Security bug http://bugs.mysql.com/bug.php?id=64884 Already fixed in MariaDB 5.1.62+/5.5.23+ Depends on the result of check_scramble being cast to char directly. diff -Nuar mysql.orig/sql/password.c mysql/sql/password.c --- mysql.orig/sql/password.c 2012-03-02 11:44:47.000000000 -0800 +++ mysql/sql/password.c 2012-04-21 10:59:39.502744613 -0700 @@ -531,7 +531,7 @@ mysql_sha1_reset(&sha1_context); mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE); mysql_sha1_result(&sha1_context, hash_stage2_reassured); - return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE); + return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE)); }