Bug 814605 (CVE-2012-2122)

Fixed (MySQL) upstream in:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

  Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED

  Fixed an improper type conversion on return that can make the server accept
  logins with a wrong password.

Fix included in upstream versions 5.1.63 and 5.5.24:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

This is now public via:

http://seclists.org/oss-sec/2012/q2/493

https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

The MySQL bug (casting of the int to char, which may lead to truncation) exists in MySQL code base since 4.x versions.  However, it only is an issue when used with memcmp() implementation that can return values out of the -255 .. 255 range.

memcmp() function is defined as:

  int memcmp(const void *s1, const void *s2, size_t n);

It returns an integer less than, equal to, or greater than zero if the first n bytes of s1 is found, respectively, to be less than, to match, or be greater than the first n bytes of s2.

memcmp() implementations often return values that do not use full range of the int type and rather return one of the following:

- normalized values (-1/0/1)
- diff of the first non-equal bytes (this is a documented behavior of BSD libc
implementation, but also a behavior of the gcc builtin implementation used on x86 architectures)

A glibc x86_64 SSE4 optimized memcmp() implementation was identified as one that returns values out of the -255 .. 255 range.  Depending on the position of the first non-equal byte, it often returns value that is multiple of 256, which results in non-0 memcmp() return value to be incorrectly converted to 0 after casting the value to char type.  This optimized memcmp() version is only available in recent glibc versions.  Red Hat Enterprise Linux 6 is the first Red Hat Enterprise Linux version that has this optimized implementation available.

However, mysql packages in Red Hat Enterprise Linux 6 do not use glibc optimized memcmp() version.  A gcc builtin is used in check_scramble(), which do not trigger this problem (see above).

This problem was tested on all Red Hat Enterprise Linux 4, 5, and 6 architectures using the latest released mysql packages and was not found to affect any version.  There is no plan for an immediate update correcting this issue, it will be corrected with future mysql packages updates.

In Fedora, glibc memcmp() function is called from check_scramble() and hence x86_64 SSE4 systems are known to be affected by this problem.

Created mysql tracking bugs for this issue

Affects: fedora-all [bug 830680]

Statement:

This issue does not affect MySQL as shipped with Red Hat Enterprise Linux 4, 5, or 6.  For a technical explanation please see https://bugzilla.redhat.com/show_bug.cgi?id=814605#c19

mysql-5.5.24-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

mysql-5.5.24-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0180 https://rhn.redhat.com/errata/RHSA-2013-0180.html

As explained in comment 19, this issue did not affect MySQL packages in Red Hat Enterprise Linux 4, 5 and 6.  Due to the possible impact of the flaw, mysql packages in Red Hat Enterprise Linux 5 and 6 now include the fix to ensure no future builds (possibly done with different compiler or C library optimization) are affected by this problem.

In Red Hat Enterprise Linux 5, the fix was included in RHSA-2013:0180 as backported patch:
  https://rhn.redhat.com/errata/RHSA-2013-0180.html

In Red Hat Enterprise Linux 6, mysql packages were updated to upstream version that includes the fix via RHSA-2012:1462:
  https://rhn.redhat.com/errata/RHSA-2012-1462.html