Bug 1472685 - (CVE-2017-3635) CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170719,repor...
: Security
Depends On: 1472716 1472717
Blocks: 1472713
  Show dependency treegraph
 
Reported: 2017-07-19 04:28 EDT by Adam Mariš
Modified: 2017-08-09 13:06 EDT (History)
24 users (show)

See Also:
Fixed In Version: mysql 5.5.57, mysql 5.6.37, mysql 5.7.19
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-02 07:28:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-07-19 04:28:19 EDT
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: C API). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 

External References:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL
Comment 1 Adam Mariš 2017-07-19 04:51:05 EDT
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1472717]
Comment 2 Adam Mariš 2017-07-19 04:51:19 EDT
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1472716]
Comment 3 Tomas Hoger 2017-08-02 07:15:06 EDT
Oracle CPU includes the following note for this issue:

  The documentation has also been updated for the correct way to use
  mysql_stmt_close(). Please see:

  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html , and
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

That not suggests this CVE is related to the discussion that started here:

http://seclists.org/oss-sec/2017/q2/443

and also led to the assignment of CVE-2017-10788 for perl-DBD-MySQL, see bug 1467600.  The problem pointed out in the link post is that MySQL documentation included a code example as:

  /* Close the statement */
  if (mysql_stmt_close(stmt))
  {
    fprintf(stderr, " failed while closing the statement\n");
    fprintf(stderr, " %s\n", mysql_stmt_error(stmt));
    exit(0);
  }

If mysql_stmt_close() fails, mysql_stmt_error() is called for the statement to get the failure reason.  However, as the stmt is unconditionally freed at the end of mysql_stmt_close(), the mysql_stmt_error() accesses memory that was already freed (use-after-free issue).

MySQL release notes contain this information:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

  If the mysql_stmt_close() C API function was called, it freed memory that
  later could be accessed if mysql_stmt_error(), mysql_stmt_errno(), or
  mysql_stmt_sqlstate() was called. To obtain error information after a call
  to mysql_stmt_close(), call mysql_error(), mysql_errno(), or
  mysql_sqlstate() instead. (Bug #25988681)

Related code commit referencing the same upstream bug id:

https://github.com/mysql/mysql-server/commit/3d8134d2c9b74bc8883ffe2ef59c168361223837

This change does not address the use-after-free, it only prevents the mysql_stmt_close() from copying error information into the stmt structure that is subsequently freed.  It does not prevent use-after-free if mysql_stmt_error() is called subsequently, and it possibly negatively impacts the output by causing it to be empty or unrelated error message.

It does not seem we can consider this CVE to be for a code fix and can only consider it a CVE for a flawed documentation.  As the official MySQL documentation is not part of MySQL distribution and hence is not part of MySQL packages distributed by Red Hat, this CVE does not seem applicable to any Red Hat distributed MySQL and MariaDB packages.

Note You need to log in before you can comment on or make changes to this bug.