A use-after-free vulnerability affecting prepared statements was found in DBD::mysql. The function dbd_st_fetch() can reallocate, via Renew(), the output buffer used for the mysql_stmt_fetch() call, but it does not update the pointer to that buffer held in the imp_sth->stmt structure that mysql_stmt_bind_result() initialized. The stale pointer then leads to a use-after-free in any MySQL client library function that accesses imp_sth->stmt. This vulnerability is present in all releases at least as far back as version 3.0 of the driver, released in 2005. Upstream patch: https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1 References: http://seclists.org/oss-sec/2016/q4/536
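The following is an added illustration of the pattern described above; it is not DBD::mysql's code or the upstream patch. A result-bind structure keeps a raw pointer to the driver's output buffer (as MYSQL_BIND.buffer does after mysql_stmt_bind_result()); the driver grows the buffer (Renew() is Perl's realloc wrapper, modelled here as allocate, copy, free so the block always moves), and the vulnerable shape leaves the bind pointing at the freed block while the fixed shape rebinds after growth. All type and function names (stmt_handle, result_bind, bind_result, renew_buffer, grow_vulnerable, grow_fixed, fetch_into_bind, run_scenario) are hypothetical stand-ins for the library and driver calls named in the text, and the column value is constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the pattern behind the bug, not DBD::mysql's code.
 * A result bind caches a raw pointer to the output buffer, as
 * MYSQL_BIND.buffer does once mysql_stmt_bind_result() has run. */
typedef struct {
    char *buffer;           /* pointer the library writes fetched data into */
    unsigned long length;   /* size the library believes that buffer has */
} result_bind;

typedef struct {
    char *buf;              /* output buffer owned by the driver */
    unsigned long cap;      /* its current allocation size */
    result_bind bind;       /* what was handed to the library */
} stmt_handle;

/* Stand-in for mysql_stmt_bind_result(): snapshot pointer and size. */
static void bind_result(stmt_handle *sth)
{
    sth->bind.buffer = sth->buf;
    sth->bind.length = sth->cap;
}

/* Stand-in for Renew(): modelled as allocate + copy + free so the block
 * always moves and the stale pointer is visible deterministically. */
static void renew_buffer(stmt_handle *sth, unsigned long need)
{
    char *fresh = malloc(need);
    if (!fresh)
        abort();
    memcpy(fresh, sth->buf, sth->cap < need ? sth->cap : need);
    free(sth->buf);         /* old block is gone; bind.buffer may still name it */
    sth->buf = fresh;
    sth->cap = need;
}

/* Vulnerable shape: grow the buffer, leave the bind untouched. */
static void grow_vulnerable(stmt_handle *sth, unsigned long need)
{
    if (need > sth->cap)
        renew_buffer(sth, need);
}

/* Fixed shape: grow, then rebind so the library sees the new block. */
static void grow_fixed(stmt_handle *sth, unsigned long need)
{
    if (need > sth->cap) {
        renew_buffer(sth, need);
        bind_result(sth);   /* refresh the pointer the stmt structure holds */
    }
}

/* Stand-in for mysql_stmt_fetch(): writes through whatever the bind holds. */
static void fetch_into_bind(stmt_handle *sth, const char *val, unsigned long len)
{
    memcpy(sth->bind.buffer, val, len);
}

/* True when the bind still names the live buffer with its real size. */
static bool bind_is_consistent(const stmt_handle *sth)
{
    return sth->bind.buffer == sth->buf && sth->bind.length == sth->cap;
}

/* One fetch of a column wider than the initial buffer, with either growth
 * strategy. Returns whether the bind stayed consistent. The write through
 * the bind is only performed when it is safe; in the real driver,
 * mysql_stmt_fetch() would perform it unconditionally, into freed memory. */
static bool run_scenario(bool use_fix)
{
    static const char wide[] = "constructed column value wider than 16 bytes";
    const unsigned long need = sizeof wide;  /* includes the NUL */

    stmt_handle sth;
    sth.cap = 16;
    sth.buf = calloc(1, sth.cap);
    if (!sth.buf)
        abort();
    bind_result(&sth);                       /* first bind, as at execute time */

    if (use_fix)
        grow_fixed(&sth, need);
    else
        grow_vulnerable(&sth, need);

    bool ok = bind_is_consistent(&sth);
    if (ok)
        fetch_into_bind(&sth, wide, need);   /* lands in the live buffer */

    free(sth.buf);
    return ok;
}

int main(void)
{
    return (run_scenario(true) && !run_scenario(false)) ? 0 : 1;
}
```

The check to carry into real code is the one bind_is_consistent() models: any time a buffer that a library has been told about is reallocated, the library must be re-informed (here by re-running the bind step) before the next call that writes through its cached pointer.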
Created perl-DBD-MySQL tracking bugs for this issue: Affects: fedora-all [bug 1399581]
Mitigation: This problem is only exposed when the user enables server-side prepared statement support (mysql_server_prepare=1). This is NOT the default behavior; it was turned off for all drivers in 2006 following a MySQL AB decision, due to issues with server-side prepared statements in the server. Use the default driver setting, which emulates prepared statements on the client side.