Bug #92951 mysql sets wrong password
Submitted: 25 Oct 2018 21:58 Modified: 18 Dec 2018 13:16
Reporter: Muhammad Irfan
Status: Won't fix
Category: MySQL Server: Security: Privileges Severity: S3 (Non-critical)
Version: 5.1, 5.5 OS: Any
Assigned to: CPU Architecture: Any
Tags: password hexadecimal

[25 Oct 2018 21:58] Muhammad Irfan
Description:
The check for a hashed password on SET PASSWORD fails to validate and sets an unrecoverable password.
I understand the password should be set with PASSWORD(), but I am wondering why it's generating a wrong string which is not set.

How to repeat:
mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%version%';
+-------------------------+------------------------------+
| Variable_name           | Value                        |
+-------------------------+------------------------------+
| innodb_version          | 5.5.61                       |
| protocol_version        | 10                           |
| slave_type_conversions  |                              |
| version                 | 5.5.61                       |
| version_comment         | MySQL Community Server (GPL) |
| version_compile_machine | x86_64                       |
| version_compile_os      | linux-glibc2.12              |
+-------------------------+------------------------------+
7 rows in set (0.00 sec)

mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%pass%';
+-----------------+-------+
| Variable_name   | Value |
+-----------------+-------+
| old_passwords   | OFF   |
| report_password |       |
+-----------------+-------+
2 rows in set (0.00 sec)

mysql [localhost] {root} ((none)) > SHOW GLOBAL VARIABLES LIKE '%auth%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| secure_auth   | OFF   |
+---------------+-------+
1 row in set (0.00 sec)

mysql [localhost] {root} ((none)) > SELECT PASSWORD('c7TYEzcPsboE3DdN');
+-------------------------------------------+
| PASSWORD('c7TYEzcPsboE3DdN')              |
+-------------------------------------------+
| *18C13FE1288B3482259CE49DC35CFC21FB165478 |
+-------------------------------------------+

The following string produces the issue and the wrong hash, but no Error message.

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'c7TYEzcPsboE3DdN';
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {root} ((none)) > show grants for moon@localhost;
+--------------------------------------------------------------------------------------+
| Grants for moon@localhost                                                            |
+--------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO 'moon'@'localhost' IDENTIFIED BY PASSWORD 'c8f303d91cc8e3de7' |
+--------------------------------------------------------------------------------------+

The expected behavior should be:
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

Like below:

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'sdlkjgskgjsfd;gklfd';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

mysql [localhost] {root} ((none)) > SET PASSWORD FOR 'moon'@'localhost' = 'sdlkjgskgjsfd';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number
[30 Oct 2018 14:05] MySQL Verification Team
Hi,

I have tested this situation and in my opinion, this is a bug. However, ......

There is only one more release left for 5.5 and that one is coming very soon. Hence, we cannot go on verifying this bug without knowing what might be its destiny. Particularly since this bug does not exist in 5.7 and 8.0.
[31 Oct 2018 13:39] MySQL Verification Team
Hi,

I managed to verify it. I have reduced the Severity, since this is not really a security bug, since this is only about the error / warning message.

Regarding fixing this bug, this still remains to be seen whether it will find its way into the final 5.5 release.

Verified as reported.
[12 Dec 2018 13:53] MySQL Verification Team
Since this bug is no longer considered a security bug and since 5.5 maintenance expires at the end of this month, this bug will, most probably, fall into the "Won't fix" category.
[13 Dec 2018 13:40] MySQL Verification Team
Hi,

This bug is fixed in version 5.6 and higher.

It will not be fixed in 5.5, due to its EOL, id est, end-of-life. Which means that its maintenance is over.
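
Added example, not part of the original report or of MySQL's code: a client-side pre-flight check for servers that stay on 5.5, which validates a value before it is sent as the literal in SET PASSWORD ... = '...'. It assumes the accepted hash formats are '*' plus 40 hex digits or 16 hex digits, and that the 5.5 check looked only at the length (16 or 41), which matches the transcript above; the function names are hypothetical.

```python
import hashlib
import re

# Assumed hash formats: '*' + 40 hex digits (PASSWORD() with old_passwords=OFF)
# and 16 hex digits (pre-4.1 hash, still accepted when secure_auth is OFF).
NATIVE_RE = re.compile(r"\*[0-9A-Fa-f]{40}")
OLD_RE = re.compile(r"[0-9A-Fa-f]{16}")


def native_password_hash(cleartext: str) -> str:
    """Client-side equivalent of PASSWORD(): '*' + HEX(SHA1(SHA1(cleartext)))."""
    stage1 = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def classify(value: str) -> str:
    """Say what a string really is, not just what its length suggests."""
    if NATIVE_RE.fullmatch(value):
        return "native-hash"
    if OLD_RE.fullmatch(value):
        return "old-hash"
    if len(value) in (16, 41):
        # Right length, wrong alphabet: the case from the report that the
        # server accepted silently (assumption: a length-only check).
        return "length-only"
    return "not-a-hash"


def require_hash_literal(value: str) -> str:
    """Return value unchanged if it is a well-formed hash, else raise."""
    kind = classify(value)
    if kind not in ("native-hash", "old-hash"):
        raise ValueError(
            f"{kind}: refusing to send a {len(value)}-character value as a password hash"
        )
    return value


if __name__ == "__main__":
    # Strings taken from the transcript in the report.
    for sample in ("c7TYEzcPsboE3DdN", "sdlkjgskgjsfd;gklfd", "sdlkjgskgjsfd",
                   "*18C13FE1288B3482259CE49DC35CFC21FB165478", "c8f303d91cc8e3de7"):
        print(f"{sample!r:46} -> {classify(sample)}")
    # Hash the cleartext first, then the literal passes the check.
    print(require_hash_literal(native_password_hash("c7TYEzcPsboE3DdN")))
```

The same classify() check can be run over the hash strings shown by SHOW GRANTS to find accounts whose stored value is not a well-formed hash.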