[VIM] Vendor dispute of CVE-2006-3486 (MySQL overflow)

Steven M. Christey coley at mitre.org
Wed Jul 19 15:01:29 EDT 2006 

Apparently a terse MySQL changelog entry made it into some VDBs and
into CVE.  The vendor has since disputed the issue to us.  The CVE
follows, with the end note approved by the vendor.

I would tend to concur given the analysis.

- Steve

======================================================
Name: CVE-2006-3486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486
Acknowledged: yes changelog
Announced: 20060704
Flaw: buf
Reference: MISC:http://bugs.mysql.com/bug.php?id=20622
Reference: MISC:http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
Reference: MISC:http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
Reference: FRSIRT:ADV-2006-2700
Reference: URL:http://www.frsirt.com/english/advisories/2006/2700
Reference: XF:mysql-instancemanager-dos(27635)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27635

** DISPUTED **

Off-by-one buffer overflow in the
Instance_options::complete_initialization function in
instance_options.cc in the Instance Manager in MySQL before 5.0.23 and
5.1 before 5.1.12 might allow local users to cause a denial of service
(application crash) via unspecified vectors, which triggers the
overflow when the convert_dirname function is called.  NOTE: the
vendor has disputed this issue via e-mail to CVE, saying that it is
only exploitable when the user has access to the configuration file or
the Instance Manager daemon.  Due to intended functionality, this
level of access would already allow the user to disrupt program
operation, so this does not cross security boundaries and is not a
vulnerability.


Analysis:
ACKNOWLEDGEMENT: MySQL 5.0.23 changelog " A buffer overwrite error in
Instance Manager caused a crash. (Bug#20622)" This apparently
triggered some refined sources to report it as a security issue.
However, the vendor notified CVE via e-mail that the issue is not
exploitable to cross security boundaries, and approved the statement
on 20060719.

ACCURACY: it is not clear whether this is security-relevant, as the
input vectors are unknown.

More information about the VIM mailing list