[Bug 1022428] New: VUL-0: mariadb: Use after free in libmysqlclient.so
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sat, 28 Jan 2017 11:49:34 +0000
  • Message-id: <bug-1022428-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1022428


Bug ID: 1022428
Summary: VUL-0: mariadb: Use after free in libmysqlclient.so
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/213
===================================================
The C client library for MySQL (libmysqlclient.so) has a use-after-free defect
which can cause crashes of applications using that MySQL client.

The defect occurs by calling the mysql_close() function from libmysqlclient.so.
If mysql_close() is called before calling all mysql_stmt_close() (for
all allocated stmts), then the following mysql_stmt_close() call tries to
write to already released memory. mysql_close() lets a dangling pointer
exist for prepared statements. The real problem is in the function
mysql_prune_stmt_list() which incorrectly iterates over elements.
The function list_add() overwrites the ->next pointer of the current element which
overwrites the next element for iteration.

Basically it is just wrong usage of the linked list structure.

Languages in which the order of executing destructors of created objects
is not guaranteed have a big problem, as such writing to memory pointed to
by a dangling pointer can cause a crash of the whole application.

E.g. libmysqlclient.so used by the perl DBD::mysql driver causes a crash of
the whole perl process with a simple script:

perl -MDBI -e '
$dbh = DBI->connect("dbi:mysql:", "root", undef,
{RaiseError => 1, mysql_server_prepare => 1});
$sth1 = $dbh->prepare("SELECT 1");
$sth2 = $dbh->prepare("USE mysql");
$dbh->disconnect;
$dbh = undef;
'
Segmentation fault

Tested on amd64 Ubuntu 12.04 LTS with perl 5.14.2. To reproduce, change the
username, password and host where the mysql server is running. Valgrind can
prove that memory corruption really occurs.

This defect was fixed in the MySQL 5.6.21 and MySQL 5.7.5 releases. But it is
present in all MySQL 5.5 versions (and also older) and the corresponding older
5.6 and 5.7 versions. MySQL 5.5 is still used, supported and included in a
lot of linux distributions.

Moreover this defect is present also in MariaDB releases. I tested all
last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all those are
affected.

MySQL and MariaDB also provide a standalone package with only the C client
library libmysqlclient.so (without server) under the name "Connector/C", and
so the corresponding versions of it are affected too.

I found that this defect was fixed in the MySQL git repository by commit:
https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93

That commit can be easily applied to the last MySQL 5.5.54 version and fixes
this defect.

It looks like the problem was already reported and is publicly available in the
MySQL bug tracker; see more details at the links:
https://bugs.mysql.com/bug.php?id=70429
https://bugs.mysql.com/bug.php?id=63363
(tickets are closed despite the fact that MySQL 5.5 and older are not fixed)
===================================================

https://software.opensuse.org/package/mariadb

TW: 5.5.29
42.(1|2): 10.0.28

Please check these versions in the context of the phrase "Moreover this defect is
present also in MariaDB releases. I tested all last major versions 10.2.3,
10.1.21, 10.0.29, 5.5.54 and all those are affected." Thanks!
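The iteration mistake described in the quoted oss-sec post, shown on a simplified model as an added example (this is constructed for illustration, not code from MySQL, MariaDB or the upstream fix): the intrusive list node, a head-inserting list_add() that rewrites the node's next pointer, a prune loop that keeps reading that pointer after relinking (so it walks off the original list and leaves the remaining statements with a dangling back-pointer), and the corrected loop that saves the successor first.

```c
#include <stddef.h>

/* Simplified model of the client library's intrusive list node (constructed
   for this example): 'keep' marks a statement that survives pruning,
   'detached' records that its back-pointer to the connection was cleared. */
typedef struct node { struct node *prev, *next; int keep, detached; } node_t;

/* Head insertion in the style of list_add(): it rewrites e->next, which is
   what derails a loop that still reads e->next to advance. */
static node_t *list_add(node_t *root, node_t *e) {
    e->next = root; e->prev = NULL;
    if (root) root->prev = e;
    return e;
}

/* Buggy walk: after a node is moved to 'pruned', e->next points into the
   pruned list, so the loop leaves the original list early and every
   remaining node keeps its dangling pointer. */
static node_t *prune_buggy(node_t *list) {
    node_t *pruned = NULL;
    for (node_t *e = list; e; e = e->next) {
        if (e->keep) pruned = list_add(pruned, e);
        else e->detached = 1;
    }
    return pruned;
}

/* Fixed walk: read the successor before the node is relinked. */
static node_t *prune_fixed(node_t *list) {
    node_t *pruned = NULL, *next;
    for (node_t *e = list; e; e = next) {
        next = e->next;
        if (e->keep) pruned = list_add(pruned, e);
        else e->detached = 1;
    }
    return pruned;
}

/* Run a pruner over the constructed list [keep, drop, drop] and return how
   many of the two 'drop' nodes were actually detached (correct answer: 2). */
int detached_after_prune(node_t *(*prune)(node_t *)) {
    node_t n[3] = {{0}};
    n[0].next = &n[1]; n[1].prev = &n[0];
    n[1].next = &n[2]; n[2].prev = &n[1];
    n[0].keep = 1;
    prune(&n[0]);
    return n[1].detached + n[2].detached;
}
```

With the buggy walk the two trailing nodes are never detached, which is the state in which a later mysql_stmt_close() would write through a pointer to the already freed connection; the fixed walk detaches both.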
