Fix for MySQL Bug #22413 should be backported to LTS releases

Bug #161127 reported by Daniël van Eeden
Affects                 | Status       | Importance | Assigned to      | Milestone
mysql-dfsg-5.0 (Ubuntu) | Fix Released | Undecided  | Unassigned       |
Dapper                  | Fix Released | Medium     | Jamie Strandboge |

Bug Description

MySQL bug #22413[1] is fixed in mysql-dfsg-5.0 (5.0.32-1) and should be backported to the version in Ubuntu 6.06 LTS.

[1] http://bugs.mysql.com/bug.php?id=22413

Tags: crash dapper lts

Daniël van Eeden (dveeden) wrote :

mysql> show create view v_info_top50_tablecount\G
*************************** 1. row ***************************
       View: v_info_top50_tablecount
Create View: CREATE ALGORITHM=UNDEFINED DEFINER=`deeden`@`localhost` SQL SECURITY DEFINER VIEW `deeden`.`v_info_top50_tablecount` AS select sql_no_cache `v_info_tablecount`.`schema_name` AS `schema_name`,`v_info_tablecount`.`table_count` AS `table_count` from `deeden`.`v_info_tablecount` order by `v_info_tablecount`.`table_count` desc limit 50
1 row in set (0.00 sec)

mysql> show create view v_info_tablecount\G
*************************** 1. row ***************************
       View: v_info_tablecount
Create View: CREATE ALGORITHM=UNDEFINED DEFINER=`deeden`@`localhost` SQL SECURITY DEFINER VIEW `deeden`.`v_info_tablecount` AS select sql_no_cache `s`.`SCHEMA_NAME` AS `schema_name`,count(`t`.`TABLE_NAME`) AS `table_count` from (`information_schema`.`schemata` `s` left join `information_schema`.`tables` `t` on((`s`.`SCHEMA_NAME` = `t`.`TABLE_SCHEMA`))) group by `s`.`SCHEMA_NAME`
1 row in set (0.00 sec)

mysql> select count(*) from information_schema.tables;
+----------+
| count(*) |
+----------+
|     8519 |
+----------+
1 row in set (3.36 sec)

mysql> select count(*) from information_schema.schemata;
+----------+
| count(*) |
+----------+
|      247 |
+----------+
1 row in set (0.01 sec)

mysql> explain select * from v_info_top50_tablecount;
ERROR 2013 (HY000): Lost connection to MySQL server during query

Daniël van Eeden (dveeden) wrote :

0x8189e49 handle_segfault + 639
0xffffe420 _end + -140734800
0x8f65a18 _end + 9634984
0x825e889 _Z14get_all_tablesP3THDP13st_table_listP4Item + 1765
0x82590a6 _Z24get_schema_tables_resultP4JOIN23enum_schema_table_state + 308
0x81e4610 _ZN4JOIN4execEv + 2528
0x81e5ef5 _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_mP13select_resultP18st_select_lex_unitP13st_sel + 313
0x827a9f5 _Z21mysql_derived_fillingP3THDP6st_lexP13st_table_list + 249
0x827a89e _Z20mysql_handle_derivedP6st_lexPFbP3THDS0_P13st_table_listE + 78
0x81c26a1 _Z20open_and_lock_tablesP3THDP13st_table_list + 201
0x819cc7c _Z21mysql_execute_commandP3THD + 5872
0x81a2859 _Z11mysql_parseP3THDPcj + 337
0x81a2e23 _Z16dispatch_command19enum_server_commandP3THDPcj + 1259
0x81a3f5c _Z10do_commandP3THD + 134
0x81a4908 handle_one_connection + 2238
0xb7f7a341 _end + -1349235247
0xb7dcb4ee _end + -1351000194

Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu - the Hardy Heron.

Changed in mysql-dfsg-5.0:
status: New → Fix Released
Mathias Gug (mathiaz) wrote :

This bug has already been nominated for dapper. However I'm not sure that it fits the requirement for a stable release update: https://wiki.ubuntu.com/StableReleaseUpdates.

Daniël van Eeden (dveeden) wrote :

It can be used as a DoS attack, so I consider it a security vulnerability. It does not need many privileges so it is likely to occur under realistic circumstances.

Changed in mysql-dfsg-5.0:
assignee: nobody → jamie-strandboge
status: New → Triaged
Changed in mysql-dfsg-5.0:
assignee: jamie-strandboge → ubuntu-security
Changed in mysql-dfsg-5.0:
assignee: ubuntu-security → jamie-strandboge
importance: Undecided → Medium
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Got CVE-2006-7232 assigned for this issue. This issue will be fixed in the next update for mysql.

Jamie Strandboge (jdstrand) wrote :

A patch for this issue has been tested and introduced no regressions when tested. This fix will be part of a larger update, and if no regressions are found within this update, new packages will be uploaded to -proposed early next week for wider testing. After at least a week in -proposed, if no regressions are found, the packages will be moved to -security.

Jamie Strandboge (jdstrand) wrote :

This fix is part of a larger upgrade that is now available in -proposed. Please test and report results in bug #201009.

Changed in mysql-dfsg-5.0:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :
Changed in mysql-dfsg-5.0:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
