[dbsec] When is a security bug not a security bug?

• From: Chris Anley <chris@xxxxxxxxxxxxxxx>
• To: dbsec@xxxxxxxxxxxxx
• Date: Thu, 17 Nov 2005 15:09:12 +0000

(also posted to databasesecurity blog)

There's a common misunderstanding about vulnerabilities - security folks and managerial statistics weenies tend to believe that you can create a comprehensive list of security bugs.

For instance, quite a lot of people think that CVE already *is* a comprehensive list of security bugs. It isn't. If you're in the business of writing vulnerability scanning software (like I am) you soon realise that there are lots of little gaps.

Another problem is that even if you were to create a list of all published vulnerabilities, you still wouldn't have all of the security bugs, because some researchers don't issue advisories, and some vendors don't issue information about what was fixed in their security patches.

Still more worrying is the fact that there are a lot of bugs that have a serious security impact (such as crashing a service, exhausting processor or memory) that seem not to be considered security bugs by either the vendors or by security researchers.

Being a transparent organisation, MySQL post a list of the bugs that are fixed in each version in the documentation pages:

http://dev.mysql.com/doc/refman/5.0/en/news-5-0-16.html

Here are some of the bugs in the current production version (5.0.15) of MySQL. If you're running the latest version, you're vulnerable to these:

Server crash when running REPAIR, ANALYZE or OPTIMIZE TABLE on a view whose underlying table has been dropped:
http://bugs.mysql.com/bug.php?id=14540

Server crash using a prepared statement selecting from a view:
http://bugs.mysql.com/bug.php?id=14026

Server hang using rollup and procedure_analyse():
http://bugs.mysql.com/bug.php?id=14138

Update of a CSV table causes a server crash:
http://bugs.mysql.com/bug.php?id=13894

Now, I'd consider all four of those to be security bugs, or at least, bugs with a security impact. They crash the server and (mostly) don't require any special privileges to run. Looking back through the changelogs, there are a great many similar bugs that - as far as I know - no-one considers to be security flaws.

This issue isn't unique to MySQL - if you look through the logs of almost any large open source project you'll see much the same thing, and closed source software vendors are no different.

No-one is doing anything wrong here, it's just an interesting information point. The conclusion I'm reaching is that our current understanding of how many "security bugs" there are is out by an order of magnitude.

     -chris.

• Follow-Ups:
  • [dbsec] Re: When is a security bug not a security bug?
    • From: David Litchfield

Other related posts:

• » [dbsec] When is a security bug not a security bug?
• » [dbsec] Re: When is a security bug not a security bug?

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription