Bug 1126272

Summary: mysql: yaSSL off-by-one when decoding dates form X.509 certificates
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: byte, databases-maint, hhorak, jdornak, jorton, jstanek, mmaslano, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql 5.5.39, mysql 5.6.20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-04 07:04:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1126275    

Description Murray McAllister 2014-08-04 04:18:27 UTC 
The MySQL 5.5.39 and 5.6.20 releases fix an unspecified certificate decoding issue in yaSSL:

"yaSSL code had an off-by-one error in certificate decoding that could cause buffer overflow."

References:

https://bugs.gentoo.org/show_bug.cgi?id=518718
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-20.html
Comment 1 Murray McAllister 2014-08-04 04:21:06 UTC 
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1126274]
Comment 2 Murray McAllister 2014-08-04 04:21:09 UTC 
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1126273]
Comment 3 Tomas Hoger 2014-08-04 07:04:02 UTC 
MySQL upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4647

This fixes an off-by-one issue in the handling of validity start and end dates in X.509 certificates.  Value written past the end of buffer is '\0'.  Additionally, overwrite should only clobber other members of the CertDecoder class, hence it does not seem this should lead to direct code execution.  However, as it might lead to overwrite of verify_ field, it may lead to bypass of certificate verification.

MySQL and MariaDB packages shipped in Red Hat products and Fedora use system OpenSSL library to implement TLS/SSL.  Embedded yaSSL is not used, hence those packages are not affected by this issue.

Statement:

Not vulnerable.  This issue did not affect the versions of MySQL and MariaDB as shipped with Red Hat Enterprise Linux 5, 6, and 7, and Red Hat Software Collections 1.