OOPS! MySQL Falls Down…

“two critical vulnerabilities, which can lead to arbitrary code execution, root privilege escalation, and server compromise, affect MySQL and forks like Percona Server, Percona XtraDB Cluster, and MariaDB, according to security researcher Dawid Golunski”
 
See “Admins, update your databases to avoid the MySQL bug”.
While programming, it’s easy to get tunnel vision, or to accept some “tiny” risk that things could go wrong at some point and write the code that way anyway. That’s what happened with MySQL and MariaDB. Creating a database should not create a vulnerability, but it does, because a repair operation changes the permissions of a file addressed only by a particular name, and a bad guy who can substitute a file of that name gets the permission change applied to malicious code instead…
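To show the defect class the post describes, here is an added example (not the post's own code and not MySQL's or MariaDB's) contrasting a permission change addressed by file name with one that verifies the object it actually opened before changing its mode; the scratch directory, the hypothetical file names and the symlink swap are constructed for the demonstration and assume a POSIX host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: the mode is applied to whatever currently carries
 * the name, e.g. a symlink another local user planted there. */
int chmod_by_name(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Safer pattern: never follow a symlink, inspect the object actually
 * opened, and apply the mode to the descriptor rather than the name. */
int chmod_verified(const char *path, mode_t mode, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                    /* ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;  /* not the file we expect */
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario in a scratch directory: the name "repair.MYD"
 * (hypothetical) is swapped for a symlink to "victim". Returns 1 when
 * chmod_by_name followed the link and loosened victim's mode while
 * chmod_verified refused, 0 otherwise. */
int demo_symlink_swap(void) {
    char dir[] = "/tmp/chmod-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[64], victim[64];
    snprintf(target, sizeof target, "%s/repair.MYD", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(victim, target) != 0) return 0;  /* the substitution */
    struct stat st;
    int unsafe_followed = chmod_by_name(target, 0666) == 0
        && stat(victim, &st) == 0 && (st.st_mode & 0777) == 0666;
    int safe_refused = chmod_verified(target, 0666, getuid()) == -1
        && errno == ELOOP;
    unlink(target); unlink(victim); rmdir(dir);
    return unsafe_followed && safe_refused;
}

/* Sanity check: on a genuine regular file the verified path works. */
int demo_regular_file(void) {
    char path[] = "/tmp/chmod-demo-file-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    struct stat st;
    int ok = chmod_verified(path, 0640, getuid()) == 0
        && stat(path, &st) == 0 && (st.st_mode & 0777) == 0640;
    unlink(path);
    return ok;
}
```

The ownership and link-count checks matter as much as O_NOFOLLOW: a hard link or a file another user created under the expected name would pass a symlink-only check.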

So far, the version I have on my machine is affected. I hope TLW does not intend to take over Beast III. This is a serious disadvantage of running normal users on a single machine as both desktop and server, but at least my system is small enough that the risk is manageable. I have one such normal user, TLW, and she has enough trouble running desktop applications, let alone hacking servers, and she now has her own machine, Odroid-C2, and does not usually run processes here. Of course, I use MariaDB and desktop applications on Beast III every day, so I am my most dangerous enemy…

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

22 Responses to OOPS! MySQL Falls Down…

  1. DrLoser, not understanding software freedom, wrote, “Only the Three Freedoms that require no effort whatsoever on your part?”

    It’s not just about source code. The licence applies to binaries as well. I have a licence to use the binary built and tested by someone else. That’s also efficient, reducing web-bandwidth and CPU-time to build locally. If I wanted to remove or add some feature or build with a different set of libraries I could of course download the source-code and go to work with it. That’s freedom, having the choice.

  2. oiaohm says:

    DrLoser, you did not read far; the example is on this page.
    http://mrpogson.com/2016/11/06/oops-mysql-falls-down/#comment-357852
    “I don’t go on blogs and post that I have Marfan Syndrome, so this gives me an advantage to picking citrus fruit.”
    I never said that it gave an advantage; dougman made up that lie. Marfan Syndrome is no help to citrus fruit picking, which is an endurance sport where the dehydration issue outweighs any physical advantage. I have never said Marfan Syndrome gives me an advantage in fruit picking, because it does not.

    “No wonder you make for a top-gun citrus picker, Marfan Syndrome gives people long ass arms.”
    This shows incompetence commenting on a field you don’t know. Having longer arms does not make you a better citrus picker in all countries. Do you think longer arms are that helpful if you have to climb to the centre of a tree for some reason? In fact, having Marfan Syndrome with the longer arms is dangerous in citrus picking in Australia, because from a ladder you are reaching too far sideways from the ladder, so risking the complete ladder becoming unstable and ending up seriously hurt/dead.

    In fact, falling from a 14 foot ladder, as is used in citrus picking, as a person with pure Marfan Syndrome risks death due to dislocated ribs preventing breathing.

    In Australia we use ladders to pick citrus fruit. So Australian gun pickers don’t get any advantage from Marfan Syndrome; it is just a disadvantage in the form of a high risk of death by dehydration or falling. Now in New Zealand, where all citrus picking is done from the ground, that is a different matter: the longer arms can be some advantage as long as they are not pure Marfan Syndrome and have some other mutation countering the higher dehydration rate caused by the missing protein.

    Just because I ignored this idiot comment by dougman, dougman goes ahead and believes it is fact, then turns it into a lie that he proceeds to spread.

    DrLoser, I am not surprised you failed to see it, as you are guilty of doing the same thing of presuming that when someone does not fight back you have the correct information.

  3. DrLoser says:

    “Really dougman, how many times are you going to make up lies about me to attempt to win before you wake up that this is exactly what you are doing?”

    I haven’t seen a single instance of dougman “making up [a] lie” about you yet, Fifi. You are fantasising, as you always do.

    A cite might be appropriate, little tatterdemalion red leather mini-skirted lamp-post dwelling one?

    We all know how you have a massive database of linkies. Just a single one, please.

  4. DrLoser says:

    “I installed directly from MariaDB.org.”

    Definitionally most trustworthy.

    And yet, no examination of the code? Only the Three Freedoms that require no effort whatsoever on your part?

    Tut-tut, Robert. Tut-tut.

  5. oiaohm says:

    Really dougman, how many times are you going to make up lies about me to attempt to win before you wake up that this is exactly what you are doing?

  6. oiaohm says:

    “I don’t go on blogs and post that I have biological issues that cause wireless routers to drop offline.”
    Please note I talked about this on IRC; then, to attempt to make a point, idiots like you post it everywhere, so I have to explain it. If you had never mentioned it, I would have never posted here about it. So that is your fault, not mine. Please start taking accountability for your own actions.

    But you are perfectly fine posting about someone else, dougman. Are you going to say sorry for bringing it here as well? Or are you too small to do that as well?

    “I don’t go on blogs and post that I have Marfan Syndrome, so this gives me an advantage to picking citrus fruit.”
    I did not say that it gave me an advantage; that was you saying it gave me an advantage. Please note I said I was not pure Marfan Syndrome, so do I have the exact Marfan Syndrome body ratios? The answer is no, I don’t, because the oversized limbs are caused by the higher elasticity than normal. So this is you believing your made-up lie, dougman. You were the one who claimed a person with Marfan Syndrome would have an advantage, only possibly true if they are pure, but that is offset by faster dehydration in heat due to the missing protein.

    “I don’t go on blogs and post that I have dyslexia, as my reasoning due to not being able to compose a functioning sentence.”
    So if you have a disability affecting your ability to read or write that is causing issues, you will not admit to it; this explains a lot of your errors, dougman. So I am truthful on this stuff and you are a pure fib teller.

    “I don’t go on blogs and post that my writing style is special, and scientific in nature and analogous to doctors.”
    Scientific English was created to deal with language trouble, because science has had to operate across language barriers for a long time. So there was a simpler form of English created. So part of treating dyslexia at times is learning Scientific English instead of standard English, and of course that leaves behind side effects.

    So fairly much every one of your points is you wanting me to lie or not answer your demands.

  7. dougman says:

    “Dougman lets just say the faults you most see in other people are faults you have your self that you never admit.”

    I don’t go on blogs and post that I have dyslexia, as my reasoning due to not being able to compose a functioning sentence.

    I don’t go on blogs and post that my writing style is special, and scientific in nature and analogous to doctors.

    I don’t go on blogs and post that I have biological issues that cause wireless routers to drop offline.

    I don’t go on blogs and post that I paint my face black and dance the macarena, while jumping around looking like Harambe.

    I don’t go on blogs and post that I have Marfan Syndrome, so this gives me an advantage to picking citrus fruit.

    The list is endless and you are just making yourself more of a fool than you already are, which coincidentally I did not think was possible.

  8. oiaohm says:

    “But lets be real, you are full of sh1t! About the only thing wrong with you, is your lack of comprehension, reading level, writing and intelligence. I dare say, your emotional quotient is such that you will never procreate either, which is a relief!”
    Dougman, let’s just say the faults you most see in other people are faults you have yourself that you never admit.

  9. oiaohm says:

    http://www.cbsnews.com/news/romell-broom-court-inmate-who-survived-09-execution-can-be-put-to-death/
    dougman, the reality is there is a real case matching those conditions. Not everything on Empire News is 100 percent fiction. I could dig out the real case; it is not in Tennessee. Altering the state, names and years lets different things be published. The state you are looking into is Ohio. The reason this case was arguing about whether the lethal drug went into the bloodstream or not was due to the prior case of a person getting out of jail free due to a failed execution. This would require you going to Ohio and accessing court records under freedom of information.

    Sorry dougman you just failed even harder.

  10. dougman says:

    No wonder you make for a top-gun citrus picker, Marfan Syndrome gives people long ass arms.

    But let’s be real, you are full of sh1t! About the only thing wrong with you is your lack of comprehension, reading level, writing and intelligence. I dare say your emotional quotient is such that you will never procreate either, which is a relief!

  11. oiaohm says:

    dougman, basically you cannot take the fact you did not know what “no one” means, or that Deaf Spy was totally wrong by the numbers on the security of closed source vs open source. So you have gone googling attempting to find something I did wrong in the past so you don’t have to admit that you are an incomplete idiot who is a liar and a fraud to yourself.

    So dougman, you are a troll who resorts to personal attacks whenever you lose.

  12. dougman says:

    Ermmm…ummmm…regarding the Empirenews piece.

    About / Disclaimer – Empire News is intended for entertainment purposes only. Our website and social media content uses only fictional names, except in cases of public figure and celebrity parody or satirization. Any other use of real names is accidental and coincidental.

    http://empirenews.net/about-disclaimer/

    Please fail harder! LMAO!!

  13. oiaohm says:

    Marfan Syndrome: the missing protein means I have this. This does not have any effect on giving blood. The 3 unique proteins mean I don’t have most of the downsides of Marfan Syndrome. Found with me taking part in a research project into this fault.

    “You will not be able to stretch and bend without constantly tearing bits and pieces of it.”
    That is the issue. Marfan Syndrome gives over-flexibility of the cell membrane. I have proteins close to those of bacteria/plants that give my cells a part cell wall, and that rigidity counters the fault of Marfan Syndrome. That is why they are for sure unique. Humans normally don’t have a cell wall, even a part one; other than direct blood relations, no one else is documented with this. So my cell membrane is part way between cell wall and cell membrane, and it differs from cell to cell: some cells are very close to normal human, but my red blood cells and my connective tissue contain a part cell wall so are not normal human.

    The Red Cross documents rare cases of matched blood type and adverse effect. The Red Cross sites do not give the complete list of reasons why people are excluded from giving blood. If you give blood and your blood causes an adverse effect you get blacklisted, and if the possibility of your blood giving an adverse effect is documented by a genetic illness research project you are listed with the Red Cross and blackballed from giving blood. Of course the general population does not need to know this; we are talking about 1 in 200 million needing to be blacklisted due to uniqueness, so about 50-70 people worldwide are basically born with blood that will kill if given to a person of matching blood type.

    “Oh my!…mister electrical engineer, you are NOT! A human being’s skin can handle ANY voltage. Take a van de graaff generator, which is easily capable of building an electrostatic potential of 500,000 volts.”
    Live 240 is referring to the normal 10A 240 wall socket voltage.
    “~1/10th of an ampere” – this is not true; the strongest human to electricity can take way more than that.
    http://www.odditycentral.com/news/meet-raj-mohan-nair-the-super-human-immune-to-electrecution.html
    So the amount of amperage required to kill you is directly based on your DNA and the skin construction you have. The weakest humans to electricity will die at ~1/10th of an ampere; for the strongest, 12+ amps across the skin is not even going to burn them.
    http://empirenews.net/death-row-inmate-survives-execution-released-from-prison/
    The scary part is that high amperage resistance has been used as a get out of jail free card in the USA. Sodium thiopental does not work on those who have a part cell wall, but I don’t have the high amp resistance; I do have a difference in conductivity compared to average. So that death row inmate could have a different variation of it.

    Biology 101 covers basic common human biology; it does not cover the rarer varieties of humans. You quote Biology 101 electrical resistance, not the maximum rare humans can take. Of course if you compare what I said to Biology 101 it appears wrong, because what I have does not match what Biology 101 says.

    So yes, I have a unique cell wall construction, and it is unique because humans are not meant to have a cell wall of any form on any cells, but a cell membrane on all cells; that is not the case for me. So since I have this I can do a few things a normal human can never do.

    Sorry dougman, again you are believing general information without having enough understanding to comment at all. So I told the absolute truth, yet you called it a lie again because you don’t understand enough to comment on the subject.

  14. dougman says:

    “my body has 3 unique proteins”

    Oh?….how did you determine this? What methodology did you use? Could you even name the proteins? I find it ironic that you could possibly even know this information, when current medical science cannot even determine the total number of proteins in human cells. Hint: estimated to be between 250,000 and one million.

    “I cannot give you blood even if your blood type exactly matches mine because my blood possibly toxic and gives me quite a different effects on radio signals that will pass through my body or be reflected”

    It’s funny that you say you cannot give blood, but the Red Cross does not list your supposed condition as a reason for ineligibility.

    http://www.redcrossblood.org/donating-blood/eligibility-requirements/eligibility-criteria-alphabetical-listing

    “the unique cell wall construction I have.”

    Unique you say? Obviously, you know that humans do not have a cellular wall; we share a cellular membrane. See, plants have hard outer layers. Imagine your skin suddenly taking the texture and properties of a plant’s cell wall. You will not be able to stretch and bend without constantly tearing bits and pieces of it. The very things that are supposed to protect you from outside pathogens will not suit their function well. Humans instead have specialized skin cells that allow the organism to move around freely while still doing the job of keeping out pathogens. You failed biology 101!

    “Its the same reason you find people able to handle live 240 on their skin.”

    Oh my!…mister electrical engineer, you are NOT! A human being’s skin can handle ANY voltage. Take a Van de Graaff generator, which is easily capable of building an electrostatic potential of 500,000 volts. In reality, it’s NOT the amount of voltage that kills you; it IS the amount of amperage that will do so, which is ~1/10th of an ampere. This equals about 0.1 coulomb/second, or 6.24e+17 electrons. Go study Ohm’s law.

    The harder you try, Fifi, the harder you fail.

  15. oiaohm says:

    dougman, the reason my body messes with wifi so badly is that, unlike most people, my body does not produce 1 standard human protein at all, and my body has 3 unique proteins; that means I cannot give you blood even if your blood type exactly matches mine, because my blood is possibly toxic, and it gives quite different effects on radio signals that pass through my body or are reflected. In fact, since 2012 I have learnt how to avoid interfering as much, and why some days I was way worse than others. The factor is hydration as well as state of mind affecting blood flow, combined with the unique cell wall construction I have.

    Sorry, so the very thing you just pointed to is fact, not a lie. It’s the same reason you find people able to handle live 240 on their skin. DNA mutations create a lot of interesting features.

    So dougman, the reality is Deaf Spy’s point is defeated by the absolute truth of the numbers out there, and you just attempted to throw absolute truth about me in my face, you idiot. This is the problem: how much of what I have said is the absolute truth that you guys keep on thinking are lies.

    Sorry dougman, you cannot bear losing, right? So now you have to attempt to dig up something off topic to win, even worse bringing in something that is the truth to attempt to say I am not saying the truth.

  16. dougman says:

    “Lets go to a independent third party”

    Sure, Fifi…let’s review how you are a liar and a fraud.

    http://techrights.org/wp-content/uploads/2010/07/irc-log-31072010.html

    Scroll down about half way, use F3 or Ctrl-F and type “oiaohm”, look for the line that states “also have fun with wireless networks.” and read what was said.

    LOL….”At work I am not allowed inside 10 meters of the wireless access point while it working…On my bad days I get inside 10 meters of the wireless access point and everyone gets disconnected…My body seams to produce the right freq to screw up 2.4 ghz…I know I contain water but what is off..I can arc between fingers.”

  17. oiaohm says:

    http://www.coverity.com/press-releases/coverity-scan-open-source-report-shows-commercial-code-is-more-compliant-to-security-standards-than-open-source-code/

    Let’s go to an independent third party for numbers, Deaf Spy. The findable defect rate in commercial closed source code is higher than in open source code, and that is fact.

    Even so, it is rare to have absolutely perfect software from a security point of view.

    “This also refutes all your long-lasting claims that FLOSS just works for people, that it is inherently secure, and everyone can examine and fix the code.”
    The numbers say that closed source is inherently more insecure than open source, but open source is not perfect. Some of this is that open source is built by more parties using different methods, so digging out more faults by using a bigger variation in tools.

  18. Deaf Spy wrote, “how do you intend to resolve this particular issue?”

    I installed directly from MariaDB.org.

  19. Deaf Spy says:

    “I am my most dangerous enemy”

    I absolutely agree with you on this one, Robert.

    Not only do you fail to set up and administer your own environment in a proper, secure way. This also refutes all your long-lasting claims that FLOSS just works for people, that it is inherently secure, and everyone can examine and fix the code.

    So, for the fun, how do you intend to resolve this particular issue?

  20. oiaohm says:

    https://tools.cisco.com/security/center/viewAlert.x?alertId=39678

    “Good job there on the underlying security foundations, btw. “A file with a particular name?” How very *nix. How very stupid.”
    To be truthful, this fault in MySQL, compared to the Oracle and SQL Server faults that turn up, is quite a complex one. Normally with Oracle and SQL Server privilege exploits you can get there without having to cause a file name collision. Both Oracle and SQL Server have been attacked in the past by causing file name collisions.

    Just because something is open source does not mean it cannot make the same goofs as closed source.

    “I recommend all users, normal or abnormal, to Examine FLOSS Code. It is their right.”
    So I guess you are now saying don’t use closed source, DrLoser, because you cannot examine that source code and will suffer from the same faults as what is documented in the different CVE numbers and will not be told about it until many months later.

  21. dougman says:

    Database for what? Are you hosting wikileaks in Winnipeg??

  22. DrLoser says:

    “Creating a database should not create a vulnerability but it does, because a repair operation allows changing permissions of a file with a particular name which a bad guy could substitute with malicious code…”

    How could this happen, Robert? It’s FLOSS. And otiose though it is, one of the Four Freedoms is to Examine The Code.

    I recommend all users, normal or abnormal, to Examine FLOSS Code. It is their right.

    And apparently it’s essential if you need to “repair” things.

    Good job there on the underlying security foundations, btw. “A file with a particular name?” How very *nix. How very stupid.
