Bug 1012546 - (CVE-2016-1251) VUL-0: CVE-2016-1251: perl-DBD-mysql: use after free when using prepared statements
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/176896/
Whiteboard: CVSSv2:RedHat:CVE-2016-1251:5.1:(AV:N...
Depends on:
Blocks:
Reported: 2016-11-29 09:25 UTC by Alexander Bergmann
Modified: 2018-12-16 15:53 UTC (History)
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
lib.pl, put it in a folder called t (2.32 KB, application/x-perl)
2017-01-11 18:01 UTC, Sergio Rafael Lemke
1012546.pl (2.06 KB, application/x-perl)
2017-01-11 18:04 UTC, Sergio Rafael Lemke

Description Alexander Bergmann 2016-11-29 09:25:49 UTC
CVE-2016-1251

https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1

Fix use-after-free for repeated fetchrow_arrayref calls when mysql_server_prepare=1

Function dbd_st_fetch() via Renew() can reallocate the output buffer for the
mysql_stmt_fetch() call. But it does not update the pointer to that buffer in the
imp_sth->stmt structure initialized by the mysql_stmt_bind_result() function.
That leads to a use-after-free in any mysql function which accesses the
imp_sth->stmt structure (e.g. mysql_stmt_fetch()).

This patch fixes this problem and properly updates the pointer in the imp_sth->stmt
structure after the Renew() call.

Test 40server_prepare_crash.t is extended to check for that use-after-free
crash.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1251
http://seclists.org/oss-sec/2016/q4/536
https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1
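The stale-pointer sequence the commit message describes, as an added C model that is not DBD::mysql's or libmysqlclient's code: the driver owns the output buffer, the statement handle keeps a private copy of the bind taken at mysql_stmt_bind_result() time, and a reallocation during one fetchrow_arrayref() leaves that copy pointing at freed memory for the next one. The struct names (bind_t, stmt_t, imp_sth_t), the row data and the generation counter are constructed for this harness; a real MYSQL_STMT keeps no such counter, which is exactly why mysql_stmt_fetch() cannot notice the dangling pointer and writes into freed memory. With fixed == 1 the driver refreshes the pointer held by the statement after the reallocation, which is the change the upstream commit makes.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for MYSQL_BIND (constructed; only the fields the bug involves).
 * mysql_stmt_bind_result() copies it into the MYSQL_STMT, and mysql_stmt_fetch()
 * later writes column data through the copied pointer. */
typedef struct {
    char    *buffer;
    size_t   buffer_length;
    unsigned generation;   /* harness only: which allocation this bind refers to */
} bind_t;

/* Stand-in for MYSQL_STMT: the library's private copy of the bind. */
typedef struct { bind_t bound; } stmt_t;

/* Stand-in for the driver's imp_sth/fbh: it owns the output buffer
 * (fbh->data / fbh->length) and grows it with Renew() inside dbd_st_fetch(). */
typedef struct {
    stmt_t   stmt;
    char    *data;
    size_t   length;
    size_t   last_len;     /* bytes of the most recently fetched row */
    unsigned generation;   /* harness only: bumped on every (re)allocation */
} imp_sth_t;

enum { FETCH_OK = 0, FETCH_TRUNCATED = 1, FETCH_STALE_BIND = -1, FETCH_NOMEM = -2 };

/* mysql_stmt_bind_result() stand-in: the library snapshots the bind. */
static void bind_result(imp_sth_t *sth) {
    sth->stmt.bound.buffer        = sth->data;
    sth->stmt.bound.buffer_length = sth->length;
    sth->stmt.bound.generation    = sth->generation;
}

/* mysql_stmt_fetch() stand-in: writes the row through the pointer captured at
 * bind time, truncating to the bound length like the real library. The generation
 * check is the harness reporting the use-after-free instead of performing it. */
static int stmt_fetch(imp_sth_t *sth, const char *row, size_t row_len) {
    bind_t *b = &sth->stmt.bound;
    if (b->generation != sth->generation)
        return FETCH_STALE_BIND;       /* real library: write into freed memory */
    size_t n = row_len < b->buffer_length ? row_len : b->buffer_length;
    memcpy(b->buffer, row, n);
    sth->last_len = n;
    return row_len > b->buffer_length ? FETCH_TRUNCATED : FETCH_OK;
}

/* Renew() stand-in: the old block is released, so every copy of the old pointer,
 * including the one inside stmt.bound, is now dangling. */
static int renew(imp_sth_t *sth, size_t new_len) {
    char *grown = malloc(new_len);
    if (!grown) return FETCH_NOMEM;
    memcpy(grown, sth->data, sth->length);
    free(sth->data);
    sth->data = grown;
    sth->length = new_len;
    sth->generation++;
    return FETCH_OK;
}

/* dbd_st_fetch() stand-in, one call per fetchrow_arrayref(). fixed == 0 grows the
 * buffer and leaves stmt.bound untouched (the bug); fixed == 1 refreshes the
 * pointer the statement holds after reallocating (the upstream fix). */
static int dbd_st_fetch(imp_sth_t *sth, const char *row, size_t row_len, int fixed) {
    int rc = stmt_fetch(sth, row, row_len);
    if (rc != FETCH_TRUNCATED) return rc;
    if ((rc = renew(sth, row_len)) != FETCH_OK) return rc;
    if (fixed) bind_result(sth);
    /* The driver re-reads the oversized column into the new buffer with a fresh
     * bind; that part is fine. The stale pointer bites on the next row. */
    memcpy(sth->data, row, row_len);
    sth->last_len = row_len;
    return FETCH_OK;
}

/* Fetch a result set row by row. Returns the 1-based row on which the library
 * would have written through a freed buffer, 0 if every row fetched cleanly;
 * the last fetched row is copied into out (caller provides out_cap bytes). */
static int fetch_all(int fixed, size_t initial_len, const char *const *rows,
                     int nrows, char *out, size_t out_cap) {
    imp_sth_t sth = {0};
    sth.data = malloc(initial_len);
    if (!sth.data) return FETCH_NOMEM;
    sth.length = initial_len;
    sth.generation = 1;
    bind_result(&sth);
    int bad_row = 0;
    for (int i = 0; i < nrows && bad_row == 0; i++)
        if (dbd_st_fetch(&sth, rows[i], strlen(rows[i]), fixed) == FETCH_STALE_BIND)
            bad_row = i + 1;
    if (out && out_cap) {
        size_t n = sth.last_len < out_cap - 1 ? sth.last_len : out_cap - 1;
        memcpy(out, sth.data, n);
        out[n] = '\0';
    }
    free(sth.data);
    return bad_row;
}
```

With a constructed result set whose second row outgrows the initial buffer ("ab", "abcdefgh", "xyz" against a 4-byte buffer), the unfixed path reports the stale bind on row 3, the row after the reallocation, which matches the "repeated fetchrow_arrayref calls" wording in the commit message; with the fix the same rows fetch cleanly and the last row arrives intact. Under ASan the real driver shows the same pattern as a heap-use-after-free inside mysql_stmt_fetch().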
Comment 1 Swamp Workflow Management 2016-11-29 23:00:37 UTC
bugbot adjusting priority
Comment 2 Tomáš Chvátal 2016-11-30 08:34:19 UTC
All submissions done.
Comment 3 Bernhard Wiedemann 2016-11-30 09:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (1012546) was mentioned in
https://build.opensuse.org/request/show/442783 13.2 / perl-DBD-mysql
Comment 5 Swamp Workflow Management 2016-11-30 13:00:07 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-12-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63237
Comment 6 Swamp Workflow Management 2016-12-12 17:10:21 UTC
openSUSE-SU-2016:3090-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1012546
CVE References: CVE-2016-1251
Sources used:
openSUSE 13.2 (src):    perl-DBD-mysql-4.021-8.3.1
Comment 8 Swamp Workflow Management 2017-01-04 20:07:24 UTC
SUSE-SU-2017:0025-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1012546
CVE References: CVE-2016-1251
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    perl-DBD-mysql-4.008-6.1
SUSE Linux Enterprise Server 11-SP4 (src):    perl-DBD-mysql-4.008-6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    perl-DBD-mysql-4.008-6.1
Comment 9 Sergio Rafael Lemke 2017-01-11 18:01:12 UTC
Created attachment 709635 [details]
lib.pl, put it in a folder called t
Comment 10 Sergio Rafael Lemke 2017-01-11 18:04:49 UTC
Created attachment 709636 [details]
1012546.pl
Comment 11 Sergio Rafael Lemke 2017-01-11 18:05:09 UTC
Hello,
I was testing this update and my test results are not very good: the results of my tests remain the same with the old and the new package (FYI, tests for bsc#1002626 and bsc#1010457 passed).

Before update:
slemke@linux-nekh:~> ./1012546.pl
t/lib.pl did not return a true value at ./1012546.pl line 10.
slemke@linux-nekh:~>

After update:
linux-nekh:/home/slemke # ./1012546.pl
t/lib.pl did not return a true value at ./1012546.pl line 10.

Tests already attached:
t/lib.pl
1012546.pl

Thanks,
SUSE QAM
Comment 12 Sergio Rafael Lemke 2017-01-11 18:13:12 UTC
Extra Info:
linux-nekh:/home/slemke # cat /etc/issue
Welcome to SUSE Linux Enterprise Server 12 SP1  (x86_64) - Kernel \r (\l).
Comment 13 Sergio Rafael Lemke 2017-01-11 18:49:25 UTC
Please ignore my last comments, after checking the lib.perl I found that I need the entire test tree as there are more dependencies.

Thanks,
SUSE QAM
Comment 14 Swamp Workflow Management 2017-01-13 13:10:31 UTC
SUSE-SU-2017:0123-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1002626,1010457,1012546
CVE References: CVE-2016-1246,CVE-2016-1249,CVE-2016-1251
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    perl-DBD-mysql-4.021-11.1
SUSE Linux Enterprise Server 12-SP2 (src):    perl-DBD-mysql-4.021-11.1
SUSE Linux Enterprise Server 12-SP1 (src):    perl-DBD-mysql-4.021-11.1
Comment 15 Swamp Workflow Management 2017-01-23 11:10:25 UTC
openSUSE-SU-2017:0252-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1002626,1010457,1012546
CVE References: CVE-2016-1246,CVE-2016-1249,CVE-2016-1251
Sources used:
openSUSE Leap 42.2 (src):    perl-DBD-mysql-4.021-14.1
openSUSE Leap 42.1 (src):    perl-DBD-mysql-4.021-13.1
Comment 16 Marcus Meissner 2017-06-15 20:12:03 UTC
released