CVE-2012-5614
Published: 3 December 2012
Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements.
Notes
Author | Note |
---|---|
mdeslaur | as of 2013-02-20, no new version from upstream |
jdstrand | per mariadb developers, this CVE is not correct (see http://www.openwall.com/lists/oss-security/2013/02/28/10). Essentially, the UpdateXML part was introduced in 5.6.6 and fixed in 5.6.10. Ubuntu does not ship MySQL 5.6. This CVE was also linked to an invalid packet vulnerability (https://mariadb.atlassian.net/browse/MDEV-3910), but this only existed in 5.5.18 and was fixed in 5.5.21. Since there is no 5.6 in Ubuntu and the invalid packet issue was introduced in 5.5.18, marking this as fixed in mysql-5.5 5.5.21 and mysql-dfsg-5.1 and mysql-5.1 as not-affected. |
Priority
Status
Package | Release | Status |
---|---|---|
mysql-5.5 Launchpad, Ubuntu, Debian |
upstream |
Released
(5.5.21)
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Not vulnerable
(5.5.29-0ubuntu0.12.04.1)
|
|
quantal |
Not vulnerable
(5.5.29-0ubuntu0.12.10.1)
|
|
raring |
Not vulnerable
(5.5.29-0ubuntu1)
|
|
mysql-dfsg-5.1 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
|
hardy |
Does not exist
|
|
lucid |
Not vulnerable
|
|
oneiric |
Does not exist
|
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
raring |
Does not exist
|
|
mysql-5.1 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
oneiric |
Not vulnerable
|
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
raring |
Does not exist
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614
- http://seclists.org/fulldisclosure/2012/Dec/7
- http://www.openwall.com/lists/oss-security/2012/12/02/4
- http://www.openwall.com/lists/oss-security/2012/12/02/3
- http://www.openwall.com/lists/oss-security/2013/02/28/10
- https://mariadb.atlassian.net/browse/MDEV-3910
- NVD
- Launchpad
- Debian