Bug 1472685 (CVE-2017-3635)

Summary: CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mkocka, mmuzila, mschorm, praiskup, rbryant, sclewis, srevivo, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql 5.5.57, mysql 5.6.37, mysql 5.7.19 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-02 11:28:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1472716, 1472717    
Bug Blocks: 1472713    

Description Adam Mariš 2017-07-19 08:28:19 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: C API). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 

External References:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL

Comment 1 Adam Mariš 2017-07-19 08:51:05 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1472717]

Comment 2 Adam Mariš 2017-07-19 08:51:19 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1472716]

Comment 3 Tomas Hoger 2017-08-02 11:15:06 UTC
Oracle CPU includes the following note for this issue:

  The documentation has also been updated for the correct way to use
  mysql_stmt_close(). Please see:

  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html , and
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

That not suggests this CVE is related to the discussion that started here:

http://seclists.org/oss-sec/2017/q2/443

and also led to the assignment of CVE-2017-10788 for perl-DBD-MySQL, see bug 1467600.  The problem pointed out in the link post is that MySQL documentation included a code example as:

  /* Close the statement */
  if (mysql_stmt_close(stmt))
  {
    fprintf(stderr, " failed while closing the statement\n");
    fprintf(stderr, " %s\n", mysql_stmt_error(stmt));
    exit(0);
  }

If mysql_stmt_close() fails, mysql_stmt_error() is called for the statement to get the failure reason.  However, as the stmt is unconditionally freed at the end of mysql_stmt_close(), the mysql_stmt_error() accesses memory that was already freed (use-after-free issue).

MySQL release notes contain this information:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

  If the mysql_stmt_close() C API function was called, it freed memory that
  later could be accessed if mysql_stmt_error(), mysql_stmt_errno(), or
  mysql_stmt_sqlstate() was called. To obtain error information after a call
  to mysql_stmt_close(), call mysql_error(), mysql_errno(), or
  mysql_sqlstate() instead. (Bug #25988681)

Related code commit referencing the same upstream bug id:

https://github.com/mysql/mysql-server/commit/3d8134d2c9b74bc8883ffe2ef59c168361223837

This change does not address the use-after-free, it only prevents the mysql_stmt_close() from copying error information into the stmt structure that is subsequently freed.  It does not prevent use-after-free if mysql_stmt_error() is called subsequently, and it possibly negatively impacts the output by causing it to be empty or unrelated error message.

It does not seem we can consider this CVE to be for a code fix and can only consider it a CVE for a flawed documentation.  As the official MySQL documentation is not part of MySQL distribution and hence is not part of MySQL packages distributed by Red Hat, this CVE does not seem applicable to any Red Hat distributed MySQL and MariaDB packages.