Bug #12575 Security of UDF functions
Submitted: 14 Aug 2005 18:06 Modified: 9 Sep 2005 20:13
Reporter: Christian Hammers (Silver Quality Contributor) (OCA)
Status: Closed
Category: MySQL Server: User-defined functions (UDF) Severity: S3 (Non-critical)
Version: 5.0 OS:
Assigned to: Sergei Golubchik CPU Architecture: Any

[14 Aug 2005 18:06] Christian Hammers
According to
there have again been security problems with UDF functions. It has been known that
a local thread can easily be crashed by finding an arbitrary library that includes one function called *_init or *_deinit, but this time this could even be used to create security-relevant buffer overflows.

Two requests now:
1. The advisory states that this bug has been fixed but I can't find the changelog.
    As I would like to identify the patch to maybe release fixed Debian packages, I would 
    be glad for a pointer.

2. Starting with the new major version 5.0 you really could introduce some better
    security mechanism like forcing every UDF library to define a specific string that
    marks it as a MySQL UDF.



How to repeat:

Suggested fix:
[2 Sep 2005 10:40] Valeriy Kravchuk
http://www.appsecinc.com/resources/alerts/mysql/2005-002.html says:

"MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched."

But I was also unable to find any reference to UDF or init_syms in the change logs for these versions.
[7 Sep 2005 18:26] Sergei Golubchik
This is the changeset with the bugfix:


Bugfix should be mentioned in the appropriate section of the manual. We'll correct that.
[9 Sep 2005 20:13] Paul Dubois
Noted in 4.0.25, 4.1.13, 5.0.7 changelogs.
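
The marker check proposed in the report's second request, as an added sketch that is not MySQL's code and not the fix referenced in this thread: the loader refuses any library that does not export a marker string before it resolves `<name>` and `<name>_init`. The symbol name `udf_library_marker`, its value, the 64-byte name limit and the in-memory symbol tables are assumptions constructed for illustration; `udf_resolve` takes a lookup callback with the same shape as dlsym(3).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical marker symbol and value, invented for this sketch. */
#define UDF_MARKER_SYMBOL "udf_library_marker"
#define UDF_MARKER_VALUE  "MySQL-UDF"
#define UDF_NAME_MAX      64
/* Same shape as dlsym(3), so a real loader could pass dlsym directly. */
typedef void *(*sym_lookup_fn)(void *handle, const char *name);
enum udf_check { UDF_OK, UDF_NO_MARKER, UDF_BAD_NAME, UDF_NO_FUNC };

/* Resolve <name> and <name>_init only if the library carries the marker. */
enum udf_check udf_resolve(void *handle, sym_lookup_fn lookup, const char *name,
                           void **func, void **init)
{
    char init_name[UDF_NAME_MAX + sizeof("_init")];
    const char *marker = lookup(handle, UDF_MARKER_SYMBOL);

    if (marker == NULL || strncmp(marker, UDF_MARKER_VALUE, sizeof(UDF_MARKER_VALUE)) != 0)
        return UDF_NO_MARKER;            /* arbitrary library: refuse */
    if (name == NULL || name[0] == '\0' || strlen(name) > UDF_NAME_MAX)
        return UDF_BAD_NAME;             /* keeps "<name>_init" inside init_name */
    snprintf(init_name, sizeof(init_name), "%s_init", name);
    if ((*func = lookup(handle, name)) == NULL)
        return UDF_NO_FUNC;
    *init = lookup(handle, init_name);   /* optional entry point, may be NULL */
    return UDF_OK;
}

/* Constructed stand-ins for two loaded libraries: name -> address tables. */
struct fake_sym { const char *name; void *addr; };
static char marker_ok[] = UDF_MARKER_VALUE;
static int f_body, f_init;               /* dummy addresses */
struct fake_sym marked_lib[] = { { UDF_MARKER_SYMBOL, marker_ok },
    { "myfunc", &f_body }, { "myfunc_init", &f_init }, { NULL, NULL } };
struct fake_sym unmarked_lib[] = { { "other_init", &f_init }, { NULL, NULL } };

static void *fake_lookup(void *handle, const char *name)
{
    const struct fake_sym *s = handle;
    while (s->name != NULL && strcmp(s->name, name) != 0)
        s++;
    return s->addr;                      /* the sentinel entry has addr NULL */
}

enum udf_check check(struct fake_sym *lib, const char *name)
{
    void *func = NULL, *init = NULL;
    return udf_resolve(lib, fake_lookup, name, &func, &init);
}
```

With a real `dlopen` handle the library's constructors have already run by the time the marker is looked up, so a check like this limits which symbols the server calls, not which files it loads.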