Bug #42495 | updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507 | | |
---|---|---|---|
Submitted: | 31 Jan 2009 8:26 | Modified: | 16 Feb 2009 17:07 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: XML functions | Severity: | S1 (Critical) |
Version: | 5.1.15, 5.1.30, 5.1.32-bzr, 6.0.9, 6.0.10-bzr | OS: | Any |
Assigned to: | Sergei Glukhov | CPU Architecture: | Any |
Tags: | DoS, ExtractValue, updatexml | | |
[31 Jan 2009 8:26]
Shane Bester
[31 Jan 2009 15:55]
Valeriy Kravchuk
Verified just as described on Windows XP SP2.
[3 Feb 2009 7:25]
Sergey Petrunya
Omer, Are all crashes now DoSes? If not, could you please explain how this crash is special?
[3 Feb 2009 7:26]
Sergey Petrunya
In particular, why is this marked DoS, and http://bugs.mysql.com/bug.php?id=37740 isn't ??
[3 Feb 2009 7:44]
Valeriy Kravchuk
Verified with recent 5.1.32-bzr and 6.0.10-bzr.
[3 Feb 2009 13:08]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/65001
2768 Sergey Glukhov 2009-02-03
Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
Problem: RelativeLocationPath can appear only after a node-set expression in the third and the fourth branches of this rule:
PathExpr ::= LocationPath | FilterExpr | FilterExpr '/' RelativeLocationPath | FilterExpr '//' RelativeLocationPath
XPath code didn't check the type of FilterExpr and crashed.
Fix: If FilterExpr is a scalar expression (variable reference, literal, number, scalar function call) return error.
[3 Feb 2009 13:11]
Alexander Barkov
The patch is ok to push.
[4 Feb 2009 11:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/65127
2770 Sergey Glukhov 2009-02-04
Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
Problem: RelativeLocationPath can appear only after a node-set expression in the third and the fourth branches of this rule:
PathExpr ::= LocationPath | FilterExpr | FilterExpr '/' RelativeLocationPath | FilterExpr '//' RelativeLocationPath
XPath code didn't check the type of FilterExpr and crashed.
Fix: If FilterExpr is a scalar expression (variable reference, literal, number, scalar function call) return error.
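The grammar check that the two commit messages above describe, as an added stand-alone Python example (not the server's patch): it classifies the leading FilterExpr of a PathExpr and rejects a scalar one followed by '/' or '//' instead of evaluating it. Treating `id()` as the only node-set-returning function is this example's assumption, taken from the XPath 1.0 core function library, not a statement about MySQL's implementation; parenthesised sub-expressions are not analysed.

```python
import re

# Token patterns for the PrimaryExpr that can start a FilterExpr.
_PRIMARY = re.compile(r"""
    (?P<var>\$[A-Za-z_][\w.-]*)            # VariableReference
  | (?P<lit>"[^"]*"|'[^']*')               # Literal
  | (?P<num>\d+(?:\.\d*)?|\.\d+)           # Number
  | (?P<func>[A-Za-z_][\w.-]*)\s*\(        # FunctionCall: name followed by '('
""", re.VERBOSE)

# Assumption for this example: in the XPath 1.0 core library only id() returns
# a node-set, so every other function call is treated as scalar.
NODE_SET_FUNCTIONS = {"id"}


def classify_filter_expr(expr):
    """Return (kind, rest) for the leading primary of a PathExpr.

    kind is 'scalar', 'node-set', or None when the expression does not start
    with a PrimaryExpr this example analyses (a LocationPath such as '/a/b',
    or a parenthesised expression).
    """
    m = _PRIMARY.match(expr)
    if not m:
        return None, expr
    if m.lastgroup != "func":
        return "scalar", expr[m.end():]
    # Skip to the ')' closing the call so the text after it can be inspected.
    depth, i = 1, m.end()
    while i < len(expr) and depth:
        depth += {"(": 1, ")": -1}.get(expr[i], 0)
        i += 1
    kind = "node-set" if m.group("func") in NODE_SET_FUNCTIONS else "scalar"
    return kind, expr[i:]


def path_expr_is_valid(expr):
    """Rule from the Bug#42495 fix: a scalar FilterExpr must not be followed
    by '/' or '//', because those PathExpr branches require a node-set."""
    kind, rest = classify_filter_expr(expr.strip())
    # FilterExpr ::= PrimaryExpr | FilterExpr Predicate -- skip predicates.
    while rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            break
        rest = rest[end + 1:]
    return not (kind == "scalar" and rest.lstrip().startswith("/"))
```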
[9 Feb 2009 22:34]
Bugs System
Pushed into 5.1.32 (revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (version source revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (merge vers: 5.1.32) (pib:6)
[14 Feb 2009 13:01]
Bugs System
Pushed into 6.0.10-alpha (revid:matthias.leich@sun.com-20090212211028-y72faag15q3z3szy) (version source revid:sergey.glukhov@sun.com-20090204123759-a3v1pwjukl5nkr8n) (merge vers: 6.0.10-alpha) (pib:6)
[16 Feb 2009 17:07]
Jon Stephens
Documented as a security fix in the 5.1.32 and 6.0.10 changelogs, as follows: Using an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML() caused the server to crash. Such expressions now cause an error instead.
[17 Feb 2009 14:59]
Bugs System
Pushed into 5.1.32-ndb-6.3.23 (revid:tomas.ulin@sun.com-20090217131017-6u8qz1edkjfiobef) (version source revid:tomas.ulin@sun.com-20090216083408-rmvyaxjt6mk8sg1y) (merge vers: 5.1.32-ndb-6.3.23) (pib:6)
[17 Feb 2009 16:47]
Bugs System
Pushed into 5.1.32-ndb-6.4.3 (revid:tomas.ulin@sun.com-20090217134419-5ha6xg4dpedrbmau) (version source revid:tomas.ulin@sun.com-20090216083646-m8st11oj1hhfuuh5) (merge vers: 5.1.32-ndb-6.4.3) (pib:6)
[17 Feb 2009 18:23]
Bugs System
Pushed into 5.1.32-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090217134216-5699eq74ws4oxa0j) (version source revid:tomas.ulin@sun.com-20090211111208-wf0acl7c1vl5653e) (merge vers: 5.1.32-ndb-6.2.17) (pib:6)
[13 Mar 2009 22:39]
James Day
To exploit this you need a valid login account on the MySQL server that is authorised to connect from the location from which the account is attempting the access, normally a specified host with matching reverse DNS lookup or IP address. Versions affected are 5.1.5 through 5.1.31 inclusive and 6.0.0(?) through 6.0.9 inclusive. No versions of 5.0, 4.1, 4.0 or 3.n are affected. This is reported as vulnerability BID33972. James Day, MySQL Senior Support Engineer, Sun Microsystems
[2 Nov 2009 19:57]
James Day
This has been assigned a candidate CVE-2009-0819. Note that it is only possible to exploit this if all of these conditions are true:
1. You're an authorised direct user of the MySQL server, able to run arbitrary SQL statements on it.
2. No firewall blocks your access, as it normally would in a secure server environment.
3. You're accessing from an authorised location for your user account.
This set of requirements makes it unlikely to be exploitable in a secured environment, particularly one where applications are doing all database accessing. In this environment an added precondition is an SQL injection bug in the application that allows application users to run SQL statements.