Bugzilla – Bug 1022428
VUL-0: CVE-2017-3302: mariadb: Use after free in libmysqlclient.so
Last modified: 2020-06-08 19:12:55 UTC
Ref: http://seclists.org/oss-sec/2017/q1/213
===================================================
The C client library for MySQL (libmysqlclient.so) has a use-after-free defect which can cause a crash of applications using that MySQL client.

The defect occurs by calling the mysql_close() function from libmysqlclient.so. If mysql_close() is called before calling all mysql_stmt_close() (for all allocated stmts), then the following mysql_stmt_close() calls try to write to already released memory. mysql_close() lets dangling pointers exist for prepared statements.

The real problem is in the function mysql_prune_stmt_list(), which incorrectly iterates over elements. The function list_add() overwrites the ->next pointer of the current element, which overwrites the next element for iteration. Basically it is just wrong usage of the linked list structure.

Languages in which the order of executing destructors of created objects is not guaranteed have a big problem, as such writing to memory pointed to by a dangling pointer can cause a crash of the whole application. E.g. libmysqlclient.so used by the perl DBD::mysql driver causes a crash of the whole perl process with a simple script:

perl -MDBI -e '
$dbh = DBI->connect("dbi:mysql:", "root", undef, {RaiseError => 1, mysql_server_prepare => 1});
$sth1 = $dbh->prepare("SELECT 1");
$sth2 = $dbh->prepare("USE mysql");
$dbh->disconnect;
$dbh = undef;
'
Segmentation fault

Tested on amd64 Ubuntu 12.04 LTS with perl 5.14.2. To reproduce, change the username, password and host where the mysql server is running. Valgrind can prove that memory corruption really occurs.

This defect was fixed in the MySQL 5.6.21 and MySQL 5.7.5 releases. But it is present in all MySQL 5.5 versions (and also older) and the appropriate older 5.6 and 5.7 versions. MySQL 5.5 is still used, supported and included in a lot of linux distributions. Moreover this defect is present also in MariaDB releases. I tested all last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all those are affected.
MySQL and MariaDB also provide a standalone package with only the C client library libmysqlclient.so (without server) under the name "Connector/C", and so the appropriate versions of it are affected too.

I found that this defect was fixed in the MySQL git repository by commit:
https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93
That commit can be easily applied to the last MySQL 5.5.54 version and fixes this defect.

Looks like the problem was already reported and is publicly available in the MySQL bug tracker, see more details on the links:
https://bugs.mysql.com/bug.php?id=70429
https://bugs.mysql.com/bug.php?id=63363
(tickets are closed despite the fact that MySQL 5.5 and older are not fixed)
===================================================

https://software.opensuse.org/package/mariadb
TW: 5.5.29
42.(1|2): 10.0.28

Please, check these versions in context of the phrase "Moreover this defect is present also in MariaDB releases. I tested all last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all those are affected." Thanks!
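The iteration error the report describes (list_add() rewriting the current element's ->next pointer while the loop still uses that pointer as its cursor) can be reproduced without a database. The C program below is an added illustration written for this page; it is not code from libmysqlclient, MariaDB or the linked commit. The struct names, list_add(), prune_buggy(), prune_fixed() and dangling_after_prune() are constructed stand-ins modelled on the report's description. It moves statements off a connection's list and counts how many still hold a back-pointer to the connection afterwards, i.e. the pointers that would dangle once the connection is freed, and contrasts the faulty loop with one that captures the successor before relinking the node.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for a client connection and its prepared-statement
 * handles. A statement keeps a back-pointer to the connection that owns it;
 * that pointer is what dangles if the connection is torn down without
 * detaching the statement first. These are not libmysqlclient's types. */
struct conn;
struct stmt {
    struct stmt *next;    /* intrusive singly linked list node */
    struct conn *owner;   /* NULL once the statement has been detached */
    int id;
};
struct conn {
    struct stmt *stmts;   /* head of the connection's statement list */
};

/* Push-front insertion. It rewrites node->next, which is exactly the
 * property that breaks a loop using node->next as its cursor after the call. */
static void list_add(struct stmt **head, struct stmt *node)
{
    node->next = *head;
    *head = node;
}

/* Buggy prune, modelled on the report's description of mysql_prune_stmt_list():
 * walk the list, detach each statement and move it onto 'moved'. Because
 * list_add() has overwritten s->next before the loop reads it, the cursor
 * jumps into 'moved' (NULL here) and the loop ends after the first element;
 * every remaining statement keeps its soon-to-be-dangling owner pointer. */
static void prune_buggy(struct conn *c, struct stmt **moved)
{
    struct stmt *s;
    for (s = c->stmts; s != NULL; s = s->next) {
        s->owner = NULL;
        list_add(moved, s);   /* s->next is now stale as an iteration cursor */
    }
    c->stmts = NULL;
}

/* Fixed prune: capture the successor before the node is relinked. */
static void prune_fixed(struct conn *c, struct stmt **moved)
{
    struct stmt *s, *next;
    for (s = c->stmts; s != NULL; s = next) {
        next = s->next;       /* read the cursor before list_add() clobbers it */
        s->owner = NULL;
        list_add(moved, s);
    }
    c->stmts = NULL;
}

/* Build a connection owning statements pool[0..n-1] (constructed fixture). */
static void build_conn(struct conn *c, struct stmt *pool, int n)
{
    int i;
    c->stmts = NULL;
    for (i = n - 1; i >= 0; i--) {
        pool[i].id = i;
        pool[i].owner = c;
        list_add(&c->stmts, &pool[i]);
    }
}

/* Run a prune over n statements (at most 16) and return how many still point
 * at the connection afterwards, i.e. how many would dangle once it is freed. */
static int dangling_after_prune(int n, bool use_fixed)
{
    struct stmt pool[16];
    struct conn c;
    struct stmt *moved = NULL;
    int i, dangling = 0;

    if (n > 16) n = 16;
    if (n < 0) n = 0;
    build_conn(&c, pool, n);
    if (use_fixed)
        prune_fixed(&c, &moved);
    else
        prune_buggy(&c, &moved);

    for (i = 0; i < n; i++)
        if (pool[i].owner == &c)
            dangling++;
    return dangling;
}

int main(void)
{
    printf("buggy prune, 3 statements: %d left dangling\n", dangling_after_prune(3, false));
    printf("fixed prune, 3 statements: %d left dangling\n", dangling_after_prune(3, true));
    return 0;
}
```

With three statements the buggy loop detaches only the first and leaves two owner pointers intact; the fixed loop leaves none. The same save-next-before-relink pattern is the generic remedy whenever a loop both walks an intrusive list and hands nodes to a function that relinks them.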
bugbot adjusting priority
SUSE-SU-2017:0408-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020868,1020873,1020875,1020877,1020882,1020884,1020885,1020890,1020891,1020894,1020896,1022428
CVE References: CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3313,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE OpenStack Cloud 5 (src): mysql-5.5.54-0.35.1
SUSE Manager Proxy 2.1 (src): mysql-5.5.54-0.35.1
SUSE Manager 2.1 (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Server 11-SP4 (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): mysql-5.5.54-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): mysql-5.5.54-0.35.1
SUSE-SU-2017:0411-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): mariadb-10.0.29-20.23.1
SUSE Linux Enterprise Server 12-LTSS (src): mariadb-10.0.29-20.23.1
SUSE-SU-2017:0412-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP2 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP1 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP2 (src): mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src): mariadb-10.0.29-22.1
http://seclists.org/oss-sec/2017/q1/406
=========================================
Now I was contacted by Oracle that they assigned CVE-2017-3302
=========================================
openSUSE-SU-2017:0486-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
openSUSE Leap 42.2 (src): mariadb-10.0.29-18.1
openSUSE Leap 42.1 (src): mariadb-10.0.29-18.1
mariadb
-------
- CVE-2017-3302 was fixed [1] in the latest MariaDB 10.0.30 and MariaDB 10.1.22

[1] https://mariadb.com/kb/en/mariadb/security/
mysql
-----
- CVE-2017-3302 was fixed [1] in the latest MySQL 5.5.55 and 5.6.36
- 5.7 branch is not affected

[1] http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
SUSE-SU-2017:1137-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1020976,1022428,1029014,1029396,1034850
CVE References: CVE-2016-5483,CVE-2017-3302,CVE-2017-3305,CVE-2017-3308,CVE-2017-3309,CVE-2017-3329,CVE-2017-3453,CVE-2017-3456,CVE-2017-3461,CVE-2017-3462,CVE-2017-3463,CVE-2017-3464,CVE-2017-3600
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): mysql-5.5.55-0.38.1
SUSE Linux Enterprise Server 11-SP4 (src): mysql-5.5.55-0.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): mysql-5.5.55-0.38.1
openSUSE-SU-2017:1209-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1020976,1022428,1029014,1029396,1034850,889126
CVE References: CVE-2016-5483,CVE-2017-3302,CVE-2017-3305,CVE-2017-3308,CVE-2017-3309,CVE-2017-3329,CVE-2017-3450,CVE-2017-3452,CVE-2017-3453,CVE-2017-3456,CVE-2017-3461,CVE-2017-3462,CVE-2017-3463,CVE-2017-3464,CVE-2017-3599,CVE-2017-3600
Sources used:
openSUSE Leap 42.2 (src): mysql-community-server-5.6.36-24.3.3
openSUSE Leap 42.1 (src): mysql-community-server-5.6.36-25.3
SUSE-SU-2017:1311-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020890,1020976,1022428,1034911
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): mariadb-10.0.30-20.26.1
SUSE Linux Enterprise Server 12-LTSS (src): mariadb-10.0.30-20.26.1
SUSE-SU-2017:1315-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1020868,1020890,1020976,1022428,1034911,996821
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Server 12-SP2 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Server 12-SP1 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src): mariadb-10.0.30-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src): mariadb-10.0.30-25.1
openSUSE-SU-2017:1475-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1020868,1020890,1020976,1022428,1034911,1038740,996821
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
openSUSE Leap 42.2 (src): mariadb-10.0.30-20.4.1
released