Red Hat Bugzilla – Bug 1472685
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
Last modified: 2017-08-09 13:06:18 EDT
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: C API). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1472717]
Created community-mysql tracking bugs for this issue:
Affects: fedora-all [bug 1472716]
Oracle CPU includes the following note for this issue:
The documentation has also been updated for the correct way to use
mysql_stmt_close(). Please see:
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html , and
That note suggests this CVE is related to the discussion that started here:
and also led to the assignment of CVE-2017-10788 for perl-DBD-MySQL, see bug 1467600. The problem pointed out in the linked post is that MySQL documentation included a code example as:
/* Close the statement */
if (mysql_stmt_close(stmt))
{
  fprintf(stderr, " failed while closing the statement\n");
  fprintf(stderr, " %s\n", mysql_stmt_error(stmt)); /* stmt was already freed inside mysql_stmt_close() */
}
If mysql_stmt_close() fails, mysql_stmt_error() is called for the statement to get the failure reason. However, as the stmt is unconditionally freed at the end of mysql_stmt_close(), mysql_stmt_error() accesses memory that was already freed (use-after-free issue).
MySQL release notes contain this information:
If the mysql_stmt_close() C API function was called, it freed memory that
later could be accessed if mysql_stmt_error(), mysql_stmt_errno(), or
mysql_stmt_sqlstate() was called. To obtain error information after a call
to mysql_stmt_close(), call mysql_error(), mysql_errno(), or
mysql_sqlstate() instead. (Bug #25988681)
Related code commit referencing the same upstream bug id:
This change does not address the use-after-free, it only prevents mysql_stmt_close() from copying error information into the stmt structure that is subsequently freed. It does not prevent use-after-free if mysql_stmt_error() is called subsequently, and it possibly negatively impacts the output by causing it to be an empty or unrelated error message.
It does not seem we can consider this CVE to be for a code fix and can only consider it a CVE for a flawed documentation. As the official MySQL documentation is not part of MySQL distribution and hence is not part of MySQL packages distributed by Red Hat, this CVE does not seem applicable to any Red Hat distributed MySQL and MariaDB packages.
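A constructed C model of the failure mode discussed above, added here as an illustration and not code from the MySQL project or libmysqlclient: toy_conn and toy_stmt stand in for MYSQL and MYSQL_STMT, toy_stmt_close() mimics mysql_stmt_close() freeing the statement unconditionally, and the error number 2013 and message are sample values. It places the old documentation pattern (reading the error through the freed statement) next to the pattern the release note recommends (reading it from the connection handle).

```c
/* Toy model of the libmysqlclient close path (constructed, NOT the real library):
 * connection and statement each hold an error buffer; closing frees the statement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { char last_error[64]; unsigned last_errno; } toy_conn;   /* stands in for MYSQL */
typedef struct { toy_conn *conn; char last_error[64]; unsigned last_errno;
                 int fail_on_close; } toy_stmt;                         /* stands in for MYSQL_STMT */

/* Stand-in for mysql_stmt_init(); fail_on_close scripts the close outcome. */
toy_stmt *toy_stmt_init(toy_conn *conn, int fail_on_close) {
    toy_stmt *s = calloc(1, sizeof *s);
    s->conn = conn;
    s->fail_on_close = fail_on_close;
    return s;
}

/* Models mysql_stmt_close(): on failure the error is recorded on both the
 * connection and the statement, then the statement is freed regardless. */
int toy_stmt_close(toy_stmt *stmt) {
    int rc = 0;
    if (stmt->fail_on_close) {
        rc = 1;
        stmt->conn->last_errno = 2013;   /* sample value, not a real result */
        snprintf(stmt->conn->last_error, sizeof stmt->conn->last_error,
                 "Lost connection to MySQL server");
        snprintf(stmt->last_error, sizeof stmt->last_error, "%s", stmt->conn->last_error);
    }
    free(stmt);   /* stmt is gone: any later stmt-> access is a use-after-free */
    return rc;
}

/* Old documentation pattern: reads the error through the freed statement.
 * Do not call; kept for contrast. AddressSanitizer flags the dereference. */
const char *close_report_uaf(toy_stmt *stmt) {
    if (toy_stmt_close(stmt))
        return stmt->last_error;   /* dangling: stmt was freed inside close */
    return "";
}

/* Release-note pattern: after mysql_stmt_close(), read error information from
 * the still-live connection (mysql_error()/mysql_errno()). Returns errno, 0 if ok. */
unsigned close_report_safe(toy_conn *conn, toy_stmt *stmt, char *out, size_t out_len) {
    if (toy_stmt_close(stmt)) {
        snprintf(out, out_len, "failed while closing the statement: %s", conn->last_error);
        return conn->last_errno;
    }
    out[0] = '\0';
    return 0;
}
```

Building the real application with -fsanitize=address would report the same heap-use-after-free on the documented pattern that close_report_uaf() reproduces here.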