Description:
This bug was reported by Rafael Silva from rfdslabs via the MySQL security mailing list.
mysqlmanager does not properly parse the --run-as-service and --mysqld-safe-compatible parameters, which causes the application to crash when parsing a long string.
This problem was confirmed in the following versions of mysqlmanager binaries; other versions may also be affected:
mysqlmanager Ver 1.0-beta for debian-linux-gnu on x86_64
Linux rfdslabs 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux
How to repeat:
/usr/sbin/mysqlmanager --mysqld-safe-compatible=`perl -e 'print "1" x 1000'`
/usr/sbin/mysqlmanager --run-as-service=`perl -e 'print "1" x 1000'`
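The crash above is triggered by an over-long option value. The page does not show mysqlmanager's source, so the following is an added, hypothetical illustration (not the project's code) of the defensive pattern: an unbounded copy of an option value next to a checked parser that rejects values which do not fit their buffer. OPTION_VALUE_MAX, set_option_checked and parse_long_option are assumed names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size storage for an option value (assumption, not mysqlmanager's real limit). */
#define OPTION_VALUE_MAX 256

enum opt_status { OPT_OK = 0, OPT_TOO_LONG = 1, OPT_BAD_ARG = 2 };

/* Unsafe pattern shown for contrast: copies with no bound, so a 1000-byte value overruns dest. */
void set_option_unchecked(char *dest, const char *value) {
    strcpy(dest, value);
}

/* Hardened form: measure against the buffer size first, leave room for the NUL, then copy. */
enum opt_status set_option_checked(char *dest, size_t dest_size, const char *value) {
    size_t len;
    if (dest == NULL || value == NULL || dest_size == 0) return OPT_BAD_ARG;
    len = strnlen(value, dest_size);          /* never scans past dest_size bytes */
    if (len >= dest_size) return OPT_TOO_LONG; /* value plus terminator would not fit */
    memcpy(dest, value, len + 1);
    return OPT_OK;
}

/* Parses "--<name>=<value>" and stores the value; over-long values are refused, not truncated. */
enum opt_status parse_long_option(const char *arg, const char *name,
                                  char *dest, size_t dest_size) {
    size_t name_len = strlen(name);
    if (arg == NULL || strncmp(arg, "--", 2) != 0) return OPT_BAD_ARG;
    if (strncmp(arg + 2, name, name_len) != 0 || arg[2 + name_len] != '=') return OPT_BAD_ARG;
    return set_option_checked(dest, dest_size, arg + 2 + name_len + 1);
}

int main(void) {
    char buf[OPTION_VALUE_MAX];
    char longarg[2 + 14 + 1 + 1000 + 1]; /* constructed: --run-as-service= followed by 1000 '1's */
    memcpy(longarg, "--run-as-service=", 17);
    memset(longarg + 17, '1', 1000);
    longarg[1017] = '\0';

    set_option_unchecked(buf, "short"); /* harmless only because the value is short */
    printf("short value: %s\n", buf);
    printf("long value status: %d (1 = rejected as too long)\n",
           parse_long_option(longarg, "run-as-service", buf, sizeof buf));
    return 0;
}
```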
DETAILS
Disassembly:
[New Thread 0x7ffff6852710 (LWP 5972)]
[Thread 0x7ffff6852710 (LWP 5972) exited]
[5969/140737352079136] [10/12/01 11:46:53] [INFO] IM: started.
[5969/140737352079136] [10/12/01 11:46:53] [INFO] Loading config file
'my.cnf'...
[5969/140737352079136] [10/12/01 11:46:53] [INFO] Manager: initializing...
[New Thread 0x7ffff7e26710 (LWP 5973)]
[Thread 0x7ffff7e26710 (LWP 5973) exited]
[5969/140737352079136] [10/12/01 11:46:53] [INFO] Manager: detected
threads model: POSIX threads.
[5969/140737352079136] [10/12/01 11:46:53] [INFO] Warning: password file
does not exist, nobody will be able to connect to Instance Manager.
[5969/140737352079136] [10/12/01 11:46:53] [ERROR] Can not create pid file
'/var/lib/mysql/mysqlmanager.pid': Permission denied (errno: 13)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff689c35e in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x00007ffff689c35e in vfprintf () from /lib/libc.so.6
#1 0x00007ffff6950760 in __vsnprintf_chk () from /lib/libc.so.6
#2 0x00007ffff7e8529d in ?? ()
#3 0x00007ffff7e8558a in log_error(char const*, ...) ()
#4 0x00007ffff7e93114 in create_pid_file(char const*, int) ()
#5 0x00007ffff7e84f12 in Manager::main() ()
#6 0x00007ffff7e848b5 in main ()
(gdb) i r
rax 0x0 0
rbx 0x7fffffffd6c0 140737488344768
rcx 0xffffffffffffffff -1
rdx 0x30 48
rsi 0x7ffff7f0731b 140737353118491
rdi 0xff00000000000000 -72057594037927936
rbp 0x7fffffffd6b0 0x7fffffffd6b0
rsp 0x7fffffffd020 0x7fffffffd020
r8 0x3 3
r9 0xff00000000000000 -72057594037927936
r10 0x0 0
r11 0xfffffffa 4294967290
r12 0x22 34
r13 0x7fffffffdab0 140737488345776
r14 0x7ffff7f0731f 140737353118495
r15 0xffffffffffffff88 -120
rip 0x7ffff689c35e 0x7ffff689c35e <vfprintf+16318>
eflags 0x10286 [ PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0