Recently Oracle accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, whose change notes referred to "Security Fix: Bug #13510739 and Bug #63775 were fixed" with no other details on the problems. It is a common practice to withhold details of issues which could be used against older versions of software; even the bug reports for 13510739 and 63775 are not yet publicly available.

But, as security researcher Eric Romang found, Oracle also shipped the new MySQL versions with a development script "mysql-test/suite/innodb/t/innodb_bug13510739.test" in the source which appears to be not only part of the automated testing for MySQL, but also a proof of concept for the flaw which crashes MySQL 5.5.21 and earlier versions. Romang posted the script on Pastebin; it requires authenticated access and appropriate privileges to be run, which mitigates the problem somewhat.

This incident demonstrates that, especially with applications where the buildable and testable source code is released, if a company is going to adopt a non-disclosure policy, it really is necessary to make sure that absolutely no information leaks out in the form of test scripts. A better path for companies is to adopt a policy where they fully document what they have fixed and release test scripts for administrators to test their installations; trying to hide security bug fixes makes no sense when criminals and other bad actors are already looking for them and will find plenty of hints in the code itself.

(djwm)