June 3, 2006

Consortium brings open source database projects together

Author: Joe 'Zonker' Brockmeier

It's no coincidence that PostgreSQL and MySQL released fixes for a SQL injection vulnerability within the last week. The SQL injection vulnerability find marks the first security collaboration between Open Source Database Consortium (OSDBC) members, but it probably won't be the last.

The OSDBC was formed at the first Open Source Database Conference (OpenDBCon) last year in Germany. According to Zak Greant, who was the lead organizer of OpenDBCon and who with Arjen Lenz of MySQL helped get the OSDBC off the ground, the idea behind the consortium is to share information between the various open source database projects that can help improve "the entire class of free software/open source database solutions."

Historically, PostgreSQL and MySQL have been seen as rivals, but Josh Berkus, PostgreSQL Core Team member, says that the project developers are willing to set differences aside to deal with common problems. "Rivalry between projects isn't going to stand in the way of sharing important security information. After all, sharing data is one of the major advantages of Open Source development."

Kaj Arnö, MySQL's vice president of open source community relations, says that the group has communicated about other issues, but that the security fix is the first to directly benefit the end user.

Catching the bug

The vulnerability was discovered by Akio Ishida, Tatsuo Ishii, and Yasuo Ohgaki in March. Ohgaki and Ishida are members of the Japanese PostgreSQL User Group, and Ishii is an employee of SRA OSS Japan. The researchers were studying PostgreSQL and other open source software for the IPA security center. Ishii reported the vulnerability to the PostgreSQL team, and the PostgreSQL team verified that it was a real problem.

After the vulnerability was verified to affect PostgreSQL, it was passed on to other members of the OSDBC to allow other open source database projects to see if they were also vulnerable. According to Berkus, the Derby, SQLite, and BerkeleyDB databases were examined and did not have the vulnerability. However, the vulnerability was found to affect MySQL, and MySQL developer Sergei Golubchik began working on a fix for MySQL that was released Wednesday.

Arnö points out that the common vulnerability is not the result of shared code, but the result of the "complexities of underlying code" that deals with multibyte character encodings. This is exactly the sort of area where different open source database projects can collaborate and deal with common issues. Arnö and Berkus agree that it's possible that this vulnerability may be present in proprietary databases as well, given the nature of the vulnerability.

Future collaboration

Right now, collaboration between the open source database projects is fairly minimal -- Arnö says that collaboration is on an "incident" basis, but at least it's a start. "We really strive for things like this to be areas where we can help each other. I hope next time we can return the favor."

The collaboration isn't entirely limited to security, either. Arnö also mentioned that MySQL has been releasing a sample database called Sakilaunder a BSD license -- which makes it compatible with PostgreSQL licensing as well. MySQL AB uses the GNU General Public License (GPL) for the open source releases of MySQL, while the PostgreSQL team uses the BSD license.

Having a common forum for discussion and collaboration between open source projects has worked out well for the participants in freedesktop.org. If the OSDBC is half as successful, it should be good news for all open source database users.

Click Here!