CVE-2006-3486
CVSS 2.1
Published: 2006-07-10 17:05:00
Last modified: 2011-03-07 00:00:00

[Original text] ** DISPUTED ** Off-by-one buffer overflow in the Instance_options::complete_initialization function in instance_options.cc in the Instance Manager in MySQL before 5.0.23 and 5.1 before 5.1.12 might allow local users to cause a denial of service (application crash) via unspecified vectors, which triggers the overflow when the convert_dirname function is called. NOTE: the vendor has disputed this issue via e-mail to CVE, saying that it is only exploitable when the user has access to the configuration file or the Instance Manager daemon. Due to intended functionality, this level of access would already allow the user to disrupt program operation, so this does not cross security boundaries and is not a vulnerability.


[CNNVD] MySQL 'instance_options.cc' Instance_options::complete_initialization function buffer overflow vulnerability (CNNVD-200607-120)

        **Disputed** The Instance_options::complete_initialization function in instance_options.cc in MySQL before 5.0.23, and in 5.1 before 5.1.12, contains an off-by-one buffer overflow. A local user can cause a denial of service (application crash) via unspecified vectors that trigger the overflow when the convert_dirname function is called. Note: the vendor disputed this issue in an e-mail to CVE, stating that it can only be exploited when the user already has access to the configuration file or to the Instance Manager daemon. Given the intended functionality, that level of access already allows the user to disrupt program operation, so this does not cross a security boundary and is not a vulnerability.
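As an added illustration of the bug class named above, and not MySQL's own code (it is not the real instance_options.cc or convert_dirname implementation, and every name in it is hypothetical), the C below shows the typical shape of an off-by-one in a directory-name conversion routine: the caller sizes the destination for the source string plus its terminator, but the conversion may append a path separator before the terminator, so the final write lands exactly one byte past the end of the buffer. The checked variant computes the real requirement first and refuses to write when it does not fit.

```c
/* Added example: hypothetical off-by-one in a dirname conversion routine.
 * This is NOT MySQL's convert_dirname() or Instance Manager code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIR_SEP '/'

/* Bytes needed to hold `path` with a guaranteed trailing separator plus NUL. */
size_t dirname_bytes_needed(const char *path)
{
    size_t n = strlen(path);
    int has_sep = (n > 0 && path[n - 1] == DIR_SEP);
    return n + (has_sep ? 0 : 1) + 1;   /* +1 separator if missing, +1 NUL */
}

/* The off-by-one: the destination is sized for the source string and its NUL,
 * forgetting the separator the conversion may append. When the source has no
 * trailing separator this is one byte short of dirname_bytes_needed(). */
size_t buggy_bytes_allocated(const char *path)
{
    return strlen(path) + 1;
}

/* Unchecked conversion: trusts that dst is large enough. With a buffer sized by
 * buggy_bytes_allocated() and a path lacking a trailing separator, the final
 * '\0' is written one byte past the end of dst. Never called on an undersized
 * buffer in this file; shown only as the pattern to avoid. */
void convert_dirname_unchecked(char *dst, const char *src)
{
    size_t n = strlen(src);
    memcpy(dst, src, n);
    if (n == 0 || src[n - 1] != DIR_SEP)
        dst[n++] = DIR_SEP;
    dst[n] = '\0';
}

/* Hardened conversion: returns 0 and writes dst only when the result fits in
 * dstsize bytes, otherwise returns -1 and leaves dst untouched. */
int convert_dirname_checked(char *dst, size_t dstsize, const char *src)
{
    if (dirname_bytes_needed(src) > dstsize)
        return -1;
    convert_dirname_unchecked(dst, src);   /* safe: fits by construction */
    return 0;
}

/* Result code of the checked conversion into a destination of dstsize bytes
 * (capped at 64 for this demo). Lets a caller probe the exact boundary. */
int checked_rc(const char *src, size_t dstsize)
{
    char buf[64];
    if (dstsize > sizeof buf)
        dstsize = sizeof buf;
    return convert_dirname_checked(buf, dstsize, src);
}

/* Checked conversion into a fixed 32-byte buffer; NULL if it would not fit. */
static char demo_buf[32];
const char *convert_to_static(const char *src)
{
    return convert_dirname_checked(demo_buf, sizeof demo_buf, src) == 0 ? demo_buf : NULL;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real configuration. */
    const char *paths[] = { "/var/lib/mysql", "/var/lib/mysql/", "" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        size_t need = dirname_bytes_needed(paths[i]);
        size_t got  = buggy_bytes_allocated(paths[i]);
        printf("\"%s\": needs %zu bytes, naive sizing gives %zu -> %s\n",
               paths[i], need, got, got < need ? "one byte short" : "ok");
        const char *out = convert_to_static(paths[i]);
        if (out)
            printf("  checked conversion: \"%s\"\n", out);
    }
    printf("\"/abc\" into %zu-byte buffer: rc=%d\n",
           buggy_bytes_allocated("/abc"), checked_rc("/abc", buggy_bytes_allocated("/abc")));
    return 0;
}
```

The point to take from the boundary probe is that a buffer sized exactly by the naive formula fails the checked conversion by one byte, which is the whole defect: a length computation that forgets a character the routine itself adds, rather than any attacker-controlled length.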

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no specialized access conditions required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/a:mysql:mysql:5.0.0    MySQL 5.0.0
cpe:/a:mysql:mysql:5.0.1    MySQL 5.0.1
cpe:/a:mysql:mysql:5.0.2    MySQL 5.0.2
cpe:/a:mysql:mysql:5.0.3    MySQL 5.0.3
cpe:/a:mysql:mysql:5.0.4    MySQL 5.0.4
cpe:/a:mysql:mysql:5.0.5    MySQL 5.0.5
cpe:/a:mysql:mysql:5.0.6    MySQL 5.0.6
cpe:/a:mysql:mysql:5.0.7    MySQL 5.0.7
cpe:/a:mysql:mysql:5.0.8    MySQL 5.0.8
cpe:/a:mysql:mysql:5.0.9    MySQL 5.0.9
cpe:/a:mysql:mysql:5.0.10   MySQL 5.0.10
cpe:/a:mysql:mysql:5.0.11   MySQL 5.0.11
cpe:/a:mysql:mysql:5.0.12   MySQL 5.0.12
cpe:/a:mysql:mysql:5.0.13   MySQL 5.0.13
cpe:/a:mysql:mysql:5.0.14   MySQL 5.0.14
cpe:/a:mysql:mysql:5.0.15   MySQL 5.0.15
cpe:/a:mysql:mysql:5.0.16   MySQL 5.0.16
cpe:/a:mysql:mysql:5.0.17   MySQL 5.0.17
cpe:/a:mysql:mysql:5.0.18   MySQL 5.0.18
cpe:/a:mysql:mysql:5.0.19   MySQL 5.0.19
cpe:/a:mysql:mysql:5.0.20   MySQL 5.0.20
cpe:/a:mysql:mysql:5.0.20a  MySQL 5.0.20a
cpe:/a:mysql:mysql:5.0.21   MySQL 5.0.21
cpe:/a:mysql:mysql:5.0.22   MySQL 5.0.22
cpe:/a:mysql:mysql:5.1.1    MySQL 5.1.1
cpe:/a:mysql:mysql:5.1.2    MySQL 5.1.2
cpe:/a:mysql:mysql:5.1.3    MySQL 5.1.3
cpe:/a:mysql:mysql:5.1.4    MySQL 5.1.4
cpe:/a:mysql:mysql:5.1.5    MySQL 5.1.5
cpe:/a:mysql:mysql:5.1.6    MySQL 5.1.6
cpe:/a:mysql:mysql:5.1.7    MySQL 5.1.7
cpe:/a:mysql:mysql:5.1.8    MySQL 5.1.8
cpe:/a:mysql:mysql:5.1.9    MySQL 5.1.9
cpe:/a:mysql:mysql:5.1.10   MySQL 5.1.10
cpe:/a:mysql:mysql:5.1.11   MySQL 5.1.11

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3486
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-120
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/27635
(UNKNOWN)  XF  mysql-instancemanager-dos(27635)
http://www.vupen.com/english/advisories/2006/2700
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2700
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
(UNKNOWN)  MISC  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
(UNKNOWN)  MISC  http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
http://bugs.mysql.com/bug.php?id=20622
(UNKNOWN)  MISC  http://bugs.mysql.com/bug.php?id=20622

- Vulnerability information

MySQL 'instance_options.cc' Instance_options::complete_initialization function buffer overflow vulnerability
Low severity  Buffer overflow
2006-07-10 00:00:00 2006-07-25 00:00:00
Local
        **Disputed** The Instance_options::complete_initialization function in instance_options.cc in MySQL before 5.0.23, and in 5.1 before 5.1.12, contains an off-by-one buffer overflow. A local user can cause a denial of service (application crash) via unspecified vectors that trigger the overflow when the convert_dirname function is called. Note: the vendor disputed this issue in an e-mail to CVE, stating that it can only be exploited when the user already has access to the configuration file or to the Instance Manager daemon. Given the intended functionality, that level of access already allows the user to disrupt program operation, so this does not cross a security boundary and is not a vulnerability.

- Advisories and patches

        No data available

- Vulnerability information (OSVDB)

28288
MySQL Instance_options::complete_initialization Function Overflow
Local Access Required; Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

A local overflow has been reported in MySQL. The Instance Manager fails to properly sanitize input to the Instance_options::complete_initialization function, resulting in an off-by-one overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code. MySQL developers have stated that this is "only exploitable when the user has access to the configuration file or the Instance Manager daemon. Due to intended functionality, this level of access would already allow the user to disrupt program operation", so this does not cross security boundaries and is not a vulnerability. Note that this OSVDB entry claims code execution and loss of integrity, whereas the CVE, NVD and CNNVD entries above describe the impact as an application crash only (CVSS integrity impact NONE); treat the code-execution claim as unconfirmed.

- Timeline

2006-06-22 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete
About SCAP中文社区

SCAP中文社区 (SCAP Chinese Community) is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are hosted on MITRE's websites.