A use-after-free vulnerability was found in DBD::mysql when prepared statements are used. The function dbd_st_fetch() can, via Renew(), reallocate the output buffer for the mysql_stmt_fetch() call, but it does not update the pointer to that buffer in the imp_sth->stmt structure initialized by the mysql_stmt_bind_result() function. This leads to a use after free in any mysql function that accesses the imp_sth->stmt structure.
This vulnerability is present in all releases at least back to version 3.0 of the driver, which was released in 2005.
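The stale-binding pattern described above, as a simplified model added here for illustration; it is not DBD::mysql code and not the upstream patch. The struct and function names are hypothetical, and re-syncing the binding after reallocation is an assumed way to close the gap.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for this sketch; not DBD::mysql or libmysqlclient types. */
struct bind   { char *buffer; size_t buffer_length; }; /* library's view, set once at bind time */
struct column { char *data;   size_t len; };           /* driver-side owner of the buffer */

/* realloc()/Renew() may move the block; this model always moves it so the result is deterministic. */
static int grow(struct column *col, size_t need) {
    char *p = need > col->len ? malloc(need) : NULL;
    if (p == NULL)
        return -1;                      /* nothing to grow, or out of memory */
    memcpy(p, col->data, col->len);
    free(col->data);                    /* the old block is gone from here on */
    col->data = p;
    col->len = need;
    return 0;
}

/* Vulnerable pattern: the driver's pointer is updated, the bound copy is not. */
int fetch_grow_vulnerable(struct column *col, struct bind *b, size_t need) {
    (void)b;
    return grow(col, need);
}

/* Hardened pattern: every reallocation is followed by a re-sync of the binding. */
int fetch_grow_fixed(struct column *col, struct bind *b, size_t need) {
    if (grow(col, need) != 0)
        return -1;
    b->buffer = col->data;
    b->buffer_length = col->len;
    return 0;
}

/* 1 if the binding no longer describes the live buffer; the length is compared first. */
int bind_is_stale(const struct column *col, const struct bind *b) {
    return b->buffer_length != col->len || b->buffer != col->data;
}

/* Constructed scenario: bind an 8-byte buffer, then fetch a value that needs 64 bytes. */
int scenario_is_stale(int use_fix) {
    struct column col = { calloc(1, 8), 8 };
    struct bind b = { col.data, col.len };
    int stale = -1;
    if (col.data && (use_fix ? fetch_grow_fixed : fetch_grow_vulnerable)(&col, &b, 64) == 0)
        stale = bind_is_stale(&col, &b);
    free(col.data);
    return stale;
}
```

In the vulnerable path any later read or write through the binding would touch freed memory, which is why the model only compares the binding against the live buffer and never dereferences it.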
Upstream patch:
https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1
References:
http://seclists.org/oss-sec/2016/q4/536
Mitigation:
This problem is only exposed when the user enables server-side prepared statement support (mysql_server_prepare=1), which is NOT the default behavior; it was turned off for all drivers per a MySQL AB decision in 2006 due to issues with server-side prepared statements in the server.
Use the default driver setting which uses emulated prepared statements.