There are numerous places in the code where SQL statements are generated and written into the binary log. User-supplied identifiers (table names, field names, etc.) are not always properly quoted (for example, the proper quoted form of SPECI`AL is `SPECI``AL`), so authorized users that have privileges to modify a table (any non-temporary table) can inject arbitrary SQL into the binary log.

Such injected SQL will be executed by the slave or when a DBA does a mysqlbinlog|mysql style point-in-time recovery.

During the normal MySQL replication (master-slave, not mysqlbinlog|mysql), the options to exploit these vulnerabilities are somewhat limited by the fact, that the slave does not execute many statements, when it expects the one. So, one can not inject a new SQL statement. But one can extend the WHERE condition, or modify tables that he usually would have no access to.

Just to be clear: to exploit this one needs a valid account on the server and privileges to modify data.

To trigger the bug one can use, for example,

create temporary table temp(a int);

create table `a``b` (a int);

drop table `a``b`, temp;

show binlog events;

This issue was reported on MySQL bug tracker: http://bugs.mysql.com/66550

It has CVE identifier CVE-2012-4414

The patches are available on launchpad:

• http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3151.1.1
• http://bazaar.launchpad.net/~maria-captains/maria/5.2/revision/3163.1.1
• http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/3556.1.2
• http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/3508