enterprise-support team mailing list archive

[Bug 1186748] [NEW] Oracle fix for CVE-2012-5611 is incomplete
Public bug reported:

This is an Oracle-only bug report. Percona Server has the MariaDB fix and
is not affected. The impact of this bug is two bytes overwritten on the
stack, which should not be enough for remote code execution.


[2 Jun 14:48] Laurynas Biveinis

Description:
Fix for bug CVE-2012-5611 (bug 67685?) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflowed by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.

The fix at 3853.1.1 attempted to check for overflow:

  copy_length= (size_t) (strlen(ip ? ip : "") +
                 strlen(user ? user : "") +
                 strlen(db ? db : ""));
  if (copy_length >= ACL_KEY_LENGTH)
    DBUG_RETURN(0);

And here is how the buffer is filled:

  end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);

Both "+1"s are not accounted for in the copy_length check.

How to repeat:
Add 

  if (end - key > ACL_KEY_LENGTH)
    fprintf(stderr, "end - key = %d\n", (int)(end - key));

after the strmov(), run this, and observe end - key > ACL_KEY_LENGTH, twice.
It should also give ASan but not Valgrind errors.

--source include/not_embedded.inc
--source include/count_sessions.inc

grant usage on *.* to mysqltest_1@localhost;
connect (con1, localhost, mysqltest_1,,);
connection con1;
select 1 from information_schema.tables where table_schema=repeat('a', 246);
select 1 from information_schema.tables where table_schema=repeat('a', 245);
connection default;
disconnect con1;
drop user mysqltest_1@localhost;

--source include/wait_until_count_sessions.inc

Suggested fix:
copy_length= ... + 2;

** Affects: mysql-server
     Importance: Unknown
         Status: Unknown

** Affects: percona-server
     Importance: High
     Assignee: Laurynas Biveinis (laurynas-biveinis)
         Status: Triaged

** Affects: percona-server/5.1
     Importance: High
         Status: Fix Released

** Affects: percona-server/5.5
     Importance: High
         Status: Fix Released

** Affects: percona-server/5.6
     Importance: High
     Assignee: Laurynas Biveinis (laurynas-biveinis)
         Status: Triaged


** Tags: upstream

** Also affects: percona-server/5.1
   Importance: Undecided
       Status: New

** Also affects: percona-server/5.5
   Importance: Undecided
       Status: New

** Also affects: percona-server/5.6
   Importance: Undecided
       Status: New

** Summary changed:

- Fix for CVE-2012-5611 is incomplete
+ Oracle fix for CVE-2012-5611 is incomplete

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5611

** Bug watch added: MySQL Bug System #69380
   http://bugs.mysql.com/bug.php?id=69380

** Also affects: mysql-server via
   http://bugs.mysql.com/bug.php?id=69380
   Importance: Unknown
       Status: Unknown

** Changed in: percona-server/5.1
   Importance: Undecided => High

** Changed in: percona-server/5.5
   Importance: Undecided => High

** Changed in: percona-server/5.1
       Status: New => Fix Released

** Changed in: percona-server/5.5
       Status: New => Fix Released

** Changed in: percona-server/5.1
    Milestone: None => 5.1.66-14.2

** Changed in: percona-server/5.5
    Milestone: None => 5.5.28-29.3

** Changed in: percona-server/5.6
     Assignee: (unassigned) => Laurynas Biveinis (laurynas-biveinis)

** Tags added: upstream

** Changed in: percona-server/5.6
    Milestone: None => 5.6.11-60.4

** Changed in: percona-server/5.6
   Importance: Undecided => High

** Changed in: percona-server/5.6
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to MySQL.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1186748

Title:
  Oracle fix for CVE-2012-5611 is incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/mysql-server/+bug/1186748/+subscriptions
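The off-by-two in the report is easy to misread because the key is assembled in a single strmov() chain. The following C program is an added example, not code from the bug report or from MySQL/Percona Server: it reimplements strmov() and the key layout "ip\0user\0db\0" from acl_get(), puts the original copy_length check and the suggested "+ 2" check side by side, and measures how many bytes land past a buffer of ACL_KEY_LENGTH for inputs each check lets through. ACL_KEY_LENGTH is set to an assumed 32 here (the real constant in sql_acl.cc is larger; only the relation between the check and the bytes written matters), and the ip/user strings are constructed for the demo. The key is built into an oversized scratch buffer so the demo itself never overflows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the real ACL_KEY_LENGTH in sql_acl.cc is
 * much larger. Only the relation between check and bytes written matters. */
#define ACL_KEY_LENGTH 32
#define SCRATCH (ACL_KEY_LENGTH + 16)   /* headroom so this demo never overflows */

typedef int (*reject_fn)(const char *, const char *, const char *);

/* strmov() as in MySQL's strings library: copy src, return pointer to the NUL. */
static char *my_strmov(char *dst, const char *src)
{
    while ((*dst = *src++) != '\0')
        dst++;
    return dst;
}

/* copy_length as computed by the 3853.1.1 fix: string lengths only. */
size_t copy_length(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + strlen(user ? user : "") + strlen(db ? db : "");
}

/* Original check: does not count the two NUL separators between ip, user, db. */
int original_check_rejects(const char *ip, const char *user, const char *db)
{
    return copy_length(ip, user, db) >= ACL_KEY_LENGTH;
}

/* Suggested fix from the report: account for the two "+1" separators. */
int fixed_check_rejects(const char *ip, const char *user, const char *db)
{
    return copy_length(ip, user, db) + 2 >= ACL_KEY_LENGTH;
}

/* Build "ip\0user\0db\0" exactly as the acl_get() line does, into a scratch
 * buffer, and return how many bytes would land past a buffer of ACL_KEY_LENGTH
 * (0 if the key fits). Returns (size_t)-1 if it would not fit the scratch. */
size_t bytes_past_buffer(const char *ip, const char *user, const char *db)
{
    char key[SCRATCH];
    char *tmp_db, *end;
    size_t written;

    if (copy_length(ip, user, db) + 3 > SCRATCH)
        return (size_t)-1;
    end = my_strmov((tmp_db = my_strmov(my_strmov(key, ip ? ip : "") + 1, user) + 1), db);
    (void)tmp_db;
    written = (size_t)(end - key) + 1;   /* end points at the final NUL; count it */
    return written > ACL_KEY_LENGTH ? written - ACL_KEY_LENGTH : 0;
}

/* Sweep db lengths with a constructed ip/user and report the worst overflow
 * among keys that the given check lets through. */
size_t max_overflow_passing(reject_fn rejects)
{
    const char *ip = "127.0.0.1";      /* constructed: 9 bytes */
    const char *user = "u";            /* constructed: 1 byte  */
    char db[SCRATCH];
    size_t worst = 0, n, over;

    for (n = 0; n <= ACL_KEY_LENGTH; n++) {
        memset(db, 'a', n);
        db[n] = '\0';
        if (rejects(ip, user, db))
            continue;
        over = bytes_past_buffer(ip, user, db);
        if (over != (size_t)-1 && over > worst)
            worst = over;
    }
    return worst;
}

int main(void)
{
    printf("original check: up to %zu byte(s) past the buffer\n",
           max_overflow_passing(original_check_rejects));
    printf("fixed check:    up to %zu byte(s) past the buffer\n",
           max_overflow_passing(fixed_check_rejects));
    return 0;
}
```

With the assumed sizes, db lengths 20 and 21 pass the original check and overrun the buffer by 1 and 2 bytes (the second NUL separator and the terminating NUL), which is the "twice" the reproduction step observes; the "+ 2" variant rejects both and lets nothing past ACL_KEY_LENGTH.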

