Bug #12575 Security of UDF functions
Submitted: 14 Aug 2005 18:06 Modified: 9 Sep 2005 20:13
Reporter: Christian Hammers (Silver Quality Contributor) (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: User-defined functions ( UDF ) Severity:S3 (Non-critical)
Version:5.0 OS:
Assigned to: Sergei Golubchik CPU Architecture:Any

[14 Aug 2005 18:06] Christian Hammers
Description:
Accordign to 
   http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
there have again been security problems with UDF functions. It has been known that
a local thread can easily be crashed by finding an arbitrary library that includes one function called *_init or *_deinit but this time this could even been used to create security relevant buffer overflows.

To requests now:
1. The advisory states that this bug has been fixed but I can't find the changelog.
    As I would like to identify the patch to maybe release fixed Debian packages, I would 
    be glad for a pointer.

2. Starting with the new major version 5.0 you really could introduce some better 
    security mechnism like forcing every UDF library to define a specific string that
    marks it as MySQL UDF.

bye,

-christian-
    

How to repeat:
-

Suggested fix:
-
[2 Sep 2005 10:40] Valeriy Kravchuk
http://www.appsecinc.com/resources/alerts/mysql/2005-002.html says:

"MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched."

But I was also unable to find any reference to UDF or init_syms in the change logs for these versions.
[7 Sep 2005 18:26] Sergei Golubchik
This is the changeset with the bugfix:

http://mysql.bkbits.net:8080/mysql-4.0/cset@428b981bg2iwh3CbGANDaF-W6DbttA

Bugfix should be mentioned in the appropriate section of the manual. We'll correct that.
[9 Sep 2005 20:13] Paul Dubois
Noted in 4.0.25, 4.1.13, 5.0.7 changelogs.