Description:
The check for a hashed password on SET PASSWORD failes to validate and setz unrecoverable password.
I understand, password should be set with PASSWORD() but wondering why it's generating wrong string which is not set.

How to repeat:
mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%version%';
+-------------------------+------------------------------+
| Variable_name           | Value                        |
+-------------------------+------------------------------+
| innodb_version          | 5.5.61                       |
| protocol_version        | 10                           |
| slave_type_conversions  |                              |
| version                 | 5.5.61                       |
| version_comment         | MySQL Community Server (GPL) |
| version_compile_machine | x86_64                       |
| version_compile_os      | linux-glibc2.12              |
+-------------------------+------------------------------+
7 rows in set (0.00 sec)

mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%pass%';
+-----------------+-------+
| Variable_name   | Value |
+-----------------+-------+
| old_passwords   | OFF   |
| report_password |       |
+-----------------+-------+
2 rows in set (0.00 sec)

mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%auth%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| secure_auth   | OFF   |
+---------------+-------+
1 row in set (0.00 sec)

mysql [localhost] {root} ((none)) > SELECT PASSWORD('c7TYEzcPsboE3DdN');
+-------------------------------------------+
| PASSWORD('c7TYEzcPsboE3DdN')              |
+-------------------------------------------+
| *18C13FE1288B3482259CE49DC35CFC21FB165478 |
+-------------------------------------------+

The following string produces the issue and the wrong hash, but no Error message.

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'c7TYEzcPsboE3DdN';
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {root} ((none)) > show grants for moon@localhost;
+--------------------------------------------------------------------------------------+
| Grants for moon@localhost                                                            |
+--------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO 'moon'@'localhost' IDENTIFIED BY PASSWORD 'c8f303d91cc8e3de7' |
+--------------------------------------------------------------------------------------+

The expected behavior should be:
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

Like below:

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'sdlkjgskgjsfd;gklfd';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'sdlkjgskgjsfd';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

Hi,

I have tested this situation and in my opinion, this is a bug. However, ......

There is only one more release left for 5.5 and that one is coming very soon. Hence, we can not go on verifying this bug, without knowing what might be its destiny. Particularly since this bug does not exist in 5.7 and 8.0.

Hi,

I managed to verify it. I have reduced the Severity, since this is not really a security bug, since this only about the error / warning message.

Regarding fixing this bug, this still remains to be seen whether it will find its way into the final 5.5 release.

Verified as reported.

Since, this bug is no longer considered a security bug and since 5.5 maintenance expires at the end of this month, this bug will, most probably, fall into the "Won't fix" category.

Hi,

This bug is fixed in version 5.6 and higher.

It will not be fixed in 5.5, due to its EOL, id est, end-of-life. Which means that its maintenance is over.