Date | Who | What changed | Old value | New value | Message

2013-06-02 14:52:11 | Laurynas Biveinis | bug | | | added bug
2013-06-02 14:52:21 | Laurynas Biveinis | nominated for series | | percona-server/5.1 |
2013-06-02 14:52:21 | Laurynas Biveinis | bug task added | | percona-server/5.1 |
2013-06-02 14:52:21 | Laurynas Biveinis | nominated for series | | percona-server/5.5 |
2013-06-02 14:52:21 | Laurynas Biveinis | bug task added | | percona-server/5.5 |
2013-06-02 14:52:21 | Laurynas Biveinis | nominated for series | | percona-server/5.6 |
2013-06-02 14:52:21 | Laurynas Biveinis | bug task added | | percona-server/5.6 |
2013-06-02 14:52:33 | Laurynas Biveinis | summary | Fix for CVE-2012-5611 is incomplete | Oracle fix for CVE-2012-5611 is incomplete |
2013-06-02 14:52:47 | Laurynas Biveinis | cve linked | | 2012-5611 |
2013-06-02 14:53:10 | Laurynas Biveinis | bug watch added | | http://bugs.mysql.com/bug.php?id=69380 |
2013-06-02 14:53:10 | Laurynas Biveinis | bug task added | | mysql-server |
2013-06-02 14:54:06 | Laurynas Biveinis | percona-server/5.1: importance | Undecided | High |
2013-06-02 14:54:09 | Laurynas Biveinis | percona-server/5.5: importance | Undecided | High |
2013-06-02 14:54:12 | Laurynas Biveinis | percona-server/5.1: status | New | Fix Released |
2013-06-02 14:54:15 | Laurynas Biveinis | percona-server/5.5: status | New | Fix Released |
2013-06-02 14:55:06 | Laurynas Biveinis | percona-server/5.1: milestone | | 5.1.66-14.2 |
2013-06-02 14:55:10 | Laurynas Biveinis | percona-server/5.5: milestone | | 5.5.28-29.3 |
2013-06-02 14:58:59 | Laurynas Biveinis | percona-server/5.6: assignee | | Laurynas Biveinis (laurynas-biveinis) |
2013-06-02 14:59:26 | Laurynas Biveinis | tags | | upstream |
2013-06-02 15:02:39 | Laurynas Biveinis | percona-server/5.6: milestone | | 5.6.11-60.4 |
2013-06-02 15:02:45 | Laurynas Biveinis | percona-server/5.6: importance | Undecided | High |
2013-06-02 15:02:49 | Laurynas Biveinis | percona-server/5.6: status | New | Triaged |
2013-06-02 15:36:04 | Laurynas Biveinis | description
Old value (first paragraph; the rest of the old value is identical to the new value below):
This is an Oracle-only bug report. Percona Server has the MariaDB fix and is not affected. The impact of this bug is two bytes overwritten on the stack, which should not be enough for remote code execution.
New value:
This is for Oracle MySQL 5.1/5.5/5.6 and Percona Server 5.6. Percona Server 5.1/5.5 has the MariaDB fix and is not affected. The impact of this bug is two bytes overwritten on the stack, which should not be enough for remote code execution.
[2 Jun 14:48] Laurynas Biveinis
Description:
The fix for bug CVE-2012-5611 (bug 67685?) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflowed by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.
The fix at 3853.1.1 attempted to check for overflow:
    copy_length= (size_t) (strlen(ip ? ip : "") +
                           strlen(user ? user : "") +
                           strlen(db ? db : ""));
    if (copy_length >= ACL_KEY_LENGTH)
      DBUG_RETURN(0);
And here is how the buffer is filled:
    end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
Both "+1"s are not accounted for in the copy_length check.
How to repeat:
Add
    if (end - key > ACL_KEY_LENGTH)
      fprintf(stderr, "end - key = %d\n", (int)(end - key));
after the strmov(), run this and observe end - key > ACL_KEY_LENGTH, twice. It should also give ASan errors, but not Valgrind errors.
    --source include/not_embedded.inc
    --source include/count_sessions.inc
    grant usage on *.* to mysqltest_1@localhost;
    connect (con1, localhost, mysqltest_1,,);
    connection con1;
    select 1 from information_schema.tables where table_schema=repeat('a', 246);
    select 1 from information_schema.tables where table_schema=repeat('a', 245);
    connection default;
    disconnect con1;
    drop user mysqltest_1@localhost;
    --source include/wait_until_count_sessions.inc
Suggested fix:
    copy_length= ... + 2;

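The two length checks from the description above, side by side, as an added example in C that is not code from the bug report or from MySQL. It re-implements strmov()'s contract (copy including the NUL, return a pointer to that NUL), counts the bytes the acl_get() fill really writes, and shows that the check from 3853.1.1 admits inputs that run one or two bytes past the buffer while the suggested "+ 2" does not. DEMO_KEY_LENGTH, demo_strmov() and the helper names are assumptions made for the example; the inputs are constructed to mirror the repro (no ip on a socket connection, user mysqltest_1, a db name close to the limit). The real fill only runs after the corrected check, so the example itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for MySQL's ACL_KEY_LENGTH (defined in sql/sql_acl.h). 32 is a
 * made-up size chosen so the arithmetic is easy to follow; the reasoning
 * below does not depend on the real value. */
#define DEMO_KEY_LENGTH 32

/* Same contract as MySQL's strmov(): copy src including its terminating
 * NUL and return a pointer to the NUL just written in dst. */
static char *demo_strmov(char *dst, const char *src)
{
    while ((*dst = *src) != '\0') {
        dst++;
        src++;
    }
    return dst;
}

/* Bytes the strmov() chain in acl_get() really writes into key:
 * ip, NUL, user, NUL, db, NUL -- the three string lengths plus three. */
size_t acl_key_bytes_written(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + 1
         + strlen(user ? user : "") + 1
         + strlen(db ? db : "") + 1;
}

typedef int (*acl_check_fn)(const char *, const char *, const char *, size_t);

/* The check as in the incomplete fix (3853.1.1): only the three string
 * lengths are summed. Returns 1 when the request is let through
 * (the original rejects with DBUG_RETURN(0) on copy_length >= key_length). */
int check_incomplete(const char *ip, const char *user, const char *db, size_t key_length)
{
    size_t copy_length = strlen(ip ? ip : "") + strlen(user ? user : "") + strlen(db ? db : "");
    return copy_length < key_length;
}

/* The check with the suggested "+ 2": the two separator bytes added by the
 * "+1"s are counted, so copy_length + 2 < key_length leaves room for the
 * final NUL as well and the fill ends inside the buffer. */
int check_fixed(const char *ip, const char *user, const char *db, size_t key_length)
{
    size_t copy_length = strlen(ip ? ip : "") + strlen(user ? user : "") + strlen(db ? db : "") + 2;
    return copy_length < key_length;
}

/* Bytes past the end of the buffer that a given check would allow the fill
 * to write. 0 means the request was rejected or the fill fits.
 * Pure arithmetic: nothing is written here. */
size_t overflow_bytes(acl_check_fn check, const char *ip, const char *user,
                      const char *db, size_t key_length)
{
    if (!check(ip, user, db, key_length))
        return 0;
    size_t written = acl_key_bytes_written(ip, user, db);
    return written > key_length ? written - key_length : 0;
}

/* Fill a DEMO_KEY_LENGTH buffer exactly as acl_get() does, but only after
 * check_fixed() accepted the input, so this never writes out of bounds.
 * Returns end - key (the quantity the report's fprintf() prints), or 0 when
 * the request was rejected. */
size_t fill_key_checked(const char *ip, const char *user, const char *db)
{
    char key[DEMO_KEY_LENGTH];
    char *tmp_db, *end;

    if (!check_fixed(ip, user, db, DEMO_KEY_LENGTH))
        return 0;
    end = demo_strmov((tmp_db = demo_strmov(demo_strmov(key, ip ? ip : "") + 1,
                                            user ? user : "") + 1),
                      db ? db : "");
    (void)tmp_db;
    return (size_t)(end - key);
}

int main(void)
{
    /* Constructed inputs modelled on the repro: a socket connection has no
     * ip (NULL -> ""), the user is mysqltest_1, and the db name length varies. */
    const char *user = "mysqltest_1";
    char db[DEMO_KEY_LENGTH];
    size_t n;

    printf("key_length=%d user=%s\n", DEMO_KEY_LENGTH, user);
    for (n = 16; n <= 21; n++) {
        memset(db, 'a', n);
        db[n] = '\0';
        printf("db_len=%2zu  incomplete check overflows by %zu  fixed check overflows by %zu\n",
               n,
               overflow_bytes(check_incomplete, NULL, user, db, DEMO_KEY_LENGTH),
               overflow_bytes(check_fixed, NULL, user, db, DEMO_KEY_LENGTH));
    }
    return 0;
}
```

With the made-up key length of 32 and an 11-character user name, the incomplete check accepts db names of up to 20 bytes, and the fill then writes 33 or 34 bytes for the 19- and 20-byte names; the corrected check stops at 18, where the fill ends exactly on the last byte of the buffer.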
2013-06-21 11:06:59 | Laurynas Biveinis | percona-server/5.6: milestone | 5.6.12-60.4 | 5.6.12-61.0 |
2013-08-13 06:19:35 | Laurynas Biveinis | percona-server/5.6: milestone | 5.6.13-60.5 | 5.6.13-61.0 |
2013-09-20 05:56:44 | Laurynas Biveinis | percona-server/5.6: milestone | 5.6.13-60.6 | 5.6.13-61.0 |
2013-10-07 06:03:28 | Laurynas Biveinis | percona-server/5.6: milestone | 5.6.13-61.0 | 5.6.14-61.1 |
2013-10-21 13:17:57 | Laurynas Biveinis | percona-server/5.6: milestone | 5.6.14-62.0 | 5.6.14-62.1 |
2013-12-05 09:49:52 | Laurynas Biveinis | percona-server/5.6: assignee | Laurynas Biveinis (laurynas-biveinis) | |
2013-12-05 10:05:48 | Laurynas Biveinis | percona-server/5.6: status | Triaged | Fix Committed |
2013-12-05 10:05:04 | Launchpad Janitor | branch linked | | lp:~laurynas-biveinis/percona-server/merge-5.6.15 |
2013-12-16 07:55:49 | Laurynas Biveinis | percona-server/5.6: status | Fix Committed | Fix Released |