CVE-2012-2122 in Ubuntu

CVE-2012-2122

Priority

High

Description

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24,
and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before
5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in
certain environments with certain implementations of the memcmp function,
allows remote attackers to bypass authentication by repeatedly
authenticating with the same incorrect password, which eventually causes a
token comparison to succeed due to an improperly-checked return value.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
http://seclists.org/oss-sec/2012/q2/493
https://mariadb.atlassian.net/browse/MDEV-212
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
https://usn.ubuntu.com/usn/usn-1467-1

Bugs

http://bugs.mysql.com/bug.php?id=64884

Notes

jdstrand> mysql-cluster-7.0 not supported per Ubuntu Server team

Assigned-to

mdeslaur

Package

Source: mysql-cluster-7.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE

Package

Source: mysql-5.5 (LP Ubuntu Debian)

Upstream:	released (5.5.24)
Ubuntu 12.04 ESM (Precise Pangolin):	released (5.5.25-0ubuntu1)

Patches:

Upstream:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

Package

Source: mysql-dfsg-5.1 (LP Ubuntu Debian)

Upstream:	released (5.1.63)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE

Package

Source: mysql-dfsg-5.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE

Package

Source: mysql-5.1 (LP Ubuntu Debian)

Upstream:	released (5.1.63)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE

More Information

Updated: 2017-12-15 20:29:52 UTC (commit 13913)