Bug 1399580 (CVE-2016-1251)

Summary: CVE-2016-1251 perl-DBD-MySQL: Use after free when using prepared statements
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, jorton, jplesnik, perl-devel, perl-maint-list, ppisar, psabata, sardella, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: perl-DBD-MySQL 4.041
Last Closed: 2019-06-08 03:02:45 UTC
Bug Depends On: 1399581, 1405899
Bug Blocks: 1399583

Description Adam Mariš 2016-11-29 10:41:15 UTC
A use after free vulnerability when using prepared statements was found in DBD::mysql. The function dbd_st_fetch() can, via Renew(), reallocate the output buffer for the mysql_stmt_fetch() call, but it does not update the pointer to that buffer in the imp_sth->stmt structure initialized by the mysql_stmt_bind_result() function, which leads to a use after free in any mysql function that accesses the imp_sth->stmt structure.

This vulnerability is present in all releases at least back to version 3.0 of the driver, which was released in 2005.

Upstream patch:

https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1

References:

http://seclists.org/oss-sec/2016/q4/536
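The mechanism the description gives (a bound result buffer is grown, the old block is freed, and the binding still points at the freed block) reduced to a constructed C analogue. This is added example code, not DBD::mysql's or libmysqlclient's own; bind_t, stmt_t, grow_without_rebind, grow_and_rebind and bindings_consistent are assumed names standing in for the MYSQL_BIND entry, the bound-result state in imp_sth->stmt, and the fetch code's buffer handling.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins (not the driver's types): bind_t for the MYSQL_BIND
 * entry recorded by mysql_stmt_bind_result(), stmt_t for the bound-result
 * state the statement keeps in imp_sth->stmt. */
typedef struct { char *buffer; size_t buffer_length; } bind_t;
typedef struct { bind_t bind[4]; size_t nbind; } stmt_t;

/* Register the caller-owned output buffer for column i (the one-time bind). */
static void bind_result(stmt_t *stmt, size_t i, char *buf, size_t len) {
    stmt->bind[i].buffer = buf;
    stmt->bind[i].buffer_length = len;
}

/* Grow a column buffer by moving it to a new block and releasing the old one,
 * as a Renew() that cannot extend in place does. */
static char *grow(char *old, size_t oldlen, size_t newlen) {
    char *fresh = malloc(newlen);
    if (!fresh) return NULL;
    memcpy(fresh, old, oldlen);
    free(old);                        /* any copy of the old address now dangles */
    return fresh;
}

/* The pattern the report describes: the fetch code grows its buffer but never
 * tells the statement, so bind[i].buffer keeps the freed address. */
char *grow_without_rebind(stmt_t *stmt, size_t i, char *buf, size_t newlen) {
    return grow(buf, stmt->bind[i].buffer_length, newlen);
}

/* Corrected pattern: every reallocation is followed by refreshing the binding. */
char *grow_and_rebind(stmt_t *stmt, size_t i, char *buf, size_t newlen) {
    char *fresh = grow(buf, stmt->bind[i].buffer_length, newlen);
    if (fresh) bind_result(stmt, i, fresh, newlen);
    return fresh;
}

/* Invariant to hold before any call that reads the bound state: each bound
 * pointer is the buffer the driver currently owns. Returns 1 if consistent. */
int bindings_consistent(const stmt_t *stmt, char *const *owned) {
    for (size_t i = 0; i < stmt->nbind; i++)
        if (stmt->bind[i].buffer != owned[i]) return 0;
    return 1;
}
```

The check in bindings_consistent only compares addresses; it never dereferences the stale pointer, which is what a real fetch through the statement would do.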

Comment 1 Adam Mariš 2016-11-29 10:41:44 UTC
Created perl-DBD-MySQL tracking bugs for this issue:

Affects: fedora-all [bug 1399581]

Comment 7 Dhiru Kholia 2017-01-04 05:04:33 UTC
Mitigation:

This problem is only exposed when the user uses server-side prepared statement support (mysql_server_prepare=1), which is NOT the default behavior and was turned off for all drivers per MySQL AB's decision in 2006 due to issues with server-side prepared statements in the server.

Use the default driver setting which uses emulated prepared statements.