Bug 814605 (CVE-2012-2122)

Summary: CVE-2012-2122 mysql: incorrect type cast in check_scramble() leading to authentication bypass
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: athmanem, law, luke, mjc, mrunge, rcvalle, rdassen, roomojee, security-response-team, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql 5.1.63, mysql 5.5.24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-22 21:13:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 830650, 830680, 871813, 871814, 892679, 892680    
Bug Blocks: 814613, 832540, 833743    

Description Jan Lieskovsky 2012-04-20 08:41:38 UTC
MariaDB upstream reported a flaw in MySQL server's check_scramble() function that is used to check user passwords during authentication.  The memcmp() function return value of type int was cast to my_bool (char) type, which could result in 0 being returned by check_scramble() in cases when memcmp() returned non-0.

On systems where system memcmp() implementation can return values that do not fit into an int type, this flaw could allow (possibly remote) attackers able to connect to mysql port or socket to easily bypass password authentication.

MySQL upstream bug report:
http://bugs.mysql.com/bug.php?id=64884 (private)

MariaDB upstream patch and bug report:
https://bazaar.launchpad.net/~maria-captains/maria/5.5-release/revision/2502.554.2
https://mariadb.atlassian.net/browse/MDEV-212

Comment 10 Tomas Hoger 2012-05-14 15:54:27 UTC
Fixed (MySQL) upstream in:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

  Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED

  Fixed an improper type conversion on return that can make the server accept
  logins with a wrong password.

Fix included in upstream versions 5.1.63 and 5.5.24:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Comment 16 Huzaifa S. Sidhpurwala 2012-06-11 06:40:21 UTC
This is now public via:

http://seclists.org/oss-sec/2012/q2/493

Comment 19 Tomas Hoger 2012-06-11 08:13:09 UTC
The MySQL bug (casting of the int to char, which may lead to truncation) exists in MySQL code base since 4.x versions.  However, it only is an issue when used with memcmp() implementation that can return values out of the -255 .. 255 range.

memcmp() function is defined as:

  int memcmp(const void *s1, const void *s2, size_t n);

It returns an integer less than, equal to, or greater than zero if the first n bytes of s1 is found, respectively, to be less than, to match, or be greater than the first n bytes of s2.

memcmp() implementations often return values that do not use full range of the int type and rather return one of the following:

- normalized values (-1/0/1)
- diff of the first non-equal bytes (this is a documented behavior of BSD libc
implementation, but also a behavior of the gcc builtin implementation used on x86 architectures)

A glibc x86_64 SSE4 optimized memcmp() implementation was identified as one that returns values out of the -255 .. 255 range.  Depending on the position of the first non-equal byte, it often returns value that is multiple of 256, which results in non-0 memcmp() return value to be incorrectly converted to 0 after casting the value to char type.  This optimized memcmp() version is only available in recent glibc versions.  Red Hat Enterprise Linux 6 is the first Red Hat Enterprise Linux version that has this optimized implementation available.

However, mysql packages in Red Hat Enterprise Linux 6 do not use glibc optimized memcmp() version.  A gcc builtin is used in check_scramble(), which do not trigger this problem (see above).

This problem was tested on all Red Hat Enterprise Linux 4, 5, and 6 architectures using the latest released mysql packages and was not found to affect any version.  There is no plan for an immediate update correcting this issue, it will be corrected with future mysql packages updates.

In Fedora, glibc memcmp() function is called from check_scramble() and hence x86_64 SSE4 systems are known to be affected by this problem.

Comment 20 Jan Lieskovsky 2012-06-11 08:18:07 UTC
Created mysql tracking bugs for this issue

Affects: fedora-all [bug 830680]

Comment 21 Mark J. Cox 2012-06-12 08:23:49 UTC
Statement:

This issue does not affect MySQL as shipped with Red Hat Enterprise Linux 4, 5, or 6.  For a technical explanation please see https://bugzilla.redhat.com/show_bug.cgi?id=814605#c19

Comment 22 Fedora Update System 2012-06-17 22:24:22 UTC
mysql-5.5.24-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-06-26 21:30:48 UTC
mysql-5.5.24-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2013-01-22 18:35:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0180 https://rhn.redhat.com/errata/RHSA-2013-0180.html

Comment 26 Tomas Hoger 2013-01-22 21:13:04 UTC
As explained in comment 19, this issue did not affect MySQL packages in Red Hat Enterprise Linux 4, 5 and 6.  Due to the possible impact of the flaw, mysql packages in Red Hat Enterprise Linux 5 and 6 now include the fix to ensure no future builds (possibly done with different compiler or C library optimization) are affected by this problem.

In Red Hat Enterprise Linux 5, the fix was included in RHSA-2013:0180 as backported patch:
  https://rhn.redhat.com/errata/RHSA-2013-0180.html

In Red Hat Enterprise Linux 6, mysql packages were updated to upstream version that includes the fix via RHSA-2012:1462:
  https://rhn.redhat.com/errata/RHSA-2012-1462.html