Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Sun, 2 Dec 2012 21:46:26 -0500 (EST)
(removed the full-disclosure/bugtraq mailing lists, they don't need to be
further spammed with minor CVE assignment details.)
On Sun, 2 Dec 2012, Sergei Golubchik wrote:
> Here's the vendor's reply:
>
> On Dec 02, Huzaifa Sidhpurwala wrote:
>> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
>
> A duplicate of CVE-2012-5579
> Already fixed in all stable MariaDB versions.
Kurt - I suggest we REJECT CVE-2012-5579 and preserve CVE-2012-5611
because of the strong likelihood that CVE-2012-5611 will be more commonly
referenced in the very near future.
>> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
>
> Not a bug. MySQL manual specifies many times very explicitly:
>
>   * Do not grant the `FILE' privilege to nonadministrative users. Any
Misconfigurations generally should not be captured with CVE IDs. At best,
we will probably describe CVE-2012-5613 to emphasize the sysadmin's role.
Just to toss a droplet of esoteric commentary into the bloodbath - while I
generally agree with the belief that distinct privileges should imply
boundaries that can not be broken, the reality is that most privilege
models are not well-documented or well-understood, and some privileges
might (by design) be effectively equivalent. So, privilege issues aren't
necessarily guaranteed to be treated as vulnerabilities if they don't
violate the intended security policy. There was some discussion about
this kind of challenge in the Linux kernel on oss-security a while back
that makes my head hurt just thinking about it.
>> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
>
> This is hardly a "zeroday" issue, it was known for, like, ten years.
Does anybody have any URLs for older reports of this issue?