Bug 1472685 (CVE-2017-3635)
| Summary: | CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aortega, apevec, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mkocka, mmuzila, mschorm, praiskup, rbryant, sclewis, srevivo, tdecacqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | mysql 5.5.57, mysql 5.6.37, mysql 5.7.19 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-02 11:28:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1472716, 1472717 | | |
| Bug Blocks: | 1472713 | | |
Description
Adam Mariš
2017-07-19 08:28:19 UTC
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1472717]

Created community-mysql tracking bugs for this issue:
Affects: fedora-all [bug 1472716]

Oracle CPU includes the following note for this issue:

The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

That note suggests this CVE is related to the discussion that started here: http://seclists.org/oss-sec/2017/q2/443 and also led to the assignment of CVE-2017-10788 for perl-DBD-MySQL, see bug 1467600.

The problem pointed out in the linked post is that MySQL documentation included a code example as:

```c
/* Close the statement */
if (mysql_stmt_close(stmt))
{
  fprintf(stderr, " failed while closing the statement\n");
  /* stmt has already been freed by mysql_stmt_close() at this point */
  fprintf(stderr, " %s\n", mysql_stmt_error(stmt));
  exit(0);
}
```

If mysql_stmt_close() fails, mysql_stmt_error() is called for the statement to get the failure reason. However, as the stmt is unconditionally freed at the end of mysql_stmt_close(), mysql_stmt_error() accesses memory that was already freed (use-after-free issue).

MySQL release notes contain this information:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

If the mysql_stmt_close() C API function was called, it freed memory that later could be accessed if mysql_stmt_error(), mysql_stmt_errno(), or mysql_stmt_sqlstate() was called. To obtain error information after a call to mysql_stmt_close(), call mysql_error(), mysql_errno(), or mysql_sqlstate() instead. (Bug #25988681)

Related code commit referencing the same upstream bug id:
https://github.com/mysql/mysql-server/commit/3d8134d2c9b74bc8883ffe2ef59c168361223837

This change does not address the use-after-free, it only prevents mysql_stmt_close() from copying error information into the stmt structure that is subsequently freed. It does not prevent use-after-free if mysql_stmt_error() is called subsequently, and it possibly negatively impacts the output by causing it to be empty or an unrelated error message.

It does not seem we can consider this CVE to be for a code fix and can only consider it a CVE for flawed documentation.

As the official MySQL documentation is not part of the MySQL distribution and hence is not part of MySQL packages distributed by Red Hat, this CVE does not seem applicable to any Red Hat distributed MySQL and MariaDB packages.
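Because the documentation example was copied into application code (the perl-DBD-MySQL case referenced above is one instance), the practical defender's task is auditing C sources for the same pattern. The following Python script is an added example, not code from this bug report, from MySQL or from Red Hat: a heuristic checker that flags a MYSQL_STMT handle passed to mysql_stmt_close() and then handed to any mysql_stmt_*() function before being reassigned. The three C snippets embedded in it are constructed samples: the first is the documentation example quoted in the comment wrapped in a function, the second is the corrected form the release notes describe (mysql_errno()/mysql_error() on the connection handle, which mysql_stmt_close() does not free), and the third re-initialises the handle after closing it, which the checker treats as safe.

```python
"""Heuristic C-source check for the CVE-2017-3635 pattern: a MYSQL_STMT handle
passed to mysql_stmt_close() and then used again (use-after-free).
Added example; not code from the bug report, MySQL or Red Hat."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    close_line: int  # 1-based line of the mysql_stmt_close() call
    use_line: int    # 1-based line where the freed handle is used again
    handle: str      # variable passed to mysql_stmt_close()
    call: str        # suffix of the mysql_stmt_*() function applied to the freed handle


CLOSE_RE = re.compile(r"\bmysql_stmt_close\s*\(\s*([A-Za-z_]\w*)\s*\)")


def _strip_comments(src: str) -> str:
    """Blank out /* */ and // comments, preserving newlines so line numbers stay valid."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)  # heuristic: also hits '//' inside string literals


def find_stmt_use_after_close(src: str) -> List[Finding]:
    """Report every mysql_stmt_*(handle, ...) call that follows mysql_stmt_close(handle).
    Scanning stops when the handle is reassigned (e.g. a fresh mysql_stmt_init())
    or at a column-0 '}', which in common C layout ends the enclosing function."""
    lines = _strip_comments(src).split("\n")
    findings: List[Finding] = []
    for close_idx, line in enumerate(lines):
        for m in CLOSE_RE.finditer(line):
            handle = m.group(1)
            use_re = re.compile(r"\bmysql_stmt_(\w+)\s*\(\s*" + re.escape(handle) + r"\s*[,)]")
            reassign_re = re.compile(r"\b" + re.escape(handle) + r"\s*=[^=]")
            for use_idx in range(close_idx, len(lines)):
                # On the close line itself, only look at text after the close call.
                text = lines[use_idx][m.end():] if use_idx == close_idx else lines[use_idx]
                if use_idx != close_idx and text.startswith("}"):
                    break
                if reassign_re.search(text):
                    break
                for u in use_re.finditer(text):
                    findings.append(Finding(close_idx + 1, use_idx + 1, handle, u.group(1)))
    return findings


def report(name: str, src: str) -> str:
    """Human-readable summary for one translation unit."""
    findings = find_stmt_use_after_close(src)
    if not findings:
        return f"{name}: OK"
    return "\n".join(
        f"{name}:{f.use_line}: mysql_stmt_{f.call}({f.handle}) uses handle freed by "
        f"mysql_stmt_close() on line {f.close_line}"
        for f in findings
    )


# Constructed sample 1: the documentation example quoted in the bug, wrapped in a function.
BAD_SOURCE = """\
static void run_bad(MYSQL *conn)
{
    MYSQL_STMT *stmt = mysql_stmt_init(conn);
    /* ... prepare, bind, execute, fetch ... */
    /* Close the statement */
    if (mysql_stmt_close(stmt))
    {
        fprintf(stderr, " failed while closing the statement\\n");
        fprintf(stderr, " %s\\n", mysql_stmt_error(stmt));
        exit(0);
    }
}
"""

# Constructed sample 2: the form the release notes recommend; the connection handle
# is not freed by mysql_stmt_close(), so its error accessors are safe to call.
GOOD_SOURCE = """\
static void run_good(MYSQL *conn)
{
    MYSQL_STMT *stmt = mysql_stmt_init(conn);
    if (mysql_stmt_close(stmt))
    {
        fprintf(stderr, " failed while closing the statement\\n");
        fprintf(stderr, " (%u) %s\\n", mysql_errno(conn), mysql_error(conn));
        exit(0);
    }
}
"""

# Constructed sample 3: the handle is re-initialised after close, so later uses are fine.
REUSE_SOURCE = """\
static void run_reuse(MYSQL *conn)
{
    MYSQL_STMT *stmt = mysql_stmt_init(conn);
    mysql_stmt_close(stmt);
    stmt = mysql_stmt_init(conn);
    if (mysql_stmt_prepare(stmt, "SELECT 1", 8))
        fprintf(stderr, "%s\\n", mysql_stmt_error(stmt));
    mysql_stmt_close(stmt);
}
"""

if __name__ == "__main__":
    for name, src in (("bad.c", BAD_SOURCE), ("good.c", GOOD_SOURCE), ("reuse.c", REUSE_SOURCE)):
        print(report(name, src))
```

The checker is text-based and deliberately conservative: it flags only the three functions named in the release note plus any other mysql_stmt_*() call on the same handle (a second mysql_stmt_close() would be a double free), and it stops at reassignment or at the end of the function. It does not follow the handle across function calls or pointer aliases, so a clean result is not proof of absence; a sanitizer build (AddressSanitizer) exercising the close-failure path is the complementary dynamic check.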