_______________________________________________________
MySQL Bug ID : #24630
Affected.Vers. : 5.0.27, 5.1.12 (not tested on others)
Risk.level : High
Remotely Expl. : Yes
Vendor.Status : Patched
Advisory link : www.flowgate.net/advisories.html
_______________________________________________________
[OVERVIEW]
The MySQL Enterprise Server 5.0 software is the most reliable, secure and up-to-date version of the world's most popular open source database for cost-effectively delivering E-commerce, Online Transaction Processing (OLTP), and multi-terabyte Data Warehousing applications (from vendor's site).
Using an INFORMATION_SCHEMA table with ORDER BY in a subquery could cause a crash in the server.
[DETAILS]
The crash occurs because, when a subselect contains ORDER BY, the same INFORMATION_SCHEMA table is filled a second time and that second filling is not checked for.
table->sort.io_cache, previously allocated in create_sort_index(), is deleted during the second filling (in get_schema_tables_result()). There are two places where an INFORMATION_SCHEMA table can be filled, JOIN::exec() and create_sort_index(), and neither makes a proper check for a second filling attempt.
[POC/EXPLOIT]
select 1 from information_schema.tables where "CHARACTER_SETS"=(select
cast(table_name as char) from information_schema.tables
order by table_name limit 1);
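Operators who keep the general query log may want to spot queries of the shape described above (a subselect that reads an INFORMATION_SCHEMA table and sorts it) on servers that have not yet been patched. The following scanner is an added example written for this advisory, not code from the original report or from MySQL; the log excerpt it scans is constructed to approximate the 5.0 general log layout, and the matching is a heuristic (it looks for a parenthesised SELECT that contains both `from information_schema.` and `order by`), so it can flag harmless queries as well.

```python
import re

# Constructed general-query-log excerpt in the MySQL 5.0 style; not real data.
# Thread 3 issues the advisory's query shape in its third statement.
SAMPLE_LOG = """\
070309 10:15:01       3 Connect     app@localhost on shop
070309 10:15:01       3 Query       select id from orders where status = 'open' order by id limit 10
070309 10:15:02       3 Query       select 1 from information_schema.tables where "CHARACTER_SETS"=(select cast(table_name as char) from information_schema.tables order by table_name limit 1)
070309 10:15:03       3 Query       select table_name from information_schema.tables order by table_name
070309 10:15:04       3 Quit
"""

# date, time, thread id, command, argument (whitespace-separated)
QUERY_RE = re.compile(r'^\S+\s+\S+\s+(\d+)\s+Query\s+(.*)$')


def subselects(sql):
    """Yield the lower-cased body of every parenthesised SELECT in sql.

    Parentheses are matched by depth counting, so nested subselects are
    yielded too.  Scanning stops at the first unbalanced parenthesis.
    """
    lowered = sql.lower()
    i = 0
    while True:
        start = lowered.find('(', i)
        if start < 0:
            return
        depth = 0
        for j in range(start, len(lowered)):
            if lowered[j] == '(':
                depth += 1
            elif lowered[j] == ')':
                depth -= 1
                if depth == 0:
                    inner = lowered[start + 1:j].strip()
                    if inner.startswith('select'):
                        yield inner
                    break
        else:
            return  # unbalanced parentheses: nothing more to extract
        i = start + 1


def is_suspect(sql):
    """True if sql contains a subselect that both reads an INFORMATION_SCHEMA
    table and applies ORDER BY, the query shape described in the advisory."""
    for inner in subselects(sql):
        reads_schema = re.search(r'\bfrom\s+information_schema\.', inner)
        sorts = re.search(r'\border\s+by\b', inner)
        if reads_schema and sorts:
            return True
    return False


def scan_log(text):
    """Return (thread_id, query_text) for every logged query that matches."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m and is_suspect(m.group(2)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    for thread_id, query in scan_log(SAMPLE_LOG):
        print("thread %d: %s" % (thread_id, query))
```

A top-level `ORDER BY` over INFORMATION_SCHEMA (the fourth sample line) is deliberately not flagged, since the advisory ties the crash to the subselect case; extend `is_suspect` if a broader net is wanted.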
[LINKS]
MySQL Bugs listing: http://bugs.mysql.com/bug.php?id=24630
[SOLUTION]
The fix has been pushed into 5.0.36 and 5.1.16-beta. Noted in 5.0.36, 5.1.16 changelogs.
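To triage a fleet against the fixed releases named above, the following helper is an added example for this advisory (not code from the report or from MySQL). It parses the leading numeric triple of a MySQL VERSION() string, ignoring suffixes such as "-standard" or "-beta", and classifies it. Two assumptions are made: every 5.0.x release before 5.0.36 and every 5.1.x release before 5.1.16 is treated as affected (the advisory only tested 5.0.27 and 5.1.12, so this is the conservative reading), and other branches are reported as "unknown" because the advisory does not cover them. The sample version strings are constructed.

```python
import re

# Patch level at which the fix shipped on each affected branch, per the advisory.
# Assumption: earlier releases on the same branch lack the fix.
FIXED_RELEASES = {(5, 0): 36, (5, 1): 16}

_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')


def parse_version(version_string):
    """Return (major, minor, patch) from a MySQL VERSION() string.

    MySQL appends build suffixes ("5.0.27-standard", "5.1.16-beta",
    "5.0.36-community-nt"); only the leading numeric triple is used.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def assess(version_string):
    """Classify a server version against bug #24630.

    Returns:
      "affected" - 5.0.x before 5.0.36, or 5.1.x before 5.1.16
      "fixed"    - 5.0.36 or later, or 5.1.16 or later
      "unknown"  - any other branch (not covered by the advisory)
    """
    major, minor, patch = parse_version(version_string)
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "affected" if patch < fixed_patch else "fixed"


# Constructed sample of VERSION() outputs; not taken from any real host.
SAMPLE_VERSIONS = [
    "5.0.27-standard",
    "5.1.12-beta",
    "5.0.36-community-nt",
    "5.1.16-beta",
    "4.1.22-log",
]


def triage(versions=SAMPLE_VERSIONS):
    """Map each version string to its verdict."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    for version, verdict in triage().items():
        print("%-25s %s" % (version, verdict))
```

Feed it the output of `SELECT VERSION()` from each server; a verdict of "unknown" means the branch should be checked against the vendor changelog rather than assumed safe.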
[TIMELINE]
[27 Nov 2006 20:03] Bug entered in the bug reporting system
[27 Nov 2006 21:59] Vendor acknowledged the problem
[14 Feb 2007 11:39] Vendor pushes fix into next releases
[20 Feb 2007] Vendor announces availability of fixed releases
[09 Mar 2007] Public Disclosure
[CREDITS]
===========
Researcher: Oren Isacson
E-mail: info[*]flowgate[*]net
www.flowgate.net