Bug 1022428 - (CVE-2017-3302) VUL-0: CVE-2017-3302: mariadb: Use after free in libmysqlclient.so
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2016-5616:6.0:(AV:L/A...
Depends on:
Blocks:
Reported: 2017-01-28 11:49 UTC by Mikhail Kasimov
Modified: 2020-06-08 19:12 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2017-01-28 11:49:34 UTC
Ref: http://seclists.org/oss-sec/2017/q1/213
===================================================
The C client library for MySQL (libmysqlclient.so) has a use-after-free defect 
which can cause a crash of applications using that MySQL client.

The defect occurs when calling the mysql_close() function from libmysqlclient.so. 
If mysql_close() is called before all mysql_stmt_close() calls (for 
all allocated stmts), then the following mysql_stmt_close() call tries to 
write to already released memory. mysql_close() lets a dangling pointer 
exist for prepared statements. The real problem is in the function 
mysql_prune_stmt_list(), which incorrectly iterates over elements. 
The function list_add() overwrites the ->next pointer of the current element, which 
overwrites the next element for iteration.

Basically it is just wrong usage of the linked list structure.

Languages in which the order of executing destructors of 
created objects is not guaranteed have a big problem, as such writing to memory pointed to by 
a dangling pointer can cause a crash of the whole application.

E.g. libmysqlclient.so used by the perl DBD::mysql driver causes a crash of 
the whole perl process with this simple script:

perl -MDBI -e '
$dbh = DBI->connect("dbi:mysql:", "root", undef,
                    {RaiseError => 1, mysql_server_prepare => 1});
$sth1 = $dbh->prepare("SELECT 1");
$sth2 = $dbh->prepare("USE mysql");
$dbh->disconnect;
$dbh = undef;
'
Segmentation fault

Tested on amd64 Ubuntu 12.04 LTS with perl 5.14.2. To reproduce, change the 
username, password and host where the mysql server is running. Valgrind can 
prove that memory corruption really occurs.

This defect was fixed in the MySQL 5.6.21 and MySQL 5.7.5 releases. But it is 
present in all MySQL 5.5 versions (and also older) and the corresponding older 
5.6 and 5.7 versions. MySQL 5.5 is still used, supported and included in 
a lot of linux distributions.

Moreover this defect is present also in MariaDB releases. I tested all 
last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all those are 
affected.

MySQL and MariaDB also provide a standalone package with only the C client 
library libmysqlclient.so (without server) under the name "Connector/C", and 
so the corresponding versions of it are affected too. 

I found that this defect was fixed in the MySQL git repository by commit:
https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93

That commit can be easily applied to the latest MySQL 5.5.54 version and fixes 
this defect.

It looks like the problem was already reported and is publicly available in the 
MySQL bug tracker; see more details at these links:
https://bugs.mysql.com/bug.php?id=70429
https://bugs.mysql.com/bug.php?id=63363
(the tickets are closed despite the fact that MySQL 5.5 and older are not fixed)
===================================================

https://software.opensuse.org/package/mariadb

TW: 5.5.29
42.(1|2): 10.0.28

Please check these versions in the context of the phrase "Moreover this defect is present also in MariaDB releases. I tested all last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all those are affected." Thanks!
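The iteration defect the quoted post describes, modelled as an added, constructed C program that is not part of this bug report or of the MySQL/MariaDB sources: a toy prev/next/data list with a prepending list_add(), a prune routine that keeps following element->next after list_add() has rewritten it, and the corrected walk that saves the successor before relinking. The CLIENT/STATEMENT structs, the two statement states, the prune_stmt_list_buggy/prune_stmt_list_fixed names, count_stale and both scenarios are assumptions made for the illustration; count_stale measures the outcome the post warns about, statements that still point at a client handle the client no longer tracks, which become dangling pointers once that handle is freed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the list handling the report describes; illustration
 * code, not libmysqlclient's source. LIST/list_add mirror a prev/next/data
 * list; CLIENT and STATEMENT stand in for the connection and statement handles. */
typedef struct list_node { struct list_node *prev, *next; void *data; } LIST;
typedef struct client { LIST *stmts; } CLIENT;   /* statements still bound to it */
enum stmt_state { STMT_INIT_DONE, STMT_PREPARE_DONE };
typedef struct statement {
    CLIENT *client; enum stmt_state state;       /* client dangles once freed */
    LIST link;               /* this statement's node in client->stmts */
} STATEMENT;

/* Constructed scenarios; list order equals array order. */
static const enum stmt_state SCENARIO_ALL_INIT[3] =
    { STMT_INIT_DONE, STMT_INIT_DONE, STMT_INIT_DONE };
static const enum stmt_state SCENARIO_MIXED[3] =
    { STMT_PREPARE_DONE, STMT_INIT_DONE, STMT_PREPARE_DONE };

/* Prepend element to the list rooted at root; rewrites element->prev/next. */
static LIST *list_add(LIST *root, LIST *element)
{
    element->prev = NULL;
    element->next = root;
    if (root)
        root->prev = element;
    return element;
}

/* The pattern in the report: the loop advances through element->next after
 * list_add() has rewritten it. The first kept element gets next = pruned (still
 * NULL), so the walk ends there; later statements are neither detached nor kept. */
static void prune_stmt_list_buggy(CLIENT *c)
{
    LIST *pruned = NULL;
    for (LIST *element = c->stmts; element; element = element->next) {
        STATEMENT *s = element->data;
        if (s->state != STMT_INIT_DONE)
            s->client = NULL;                    /* detached: safe to close later */
        else
            pruned = list_add(pruned, element);  /* clobbers element->next */
    }
    c->stmts = pruned;
}

/* Corrected walk: save the successor before relinking, so every node of the
 * original list is visited exactly once. */
static void prune_stmt_list_fixed(CLIENT *c)
{
    LIST *pruned = NULL, *element = c->stmts;
    while (element) {
        LIST *next = element->next;              /* read before list_add() */
        STATEMENT *s = element->data;
        if (s->state != STMT_INIT_DONE)
            s->client = NULL;
        else
            pruned = list_add(pruned, element);
        element = next;
    }
    c->stmts = pruned;
}

/* Stale = still points at the client, but the client no longer tracks it; once
 * the client is freed, closing that statement writes through a dangling pointer. */
static int count_stale(const CLIENT *c, const STATEMENT *stmts, size_t n)
{
    int stale = 0;
    for (size_t i = 0; i < n; i++) {
        int tracked = 0;
        if (stmts[i].client != c)
            continue;                            /* properly detached */
        for (const LIST *e = c->stmts; e && !tracked; e = e->next)
            tracked = (e->data == (const void *)&stmts[i]);
        stale += !tracked;
    }
    return stale;
}

/* Build a client holding stmts[0..n-1] (n <= 8), prune, return stale count. */
static int stale_after_prune(int use_fixed, const enum stmt_state *states, size_t n)
{
    CLIENT c = { NULL };
    STATEMENT stmts[8];
    if (n > 8) return -1;
    for (size_t i = n; i-- > 0;) {               /* list_add prepends: build backwards */
        stmts[i].client = &c;
        stmts[i].state = states[i];
        stmts[i].link.data = &stmts[i];
        c.stmts = list_add(c.stmts, &stmts[i].link);
    }
    if (use_fixed) prune_stmt_list_fixed(&c);
    else prune_stmt_list_buggy(&c);
    return count_stale(&c, stmts, n);
}

int main(void)
{
    printf("all INIT_DONE: buggy=%d fixed=%d; mixed: buggy=%d fixed=%d stale\n",
           stale_after_prune(0, SCENARIO_ALL_INIT, 3), stale_after_prune(1, SCENARIO_ALL_INIT, 3),
           stale_after_prune(0, SCENARIO_MIXED, 3), stale_after_prune(1, SCENARIO_MIXED, 3));
    return 0;
}
```

With three statements that are all kept, the buggy walk relinks the first one, reads its freshly overwritten next pointer (NULL) and stops, leaving the other two pointing at a handle that is about to go away; the corrected walk leaves none. Running the program under Valgrind or ASan, as the post suggests for the real library, is the practical check that a given build no longer exhibits this class of defect.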
Comment 1 Swamp Workflow Management 2017-01-28 23:00:15 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2017-02-06 23:09:34 UTC
SUSE-SU-2017:0408-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020868,1020873,1020875,1020877,1020882,1020884,1020885,1020890,1020891,1020894,1020896,1022428
CVE References: CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3313,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE OpenStack Cloud 5 (src):    mysql-5.5.54-0.35.1
SUSE Manager Proxy 2.1 (src):    mysql-5.5.54-0.35.1
SUSE Manager 2.1 (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Server 11-SP4 (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mysql-5.5.54-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mysql-5.5.54-0.35.1
Comment 8 Swamp Workflow Management 2017-02-07 17:11:09 UTC
SUSE-SU-2017:0411-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    mariadb-10.0.29-20.23.1
SUSE Linux Enterprise Server 12-LTSS (src):    mariadb-10.0.29-20.23.1
Comment 9 Swamp Workflow Management 2017-02-07 17:13:46 UTC
SUSE-SU-2017:0412-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    mariadb-10.0.29-22.1
Comment 10 Mikhail Kasimov 2017-02-11 18:18:07 UTC
http://seclists.org/oss-sec/2017/q1/406
=========================================
Now I was contacted by Oracle that they assigned CVE-2017-3302
=========================================
Comment 11 Swamp Workflow Management 2017-02-17 03:19:01 UTC
openSUSE-SU-2017:0486-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
openSUSE Leap 42.2 (src):    mariadb-10.0.29-18.1
openSUSE Leap 42.1 (src):    mariadb-10.0.29-18.1
Comment 12 Kristyna Streitova 2017-03-15 14:14:42 UTC
mariadb
-------
- CVE-2017-3302 was fixed [1] in the latest MariaDB 10.0.30 and MariaDB 10.1.22


[1] https://mariadb.com/kb/en/mariadb/security/
Comment 13 Kristyna Streitova 2017-04-19 12:05:00 UTC
mysql
-----
- CVE-2017-3302 was fixed [1] in the latest MySQL 5.5.55 and 5.6.36
- 5.7 branch is not affected

[1] http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
Comment 16 Swamp Workflow Management 2017-04-28 19:14:20 UTC
SUSE-SU-2017:1137-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1020976,1022428,1029014,1029396,1034850
CVE References: CVE-2016-5483,CVE-2017-3302,CVE-2017-3305,CVE-2017-3308,CVE-2017-3309,CVE-2017-3329,CVE-2017-3453,CVE-2017-3456,CVE-2017-3461,CVE-2017-3462,CVE-2017-3463,CVE-2017-3464,CVE-2017-3600
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mysql-5.5.55-0.38.1
SUSE Linux Enterprise Server 11-SP4 (src):    mysql-5.5.55-0.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mysql-5.5.55-0.38.1
Comment 17 Swamp Workflow Management 2017-05-08 16:18:59 UTC
openSUSE-SU-2017:1209-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1020976,1022428,1029014,1029396,1034850,889126
CVE References: CVE-2016-5483,CVE-2017-3302,CVE-2017-3305,CVE-2017-3308,CVE-2017-3309,CVE-2017-3329,CVE-2017-3450,CVE-2017-3452,CVE-2017-3453,CVE-2017-3456,CVE-2017-3461,CVE-2017-3462,CVE-2017-3463,CVE-2017-3464,CVE-2017-3599,CVE-2017-3600
Sources used:
openSUSE Leap 42.2 (src):    mysql-community-server-5.6.36-24.3.3
openSUSE Leap 42.1 (src):    mysql-community-server-5.6.36-25.3
Comment 18 Swamp Workflow Management 2017-05-16 19:09:53 UTC
SUSE-SU-2017:1311-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020890,1020976,1022428,1034911
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    mariadb-10.0.30-20.26.1
SUSE Linux Enterprise Server 12-LTSS (src):    mariadb-10.0.30-20.26.1
Comment 19 Swamp Workflow Management 2017-05-16 19:14:38 UTC
SUSE-SU-2017:1315-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1020868,1020890,1020976,1022428,1034911,996821
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Server 12-SP2 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Server 12-SP1 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    mariadb-10.0.30-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    mariadb-10.0.30-25.1
Comment 20 Swamp Workflow Management 2017-06-02 10:10:40 UTC
openSUSE-SU-2017:1475-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1020868,1020890,1020976,1022428,1034911,1038740,996821
CVE References: CVE-2017-3302,CVE-2017-3313
Sources used:
openSUSE Leap 42.2 (src):    mariadb-10.0.30-20.4.1
Comment 21 Marcus Meissner 2017-06-20 13:21:11 UTC
released