Activity log for bug #1186748

Date Who What changed Old value New value Message
2013-06-02 14:52:11 Laurynas Biveinis bug added bug
2013-06-02 14:52:21 Laurynas Biveinis nominated for series percona-server/5.1
2013-06-02 14:52:21 Laurynas Biveinis bug task added percona-server/5.1
2013-06-02 14:52:21 Laurynas Biveinis nominated for series percona-server/5.5
2013-06-02 14:52:21 Laurynas Biveinis bug task added percona-server/5.5
2013-06-02 14:52:21 Laurynas Biveinis nominated for series percona-server/5.6
2013-06-02 14:52:21 Laurynas Biveinis bug task added percona-server/5.6
2013-06-02 14:52:33 Laurynas Biveinis summary Fix for CVE-2012-5611 is incomplete Oracle fix for CVE-2012-5611 is incomplete
2013-06-02 14:52:47 Laurynas Biveinis cve linked 2012-5611
2013-06-02 14:53:10 Laurynas Biveinis bug watch added http://bugs.mysql.com/bug.php?id=69380
2013-06-02 14:53:10 Laurynas Biveinis bug task added mysql-server
2013-06-02 14:54:06 Laurynas Biveinis percona-server/5.1: importance Undecided High
2013-06-02 14:54:09 Laurynas Biveinis percona-server/5.5: importance Undecided High
2013-06-02 14:54:12 Laurynas Biveinis percona-server/5.1: status New Fix Released
2013-06-02 14:54:15 Laurynas Biveinis percona-server/5.5: status New Fix Released
2013-06-02 14:55:06 Laurynas Biveinis percona-server/5.1: milestone 5.1.66-14.2
2013-06-02 14:55:10 Laurynas Biveinis percona-server/5.5: milestone 5.5.28-29.3
2013-06-02 14:58:59 Laurynas Biveinis percona-server/5.6: assignee Laurynas Biveinis (laurynas-biveinis)
2013-06-02 14:59:26 Laurynas Biveinis tags upstream
2013-06-02 15:02:39 Laurynas Biveinis percona-server/5.6: milestone 5.6.11-60.4
2013-06-02 15:02:45 Laurynas Biveinis percona-server/5.6: importance Undecided High
2013-06-02 15:02:49 Laurynas Biveinis percona-server/5.6: status New Triaged
2013-06-02 15:36:04 Laurynas Biveinis description
  Old value: This is an Oracle-only bug report. Percona Server has the MariaDB fix and is not affected.
  New value: This is for Oracle MySQL 5.1/5.5/5.6 and Percona Server 5.6. Percona Server 5.1/5.5 has the MariaDB fix and is not affected.
  Unchanged text (identical in the old and new value):

  The impact of this bug is two bytes overwritten on stack, which should not be enough for remote code execution.

  [2 Jun 14:48] Laurynas Biveinis

  Description:
  Fix for bug CVE-2012-5611 (bug 67685?) is incomplete.

  The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflown by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.

  The fix at 3853.1.1 attempted to check for overflow:

    copy_length= (size_t) (strlen(ip ? ip : "") +
                           strlen(user ? user : "") +
                           strlen(db ? db : ""));
    if (copy_length >= ACL_KEY_LENGTH)
      DBUG_RETURN(0);

  And here is how the buffer is filled:

    end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);

  Both "+1"s are not accounted for in the copy_length check.

  How to repeat:
  Add

    if (end - key > ACL_KEY_LENGTH)
      fprintf(stderr, "end - key = %d\n", (int)(end - key));

  after the strmov(), run this, and observe end - key > ACL_KEY_LENGTH, twice. It should also give an ASan error but not Valgrind errors.

    --source include/not_embedded.inc
    --source include/count_sessions.inc
    grant usage on *.* to mysqltest_1@localhost;
    connect (con1, localhost, mysqltest_1,,);
    connection con1;
    select 1 from information_schema.tables where table_schema=repeat('a', 246);
    select 1 from information_schema.tables where table_schema=repeat('a', 245);
    connection default;
    disconnect con1;
    drop user mysqltest_1@localhost;
    --source include/wait_until_count_sessions.inc

  Suggested fix:

    copy_length= ... + 2;
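An added model of the length check and the strmov() chain from the report (it is not MySQL's or Percona's code): ACL_KEY_LENGTH is set to an assumed 32 so the arithmetic is easy to follow, strmov() is re-implemented with its documented return value, and the IP, user and database names are constructed inputs. It shows that the 3853.1.1 check admits keys that write one or two bytes past the buffer, while the suggested "+2" correction rejects them.

```c
/* Added example, not MySQL's or Percona's code: models the copy_length
 * check from the report against the bytes the strmov() chain writes. */
#include <stddef.h>
#include <string.h>

/* Assumed size for the model; MySQL's real ACL_KEY_LENGTH is larger. */
#define ACL_KEY_LENGTH 32

/* NULL-safe field, mirroring the report's "ip ? ip : "" " idiom. */
static const char *nz(const char *s) { return s ? s : ""; }

/* Model of MySQL's strmov(): copy src including its NUL and return a
 * pointer to that NUL, so strmov(...)+1 appends NUL-separated fields. */
static char *strmov_model(char *dst, const char *src)
{
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);
    return dst + n;
}

/* The check from fix 3853.1.1 when slack == 0, the suggested fix when
 * slack == 2. Returns 1 when the request is rejected (DBUG_RETURN(0)). */
int request_rejected(const char *ip, const char *user, const char *db, size_t slack)
{
    size_t copy_length = strlen(nz(ip)) + strlen(nz(user)) + strlen(nz(db)) + slack;
    return copy_length >= ACL_KEY_LENGTH;
}

/* Bytes written past an ACL_KEY_LENGTH-sized key[] by
 *   end = strmov((tmp_db = strmov(strmov(key, ip) + 1, user) + 1), db);
 * for a request the check lets through, 0 if it is rejected or fits.
 * The model writes into a padded buffer so it never overflows itself. */
size_t overflow_bytes(const char *ip, const char *user, const char *db, size_t slack)
{
    char key[ACL_KEY_LENGTH + 8];  /* a passing request writes at most 2 extra bytes */
    char *tmp_db, *end;
    size_t written;

    if (request_rejected(ip, user, db, slack))
        return 0;
    end = strmov_model((tmp_db = strmov_model(strmov_model(key, nz(ip)) + 1, nz(user)) + 1), nz(db));
    (void)tmp_db;
    written = (size_t)(end - key) + 1;  /* end points at the final NUL */
    return written > ACL_KEY_LENGTH ? written - ACL_KEY_LENGTH : 0;
}
```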
2013-06-21 11:06:59 Laurynas Biveinis percona-server/5.6: milestone 5.6.12-60.4 5.6.12-61.0
2013-08-13 06:19:35 Laurynas Biveinis percona-server/5.6: milestone 5.6.13-60.5 5.6.13-61.0
2013-09-20 05:56:44 Laurynas Biveinis percona-server/5.6: milestone 5.6.13-60.6 5.6.13-61.0
2013-10-07 06:03:28 Laurynas Biveinis percona-server/5.6: milestone 5.6.13-61.0 5.6.14-61.1
2013-10-21 13:17:57 Laurynas Biveinis percona-server/5.6: milestone 5.6.14-62.0 5.6.14-62.1
2013-12-05 09:49:52 Laurynas Biveinis percona-server/5.6: assignee Laurynas Biveinis (laurynas-biveinis)
2013-12-05 10:05:48 Laurynas Biveinis percona-server/5.6: status Triaged Fix Committed
2013-12-05 10:05:04 Launchpad Janitor branch linked lp:~laurynas-biveinis/percona-server/merge-5.6.15
2013-12-16 07:55:49 Laurynas Biveinis percona-server/5.6: status Fix Committed Fix Released