Hello community,
here is the log from the commit of package perl-DBD-mysql for openSUSE:Factory checked in at 2016-11-29 12:50:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-DBD-mysql (Old)
and /work/SRC/openSUSE:Factory/.perl-DBD-mysql.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-DBD-mysql"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-DBD-mysql/perl-DBD-mysql.changes 2016-11-22 18:59:00.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.perl-DBD-mysql.new/perl-DBD-mysql.changes 2016-11-29 12:50:09.000000000 +0100
@@ -1,0 +2,27 @@
+Tue Nov 29 06:18:42 UTC 2016 - coolo@suse.com
+
+- updated to 4.041
+ see /usr/share/doc/packages/perl-DBD-mysql/Changes
+
+ 2016-11-28 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.041)
+ * Fix use-after-free for repeated fetchrow_arrayref calls when
+ mysql_server_prepare=1
+
+ Function dbd_st_fetch() via Renew() can reallocate output buffer for
+ mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+ imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+ That leads to use-after-free in any mysql function which access
+ imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+
+ This patch fix this problem and properly updates pointer in imp_sth->stmt
+ structure after Renew() call.
+ This is a medium level security issue to which the Debian security team
+ assigned identifier CVE-2016-1251. Discovered and fixed by Pali Rohár.
+
+ * auto_reconnect now also matches CR_SERVER_LOST, previously this only
+ matched CR_SERVER_GONE.
+ Fixes http://bugs.mysql.com/bug.php?id=27613
+ Fix suggested by Wouter de Jong.
+ * Fix compilation fixes (Pali Rohár).
+
+-------------------------------------------------------------------
Old:
----
DBD-mysql-4.040.tar.gz
New:
----
DBD-mysql-4.041.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-DBD-mysql.spec ++++++
--- /var/tmp/diff_new_pack.E0WUXb/_old 2016-11-29 12:50:10.000000000 +0100
+++ /var/tmp/diff_new_pack.E0WUXb/_new 2016-11-29 12:50:10.000000000 +0100
@@ -17,7 +17,7 @@
Name: perl-DBD-mysql
-Version: 4.040
+Version: 4.041
Release: 0
%define cpan_name DBD-mysql
Summary: MySQL driver for the Perl5 Database Interface (DBI)
++++++ DBD-mysql-4.040.tar.gz -> DBD-mysql-4.041.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/Changes new/DBD-mysql-4.041/Changes
--- old/DBD-mysql-4.040/Changes 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/Changes 2016-11-28 21:19:51.000000000 +0100
@@ -1,3 +1,24 @@
+2016-11-28 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.041)
+* Fix use-after-free for repeated fetchrow_arrayref calls when
+ mysql_server_prepare=1
+
+ Function dbd_st_fetch() via Renew() can reallocate output buffer for
+ mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+ imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+ That leads to use-after-free in any mysql function which access
+ imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+
+ This patch fix this problem and properly updates pointer in imp_sth->stmt
+ structure after Renew() call.
+ This is a medium level security issue to which the Debian security team
+ assigned identifier CVE-2016-1251. Discovered and fixed by Pali Rohár.
+
+* auto_reconnect now also matches CR_SERVER_LOST, previously this only
+ matched CR_SERVER_GONE.
+ Fixes http://bugs.mysql.com/bug.php?id=27613
+ Fix suggested by Wouter de Jong.
+* Fix compilation fixes (Pali Rohár).
+
2016-11-19 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.040)
* Since 4.038 we had problems compiling on big-endian architectures, such
as MIPS, s390 and Sparc. Thanks to Salvatore Bonaccorso @ Debian project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/META.json new/DBD-mysql-4.041/META.json
--- old/DBD-mysql-4.040/META.json 2016-11-19 20:55:49.000000000 +0100
+++ new/DBD-mysql-4.041/META.json 2016-11-28 21:39:20.000000000 +0100
@@ -57,7 +57,7 @@
"x_IRC" : "irc://irc.perl.org/#dbi",
"x_MailingList" : "mailto:dbi-dev@perl.org"
},
- "version" : "4.040",
+ "version" : "4.041",
"x_contributors" : [
"Alexandr Ciornii ",
"Alexey Molchanov ",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/META.yml new/DBD-mysql-4.041/META.yml
--- old/DBD-mysql-4.040/META.yml 2016-11-19 20:55:49.000000000 +0100
+++ new/DBD-mysql-4.041/META.yml 2016-11-28 21:39:20.000000000 +0100
@@ -30,7 +30,7 @@
homepage: http://dbi.perl.org/
license: http://dev.perl.org/licenses/
repository: https://github.com/perl5-dbi/DBD-mysql
-version: '4.040'
+version: '4.041'
x_contributors:
- 'Alexandr Ciornii '
- 'Alexey Molchanov '
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/dbdimp.c new/DBD-mysql-4.041/dbdimp.c
--- old/DBD-mysql-4.040/dbdimp.c 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/dbdimp.c 2016-11-28 21:16:27.000000000 +0100
@@ -1426,6 +1426,7 @@
{
dTHX;
DBISTATE_INIT;
+ PERL_UNUSED_ARG(dbistate);
}
@@ -1448,7 +1449,6 @@
{
dTHX;
D_imp_xxh(h);
- STRLEN lna;
SV *errstr;
SV *errstate;
@@ -1469,7 +1469,7 @@
/* NO EFFECT DBIh_EVENT2(h, ERROR_event, DBIc_ERR(imp_xxh), errstr); */
if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
PerlIO_printf(DBIc_LOGPIO(imp_xxh), "%s error %d recorded: %s\n",
- what, rc, SvPV(errstr,lna));
+ what, rc, SvPV_nolen(errstr));
if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
PerlIO_printf(DBIc_LOGPIO(imp_xxh), "\t\t<-- do_error\n");
}
@@ -1481,7 +1481,6 @@
{
dTHX;
D_imp_xxh(h);
- STRLEN lna;
SV *errstr = DBIc_ERRSTR(imp_xxh);
sv_setiv(DBIc_ERR(imp_xxh), (IV)rc); /* set err early */
@@ -1489,7 +1488,7 @@
/* NO EFFECT DBIh_EVENT2(h, WARN_event, DBIc_ERR(imp_xxh), errstr);*/
if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
PerlIO_printf(DBIc_LOGPIO(imp_xxh), "%s warning %d recorded: %s\n",
- what, rc, SvPV(errstr,lna));
+ what, rc, SvPV_nolen(errstr));
warn("%s", what);
}
@@ -2302,7 +2301,11 @@
dTHR;
#endif
dTHX;
+#if defined(DBD_MYSQL_EMBEDDED)
D_imp_xxh(drh);
+#else
+ PERL_UNUSED_ARG(drh);
+#endif
#if defined(DBD_MYSQL_EMBEDDED)
if (imp_drh->embedded.state)
@@ -4047,6 +4050,8 @@
Renew(fbh->data, fbh->length, char);
buffer->buffer_length= fbh->length;
buffer->buffer= (char *) fbh->data;
+ imp_sth->stmt->bind[i].buffer_length = fbh->length;
+ imp_sth->stmt->bind[i].buffer = (char *)fbh->data;
if (DBIc_TRACE_LEVEL(imp_xxh) >= 2) {
int j;
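Review bot: The two added assignments write through `imp_sth->stmt->bind[i]`, which is the client library's own copy of the bind array rather than a DBD-owned structure, and nothing at the site explains why both copies must be updated. A stale pointer here is what the Changes entry describes as the use-after-free (CVE-2016-1251), so I would put a comment above them, for example `/* mysql_stmt_bind_result() left its own bind copy in stmt->bind; repoint it too, since Renew() may have moved and freed the old buffer */`. The fix also relies on the MYSQL_STMT layout exposed by the client headers, so it should be confirmed to build against every client library the driver supports. The enclosing function starts and ends outside this hunk, so I cannot tell whether another path also resizes `fbh->data` without the same update.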
@@ -4907,7 +4912,7 @@
char *buffer= NULL;
int buffer_is_null= 0;
int buffer_is_unsigned= 0;
- int buffer_length= slen;
+ int buffer_length= 0;
unsigned int buffer_type= 0;
#endif
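Review bot: `buffer_length` is still declared `int` after this change, although it holds a byte length. The old initialiser copied it from `slen`, so it is presumably assigned from a `STRLEN` later in the function, outside this hunk. If so, a value above INT_MAX would be truncated or turn negative before it reaches the bind structure. Declaring it as `unsigned long buffer_length= 0;`, the type of `MYSQL_BIND.buffer_length`, would remove that narrowing.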
@@ -5123,7 +5128,8 @@
else
imp_dbh= (imp_dbh_t*) imp_xxh;
- if (mysql_errno(imp_dbh->pmysql) != CR_SERVER_GONE_ERROR)
+ if (mysql_errno(imp_dbh->pmysql) != CR_SERVER_GONE_ERROR &&
+ mysql_errno(imp_dbh->pmysql) != CR_SERVER_LOST)
/* Other error */
return FALSE;
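Review bot: Widening the check to `CR_SERVER_LOST` lets the reconnect path run for connections that dropped while a statement was in flight, and the hunk carries no comment on what that means for callers. After such a loss the server may already have applied the statement, and the new connection has none of the old session's state (open transaction, temporary tables, session variables), so a transparent retry is not always safe. Whether the rest of this function or its callers guard against that lies outside the hunk. I would at least record it here, for example `/* CR_SERVER_LOST can arrive mid-query: the statement may already have run and session state is gone after reconnect */`. As a smaller style point, `mysql_errno(imp_dbh->pmysql)` is now called twice and could be read once into a local.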
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/lib/Bundle/DBD/mysql.pm new/DBD-mysql-4.041/lib/Bundle/DBD/mysql.pm
--- old/DBD-mysql-4.040/lib/Bundle/DBD/mysql.pm 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/lib/Bundle/DBD/mysql.pm 2016-11-28 21:20:44.000000000 +0100
@@ -3,7 +3,7 @@
use strict;
use warnings;
-our $VERSION = '4.040';
+our $VERSION = '4.041';
1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/lib/DBD/mysql.pm new/DBD-mysql-4.041/lib/DBD/mysql.pm
--- old/DBD-mysql-4.040/lib/DBD/mysql.pm 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/lib/DBD/mysql.pm 2016-11-28 21:20:44.000000000 +0100
@@ -15,7 +15,7 @@
# SQL_DRIVER_VER is formatted as dd.dd.dddd
# for version 5.x please switch to 5.00(_00) version numbering
# keep $VERSION in Bundle/DBD/mysql.pm in sync
-our $VERSION = '4.040';
+our $VERSION = '4.041';
bootstrap DBD::mysql $VERSION;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/t/40server_prepare_crash.t new/DBD-mysql-4.041/t/40server_prepare_crash.t
--- old/DBD-mysql-4.040/t/40server_prepare_crash.t 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/t/40server_prepare_crash.t 2016-11-28 21:16:27.000000000 +0100
@@ -10,11 +10,22 @@
my $dbh = eval { DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 1, AutoCommit => 0, mysql_server_prepare => 1, mysql_server_prepare_disable_fallback => 1 }) };
plan skip_all => "no database connection" if $@ or not $dbh;
-plan tests => 17;
+plan tests => 39;
-ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n TEXT)");
+my $sth;
-ok my $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
+ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n LONGBLOB)");
+
+ok $sth = $dbh->prepare("INSERT INTO t(i, n) VALUES(?, ?)");
+ok $sth->execute(1, "x" x 10);
+ok $sth->execute(2, "x" x 100);
+ok $sth->execute(3, "x" x 1000);
+ok $sth->execute(4, "x" x 10000);
+ok $sth->execute(5, "x" x 100000);
+ok $sth->execute(6, "x" x 1000000);
+ok $sth->finish();
+
+ok $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
ok $sth->bind_param(2, "x" x 1000000);
ok $sth->bind_param(1, "abcx", 12);
@@ -34,6 +45,34 @@
ok $sth->execute((1) x (10001));
ok $sth->finish();
+my $test;
+ok $sth = $dbh->prepare("SELECT i,n FROM t WHERE i = ?");
+
+ok $sth->execute(1);
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(2);
+$test = map { $_ } 'a';
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(3);
+$test = map { $_ } 'b' x 10000000; # try to reuse released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(4);
+$test = map { $_ } 'cd' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(5);
+$test = map { $_ } 'efg' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(6);
+$test = map { $_ } 'hijk' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->finish();
+
ok $dbh->do("SELECT 1 FROM t WHERE i = ?" . (" OR i = ?" x 10000), {}, (1) x (10001));
ok $dbh->disconnect();
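Review bot: The new fetch checks only assert that `fetchrow_arrayref()` returns something true, so this regression test for the use-after-free passes whenever the process does not crash, even if the returned column holds corrupted data. Each fetch should also verify the payload, for example `my $row = $sth->fetchrow_arrayref();` followed by `is length($row->[1]), 1000, 'row 3 payload intact';` for the `execute(3)` case, with `plan tests` raised to match. The `$test = map { $_ } ...` lines evaluate `map` in scalar context, so `$test` only receives an element count and the large string is a temporary. That appears to be the intent, but the comments ("try to reuse of released memory") should say it explicitly, and should note that the test depends on allocator behaviour and cannot guarantee the freed block is reused.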
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/DBD-mysql-4.040/t/rt85919-fetch-lost-connection.t new/DBD-mysql-4.041/t/rt85919-fetch-lost-connection.t
--- old/DBD-mysql-4.040/t/rt85919-fetch-lost-connection.t 2016-08-01 08:26:44.000000000 +0200
+++ new/DBD-mysql-4.041/t/rt85919-fetch-lost-connection.t 2016-11-28 21:16:21.000000000 +0100
@@ -36,8 +36,16 @@
1;
};
if (not $ok) {
- is ( $DBI::err, 2006, 'Received error 2006' );
- is ( $DBI::errstr, 'MySQL server has gone away', 'Received MySQL server has gone away');
+ # if we're connected via a local socket we receive error 2006
+ # (CR_SERVER_GONE_ERROR) but if we're connected using TCP/IP we get
+ # 2013 (CR_SERVER_LOST)
+ if ($DBI::err == 2006) {
+ pass("received error 2006 (CR_SERVER_GONE_ERROR)");
+ } elsif ($DBI::err == 2013) {
+ pass("received error 2013 (CR_SERVER_LOST)");
+ } else {
+ fail('Should return error 2006 or 2013');
+ }
eval { $sth->finish(); } if defined $sth;
eval { $dbh->disconnect(); } if defined $dbh;
}
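Review bot: The `fail('Should return error 2006 or 2013')` branch does not report which error code was actually received, so a failure on an unexpected client or server combination leaves nothing to diagnose from the TAP output. I would include the value, for example `fail('Should return error 2006 or 2013, got ' . (defined $DBI::err ? $DBI::err : 'undef'));`, which also makes the undefined case visible. That case otherwise only shows up as a numeric-comparison warning from the two `==` tests above it. The removed `$DBI::errstr` check is not replaced, so the test no longer confirms that the message matches the code; if that is deliberate, a short comment would help.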