!dispatch_command()[sql_parse.cc:1202]
mysqld.exe!do_command()[sql_parse.cc:857]
mysqld.exe!handle_one_connection()[sql_connect.cc:1115]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:295]
mysqld.exe!_threadstart()[thread.c:275]
kernel32.dll!BaseThreadStart()

How to repeat:
select updatexml('','0/a','');
select extractvalue('','0/a');
[31 Jan 16:55] Valeriy Kravchuk
Verified just as described on Windows XP SP2.
[3 Feb 8:25] Sergey Petrunya
Omer,

Are all crashes now DoSes? If not, could you please explain how this crash is special?
[3 Feb 8:26] Sergey Petrunya
In particular, why is this marked DoS, and http://bugs.mysql.com/bug.php?id=37740 isn't ??
[3 Feb 8:44] Valeriy Kravchuk
Verified with recent 5.1.32-bzr and 6.0.10-bzr.
[3 Feb 14:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65001

2768 Sergey Glukhov	2009-02-03
      Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
      Problem:
      RelativeLocationPath can appear only after a node-set expression
      in the third and the fourth branches of this rule:
        PathExpr :: =  LocationPath
                       | FilterExpr
                       | FilterExpr '/' RelativeLocationPath
                       | FilterExpr '//' RelativeLocationPath
      XPath code didn't check the type of FilterExpr and crashed.
      Fix:
      If FilterExpr is a scalar expression
      (variable reference, literal, number, scalar function call)
      return error.
[3 Feb 14:11] Alexander Barkov
The patch is ok to push.
[4 Feb 12:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65127

2770 Sergey Glukhov	2009-02-04
      Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
      Problem:
         RelativeLocationPath can appear only after a node-set expression
         in the third and the fourth branches of this rule:
           PathExpr :: =  LocationPath
                          | FilterExpr
                          | FilterExpr '/' RelativeLocationPath
                          | FilterExpr '//' RelativeLocationPath
         XPath code didn't check the type of FilterExpr and crashed.
      Fix:
         If FilterExpr is a scalar expression
         (variable reference, literal, number, scalar function call)
         return error.
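To make the type check described in the two commit messages above concrete, here is a small recursive-descent recogniser for the PathExpr production. This is an added example, not code from MySQL's item_xmlfunc.cc or from the patch; the names MiniXPath, PathResult and classify are invented for it, it covers only the grammar subset the bug touches (no axes or operators), and it simplifies by typing every function call as scalar, which the real parser does not. Each parse function returns the static type of what it recognised, so a '/' or '//' following a scalar FilterExpr is reported as an error rather than handed to the step parser that, in the unpatched server, built node-test items without a context and tripped the xpath->context assertion.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

enum class PathResult {
    NodeSet,        // evaluates to a node-set and may be followed by '/' RelativeLocationPath
    Scalar,         // literal, number, variable reference or (in this toy) any function call
    ScalarThenPath, // scalar FilterExpr followed by '/' or '//': reported instead of crashing
    SyntaxError
};

// Toy recogniser for the PathExpr subset relevant to Bug#42495 (hypothetical, not MySQL's parser).
class MiniXPath {
public:
    explicit MiniXPath(const std::string& s) : src_(s) {}
    PathResult parse() {
        PathResult r = pathExpr();
        if (rejected_) return PathResult::ScalarThenPath;
        if (r == PathResult::SyntaxError) return r;
        skipWs();
        return pos_ == src_.size() ? r : PathResult::SyntaxError;  // no trailing input allowed
    }
private:
    std::string src_; std::size_t pos_ = 0;
    bool rejected_ = false;  // sticky: set when the node-set check fails anywhere in the tree
    static bool isNameStart(char c) { return std::isalpha((unsigned char)c) || c == '_'; }
    static bool isNameChar(char c) { return isNameStart(c) || std::isdigit((unsigned char)c) || c == '-' || c == '.' || c == ':'; }
    char peek() const { return pos_ < src_.size() ? src_[pos_] : '\0'; }
    void skipWs() { while (std::isspace((unsigned char)peek())) ++pos_; }
    bool accept(char c) { skipWs(); if (peek() != c) return false; ++pos_; return true; }
    std::string qname() {  // simplified QName; "" when no name starts here
        skipWs();
        std::size_t start = pos_;
        while (isNameChar(peek()) && (pos_ > start || isNameStart(peek()))) ++pos_;
        return src_.substr(start, pos_ - start);
    }
    // PathExpr ::= LocationPath | FilterExpr
    //            | FilterExpr '/' RelativeLocationPath | FilterExpr '//' RelativeLocationPath
    PathResult pathExpr() {
        skipWs();
        if (startsLocationPath()) return locationPath() ? PathResult::NodeSet : PathResult::SyntaxError;
        PathResult kind = filterExpr();
        if (kind == PathResult::SyntaxError) return kind;
        skipWs();
        if (peek() != '/') return kind;
        // The check the fix adds: a path may only continue from a node-set FilterExpr.
        if (kind != PathResult::NodeSet) { rejected_ = true; return PathResult::SyntaxError; }
        ++pos_; if (peek() == '/') ++pos_;  // '/' or the '//' abbreviation
        return relativeLocationPath() ? PathResult::NodeSet : PathResult::SyntaxError;
    }
    bool startsLocationPath() {  // '/', '.', '*', '@' or a QName not followed by '(' (a FunctionCall)
        char c = peek();
        if (c == '/' || c == '.' || c == '*' || c == '@') return true;
        if (!isNameStart(c)) return false;
        std::size_t save = pos_; qname(); bool call = accept('('); pos_ = save;
        return !call;
    }
    bool locationPath() {  // ('/' | '//')? RelativeLocationPath; a bare '/' (the root) is also valid
        if (accept('/')) { if (peek() == '/') ++pos_; skipWs(); if (peek() == '\0') return true; }
        return relativeLocationPath();
    }
    bool relativeLocationPath() {  // Step (('/' | '//') Step)*
        if (!step()) return false;
        while (accept('/')) { if (peek() == '/') ++pos_; if (!step()) return false; }
        return true;
    }
    bool step() {  // ('.' | '..' | '*' | '@'? QName) ('[' Expr ']')*
        skipWs();
        if (peek() == '.') { ++pos_; if (peek() == '.') ++pos_; }
        else if (peek() == '*') ++pos_;
        else { if (peek() == '@') ++pos_; if (qname().empty()) return false; }
        while (accept('[')) if (pathExpr() == PathResult::SyntaxError || !accept(']')) return false;
        return true;
    }
    // FilterExpr ::= PrimaryExpr ; PrimaryExpr ::= '$' QName | '(' Expr ')' | Literal | Number | FunctionCall
    PathResult filterExpr() {
        char c = peek();
        if (c == '$') { ++pos_; return qname().empty() ? PathResult::SyntaxError : PathResult::Scalar; }
        if (c == '(') {  // parentheses keep the inner expression's type, so (/a)/b is allowed
            ++pos_; PathResult inner = pathExpr();
            return inner == PathResult::SyntaxError || !accept(')') ? PathResult::SyntaxError : inner;
        }
        if (c == '"' || c == '\'') {  // Literal
            std::size_t end = src_.find(c, pos_ + 1);
            if (end == std::string::npos) return PathResult::SyntaxError;
            pos_ = end + 1; return PathResult::Scalar;
        }
        if (std::isdigit((unsigned char)c)) {  // Number
            while (std::isdigit((unsigned char)peek()) || peek() == '.') ++pos_;
            return PathResult::Scalar;
        }
        if (qname().empty() || !accept('(')) return PathResult::SyntaxError;
        // FunctionCall: typed scalar here (simplification; MySQL's parser knows which functions
        // return node-sets), so string('x')/a is rejected just like 0/a.
        do { skipWs(); if (peek() == ')') break; if (pathExpr() == PathResult::SyntaxError) return PathResult::SyntaxError; } while (accept(','));
        return accept(')') ? PathResult::Scalar : PathResult::SyntaxError;
    }
};

PathResult classify(const std::string& xpath) { return MiniXPath(xpath).parse(); }
```

Calling classify with the two repro expressions, '0/a' and '0/a' as used by ExtractValue, yields ScalarThenPath, as do '$v/a', 'string(\'x\')/a' and the nested forms '(0)//a' and 'a[0/b]'; '/a', 'a/b', '(/a)/b' and '//a[1]/@id' are accepted as node-sets, while 'count(/a)' and a bare '0' are accepted as scalars because nothing follows them. The point of the sticky rejected_ flag is that the check runs at every PathExpr, including inside predicates and function arguments, not only at the top level.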
[9 Feb 23:34] Bugs System
Pushed into 5.1.32 (revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (version
source revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (merge vers: 5.1.32)
(pib:6)
[14 Feb 14:01] Bugs System
Pushed into 6.0.10-alpha (revid:matthias.leich@sun.com-20090212211028-y72faag15q3z3szy)
(version source revid:sergey.glukhov@sun.com-20090204123759-a3v1pwjukl5nkr8n) (merge vers:
6.0.10-alpha) (pib:6)
[16 Feb 18:07] Jon Stephens
Documented as a security fix in the 5.1.32 and 6.0.10 changelogs, as follows:

        Using an XPath expression employing a scalar expression as a
        FilterExpr with ExtractValue() or UpdateXML() caused the server
        to crash. Such expressions now cause an error instead.
[17 Feb 15:59] Bugs System
Pushed into 5.1.32-ndb-6.3.23 (revid:tomas.ulin@sun.com-20090217131017-6u8qz1edkjfiobef)
(version source revid:tomas.ulin@sun.com-20090216083408-rmvyaxjt6mk8sg1y) (merge vers:
5.1.32-ndb-6.3.23) (pib:6)
[17 Feb 17:47] Bugs System
Pushed into 5.1.32-ndb-6.4.3 (revid:tomas.ulin@sun.com-20090217134419-5ha6xg4dpedrbmau)
(version source revid:tomas.ulin@sun.com-20090216083646-m8st11oj1hhfuuh5) (merge vers:
5.1.32-ndb-6.4.3) (pib:6)
[17 Feb 19:23] Bugs System
Pushed into 5.1.32-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090217134216-5699eq74ws4oxa0j)
(version source revid:tomas.ulin@sun.com-20090211111208-wf0acl7c1vl5653e) (merge vers:
5.1.32-ndb-6.2.17) (pib:6)
[13 Mar 23:39] James Day
To exploit this you need a valid login account on the MySQL server that is authorised to
connect from the location from which the account is attempting the access, normally a
specified host with matching reverse DNS lookup or IP address.

Versions affected are 5.1.5 through 5.1.31 inclusive and 6.0.0(?) through 6.0.9 inclusive.
No versions of 5.0, 4.1, 4.0 or 3.n are affected.

This is reported as vulnerability BID33972. 

James Day, MySQL Senior Support Engineer, Sun Microsystems
[2 Nov 20:57] James Day
This has been assigned a candidate CVE-2009-0819 . Note that it is only possible to
exploit this if all of these conditions are true:

1. You're an authorised direct user of the MySQL server, able to run arbitrary SQL
statements on it.
2. No firewall blocks your access, as it normally would in a secure server environment.
3. You're accessing from an authorised location for your user account.

This set of requirements makes it unlikely to be exploitable in a secured environment,
particularly one where applications are doing all database accessing. In this environment
an added precondition is an SQL injection bug in the application that allows application
users to run SQL statements.