Bug 1472685 (CVE-2017-3635) - CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
Summary: CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
Alias: CVE-2017-3635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1472716 1472717
Blocks: 1472713
TreeView+ depends on / blocked
Reported: 2017-07-19 08:28 UTC by Adam Mariš
Modified: 2019-09-29 14:16 UTC (History)
24 users (show)

Fixed In Version: mysql 5.5.57, mysql 5.6.37, mysql 5.7.19
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-02 11:28:31 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-07-19 08:28:19 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: C API). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 

External References:


Comment 1 Adam Mariš 2017-07-19 08:51:05 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1472717]

Comment 2 Adam Mariš 2017-07-19 08:51:19 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1472716]

Comment 3 Tomas Hoger 2017-08-02 11:15:06 UTC
Oracle CPU includes the following note for this issue:

  The documentation has also been updated for the correct way to use
  mysql_stmt_close(). Please see:

  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html ,
  https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html , and

That not suggests this CVE is related to the discussion that started here:


and also led to the assignment of CVE-2017-10788 for perl-DBD-MySQL, see bug 1467600.  The problem pointed out in the link post is that MySQL documentation included a code example as:

  /* Close the statement */
  if (mysql_stmt_close(stmt))
    fprintf(stderr, " failed while closing the statement\n");
    fprintf(stderr, " %s\n", mysql_stmt_error(stmt));

If mysql_stmt_close() fails, mysql_stmt_error() is called for the statement to get the failure reason.  However, as the stmt is unconditionally freed at the end of mysql_stmt_close(), the mysql_stmt_error() accesses memory that was already freed (use-after-free issue).

MySQL release notes contain this information:


  If the mysql_stmt_close() C API function was called, it freed memory that
  later could be accessed if mysql_stmt_error(), mysql_stmt_errno(), or
  mysql_stmt_sqlstate() was called. To obtain error information after a call
  to mysql_stmt_close(), call mysql_error(), mysql_errno(), or
  mysql_sqlstate() instead. (Bug #25988681)

Related code commit referencing the same upstream bug id:


This change does not address the use-after-free, it only prevents the mysql_stmt_close() from copying error information into the stmt structure that is subsequently freed.  It does not prevent use-after-free if mysql_stmt_error() is called subsequently, and it possibly negatively impacts the output by causing it to be empty or unrelated error message.

It does not seem we can consider this CVE to be for a code fix and can only consider it a CVE for a flawed documentation.  As the official MySQL documentation is not part of MySQL distribution and hence is not part of MySQL packages distributed by Red Hat, this CVE does not seem applicable to any Red Hat distributed MySQL and MariaDB packages.

Note You need to log in before you can comment on or make changes to this bug.