Bug 619009 (CVE-2010-3063, CVE-2010-3064, MOPS-2010-057, MOPS-2010-058, MOPS-2010-059)

Summary: CVE-2010-3062 CVE-2010-3063 CVE-2010-3064 php: mysqlnd: multiple buffer overflows (MOPS-2010-05[789])
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-07-28 10:44:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2010-07-28 10:44:10 UTC 
Stefan Esser discovered multiple buffer overflow flaws in PHP's mysqlnd (MySQL native driver) extension in functions php_mysqlnd_rset_header_read(), php_mysqlnd_read_error_from_line() and php_mysqlnd_auth_write().  A malicious mysql server could trigger heap or stack based buffer overflow in PHP interpreter via a specially-crafted mysql network protocol packets, possibly leading to arbitrary code execution with interpreter's privileges.

References:
http://php-security.org/2010/05/31/mops-2010-057-php-php_mysqlnd_rset_header_read-buffer-overflow-vulnerability/index.html
http://php-security.org/2010/05/31/mops-2010-058-php-php_mysqlnd_read_error_from_line-buffer-overflow-vulnerability/index.html
http://php-security.org/2010/05/31/mops-2010-059-php-php_mysqlnd_auth_write-stack-buffer-overflow-vulnerability/index.html

Related upstream commits:
http://svn.php.net/viewvc?view=revision&revision=298703
http://svn.php.net/viewvc?view=revision&revision=298235
Comment 1 Tomas Hoger 2010-07-28 10:44:49 UTC 
mysqlnd extension was added in PHP 5.3.  Therefore, this issue does not affect
PHP versions in Red Hat Enterprise Linux 3, 4, and 5.  mysqlnd extension is not
enabled in Fedora and Red Hat Enterprise Linux 6 Beta php packages, older mysql
client library is still used.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with
Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
Comment 2 Tomas Hoger 2010-08-23 07:08:06 UTC 
Assigned CVEs:

CVE-2010-3062 (covers MOPS-2010-056 - bug #619007 - too):

mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows
remote attackers to (1) read sensitive memory via a modified length value,
which is not properly handled by the php_mysqlnd_ok_read function; or (2)
trigger a heap-based buffer overflow via a modified length value, which is not
properly handled by the php_mysqlnd_rset_header_read function.

CVE-2010-3063:

The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.

CVE-2010-3064:

Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.