Bug #9147 Server Crashing Bug When You Type USE lpt1; (MS-DOS device names)
Submitted: 12 Mar 2005 17:45
Modified: 12 Mar 2005 19:23
Reporter: Mike Hillyer
Status: Duplicate
Category: MySQL Server
Severity: S1 (Critical)
Version: 4.1.10a
OS: Windows (Windows XP SP2)
Assigned to:
CPU Architecture: Any

[12 Mar 2005 17:45] Mike Hillyer
Description:
FROM EMAIL
--------------------------------------------------------

Thanks for your support, Daniel, but of course you have not understood
the question exactly (maybe because of my *good* English ;p)
Now, I will describe the vulnerability in detail.
A vulnerability exists in the way the application handles requests containing
reserved MS-DOS device names (AUX, CON, COM1, LPT1 and PRN),
allowing an authenticated user to cause the service to fail.
This issue can become serious if, for example, a host provider supplies
MySQL support to its customers, supplying them with a user with at least one of these
privileges globally (on *.*):

- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT

I will report below how to reproduce the vulnerability:

- Connect to the server using an account that owns the privileges reported above
  and use database LPT1 (use LPT1;)
  After a few seconds, the mysql daemon crashes.

-----------------------------------

My own testing shows USE LPT1; and USE PRN; to be the only server crashers. NUL, CON, COM1, and AUX do not crash the server, but actually report the database successfully changed.

How to repeat:
USE LPT1;

Your server will then crash.

Suggested fix:
Block changing to these directories.

[12 Mar 2005 19:23] MySQL Verification Team
Same as http://bugs.mysql.com/bug.php?id=9148.
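
The "Suggested fix" in the report above (block database names that are reserved MS-DOS device names) could be sketched as the check below. This is an added example, not MySQL's code and not the fix tracked in the duplicate bug; the function names `is_reserved_dos_device` and `db_name_allowed` are hypothetical. It goes beyond the names listed in the report by assuming the usual Windows rules: COM1-COM9 and LPT1-LPT9 are all reserved, matching is case-insensitive, and an extension, colon or trailing space does not change which device a name maps to.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of the first n bytes of s against upper-case lit. */
static int eq_upper(const char *s, size_t n, const char *lit)
{
    size_t i;
    if (strlen(lit) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != lit[i])
            return 0;
    return 1;
}

/* 1 if name maps to a reserved device (CON, PRN, AUX, NUL, COM1-9, LPT1-9). */
int is_reserved_dos_device(const char *name)
{
    static const char *const fixed[] = { "CON", "PRN", "AUX", "NUL" };
    size_t len = strcspn(name, ".:");  /* base name before '.' or ':' decides */
    size_t i;

    while (len > 0 && name[len - 1] == ' ')  /* trailing spaces are ignored */
        len--;
    for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (eq_upper(name, len, fixed[i]))
            return 1;
    if (len == 4 && name[3] >= '1' && name[3] <= '9')
        return eq_upper(name, 3, "COM") || eq_upper(name, 3, "LPT");
    return 0;
}

/* Hypothetical gate, run before a database name is mapped to a directory. */
int db_name_allowed(const char *name)
{
    return name != NULL && name[0] != '\0' && !is_reserved_dos_device(name);
}

int main(void)
{
    /* Constructed sample names for illustration. */
    const char *samples[] = { "LPT1", "prn", "Aux.frm", "COM1 ", "lpt10", "sales" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               db_name_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

The check rejects every reserved name, including NUL, CON, COM1 and AUX, which the reporter's testing found did not crash the server but were still accepted as databases.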