[VIM] Clarification on MySQL versions for single-row subselect DoS

Steven M. Christey coley at mitre.org
Wed Mar 21 17:29:57 UTC 2007


FYI, MySQL notified CVE that this was originally reported as being
before 5.0.37, but it's before 5.0.36.  It was also originally
reported by a different organization, so we have another parallel
discovery if anybody tracks those things.

What wasn't originally entirely apparent to me was that this seems to
be an issue only when doing sorting on a set with just one row.  I bet
there are similar bugs out there in other products with similar
difficulties.

- Steve

======================================================
Name: CVE-2007-1420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420
Reference: BUGTRAQ:20070309 SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/462339/100/0/threaded
Reference: MISC:http://www.sec-consult.com/284.html
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-36.html
Reference: CONFIRM:http://bugs.mysql.com/bug.php?id=24630
Reference: BID:22900
Reference: URL:http://www.securityfocus.com/bid/22900
Reference: FRSIRT:ADV-2007-0908
Reference: URL:http://www.frsirt.com/english/advisories/2007/0908
Reference: SECUNIA:24483
Reference: URL:http://secunia.com/advisories/24483

MySQL 5.x before 5.0.36 allows local users to cause a denial of
service (database crash) by performing information_schema table
subselects and using ORDER BY to sort a single-row result, which
prevents certain structure elements from being initialized and
triggers a NULL dereference in the filesort function.



