Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.

CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once, which could be deliberately triggered by an attacker to cause a crash, resulting in a denial of service condition. In order to exploit this vulnerability, a valid username and password combination for access to the MySQL server is required.

CAN-2003-0150: The mysql package contains a bug whereby a malicious user, granted certain permissions within mysql, could create a configuration file which would cause the mysql server to run as root, or any other user, rather than the mysql user.

The remote host is running a version of MySQL which is older than version 3.23.55. If you have not patched this version, then any attacker with a valid username may crash this service remotely by exploiting a double free bug.
 Further exploitation to gain a shell on the host may also be possible. 

The remote host is running a version of MySQL which is older than version 3.23.56. A vulnerability exists that may allow the mysqld service to start with elevated privileges. An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user'. 

Aleksander Adamowski informed MandrakeSoft that the MySQL developers fixed a DoS vulnerability in the recently released 3.23.55 version of MySQL. A double free() pointer bug in the mysql_change_user() handling would allow a specially hacked mysql client to crash the main mysqld server. This vulnerability can only be exploited by first logging in with a valid user account.

Updated packages are available that fix both a double-free security vulnerability and a remote root exploit security vulnerability found in the MySQL server.

[Updated 11 Aug 2003] Updated mysqlclient9 packages are now included.
These were previously missing from this erratum.

MySQL is a multi-user, multi-threaded SQL database server.

A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application.

A remote root exploit vulnerability in mysqld, for MySQL before version 3.23.56, allows MySQL users to gain root privileges by overwriting configuration files.

Previous versions of the MySQL packages do not contain the thread safe client library (libmysqlclient_r).

All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.56.

According to its banner, a version of MySQL before 3.23.55 is running on the remote host.  If you have not patched this version, then an attacker with valid credentials may be able to crash this service remotely by exploiting a double free bug. 

Further exploitation to gain a shell on the host might be possible, although it's unconfirmed so far.

The remote host is running a version of MySQL which is older than version 3.23.56. A vulnerability exists that may allow the mysqld service to start with elevated privileges. An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user'.

The remote host is running a version of MySQL which is older than version 3.23.55. If you have not patched this version, then any attacker with a valid username may crash this service remotely by exploiting a double free bug.
 Further exploitation to gain a shell on the host may also be possible.

ID	Name	Product	Family	Severity
15140	Debian DSA-303-1 : mysql - privilege escalation	Nessus	Debian Local Security Checks	high
1908	Oracle MySQL < 3.23.55 Double Free() Overflow	Nessus Network Monitor	Database	high
1900	Oracle MySQL < 3.23.56 Local Privilege Escalation	Nessus Network Monitor	Database	high
13998	Mandrake Linux Security Advisory : MYSQL (MDKSA-2003:013)	Nessus	Mandriva Local Security Checks	medium
12378	RHEL 2.1 : mysql (RHSA-2003:094)	Nessus	Red Hat Local Security Checks	high
11299	MySQL < 3.23.55 mysql_change_user() Double-free Memory Pointer DoS	Nessus	Databases	medium
801167	MySQL < 3.23.56 Local Privilege Escalation	Log Correlation Engine	Database	high
801161	MySQL < 3.23.55 Double Free() Overflow	Log Correlation Engine	Database	high

Detections

Analytics

CVE-2003-0073

high

Tenable Plugins

high

high

high

medium

high

medium

high

high