libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a client. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.

Upstream fix:
https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945
https://github.com/mariadb-corporation/mariadb-connector-c/compare/v3.1.7...v3.1.8
Created mariadb-connector-c tracking bugs for this issue:

Affects: fedora-all [bug 1839828]
In reply to comment #0:
> libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not
> properly validate the content of an OK packet received from a client.

This description is incorrect, as "An OK packet is sent from the server to the client to signal successful completion of a command.":
https://dev.mysql.com/doc/internals/en/packet-OK_Packet.html
MariaDB Connector/C is included with MariaDB Server 10.2 and later. The fixed Connector/C version was added to Server source code via this commit: https://github.com/MariaDB/server/commit/1d1fb13e59 in versions 10.2.32, 10.3.23, 10.4.13, and 10.5.3.
The fix linked in comment 0 corrects multiple out-of-bounds read issues. They were possible because of insufficient checks of the lengths of various fields extracted from OK packets received from a MySQL/MariaDB server - when a field length was extracted from the packet, MariaDB Connector/C did not ensure that the length does not exceed the remaining size of the packet received. These issues could trigger a crash. However, there was also an out-of-bounds write issue, where a value read from the packet was copied to a fixed-size buffer cs_name[] without checking the size of the data:
https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.7/libmariadb/mariadb_lib.c#L2132-L2135
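As an added illustration (not Connector/C code, and not the upstream fix), the two checks described in the comment above applied to a minimal reader for the documented OK packet layout: a length-encoded field is rejected when its declared length exceeds the bytes remaining in the packet (the out-of-bounds read case), and a copy into a fixed-size buffer is rejected when it would not fit (the cs_name[] case). The struct and function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a MySQL/MariaDB length-encoded integer at *pos.
 * Returns 0 on success, -1 if the field would run past the end of the packet. */
static int read_lenenc(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out) {
    size_t n; uint64_t v = 0;
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0xfb) { *out = b; return 0; }                      /* 1-byte form */
    n = (b == 0xfc) ? 2 : (b == 0xfd) ? 3 : (b == 0xfe) ? 8 : 0;
    if (n == 0 || len - *pos < n) return -1;   /* 0xfb/0xff invalid here, or prefix overruns packet */
    for (size_t i = 0; i < n; i++) v |= (uint64_t)buf[*pos + i] << (8 * i);
    *pos += n; *out = v;
    return 0;
}

/* Read a length-encoded string into a fixed-size caller buffer. Both checks the comment
 * above describes as missing are here: the declared length must fit in the remaining
 * packet (no OOB read) and the copy must fit in the destination (no OOB write). */
static int read_lenenc_str(const uint8_t *buf, size_t len, size_t *pos, char *dst, size_t cap) {
    uint64_t slen;
    if (read_lenenc(buf, len, pos, &slen)) return -1;
    if (slen > len - *pos) return -1;          /* field claims more bytes than the packet holds */
    if (slen >= cap) return -1;                /* would overflow dst (the cs_name[] pattern) */
    memcpy(dst, buf + *pos, (size_t)slen);
    dst[slen] = '\0';
    *pos += (size_t)slen;
    return 0;
}

/* Hypothetical struct holding the documented OK packet fields (not Connector/C's MYSQL). */
typedef struct { uint64_t affected_rows, last_insert_id; uint16_t status, warnings; char info[32]; } ok_packet_t;

/* Parse: 0x00 header, affected rows, last insert id, status(2), warnings(2), optional info. */
int parse_ok_packet(const uint8_t *buf, size_t len, ok_packet_t *ok) {
    size_t pos = 1;
    if (len < 1 || buf[0] != 0x00) return -1;
    if (read_lenenc(buf, len, &pos, &ok->affected_rows)) return -1;
    if (read_lenenc(buf, len, &pos, &ok->last_insert_id)) return -1;
    if (len - pos < 4) return -1;              /* status + warnings are fixed 2 bytes each */
    ok->status   = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
    ok->warnings = (uint16_t)(buf[pos + 2] | (buf[pos + 3] << 8));
    pos += 4;
    ok->info[0] = '\0';
    if (pos < len && read_lenenc_str(buf, len, &pos, ok->info, sizeof ok->info)) return -1;
    return 0;                                  /* 0 = well-formed, -1 = rejected */
}
```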
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1843795]

Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1843796]

Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1843797]
There is another case where an out-of-bounds write can happen. The following code sets mysql->info to point directly into the input packet data without creating a copy:
https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.7/libmariadb/mariadb_lib.c#L2045-L2046
and subsequently ensures that the data is correctly zero-terminated:
https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.7/libmariadb/mariadb_lib.c#L2065-L2067
However, the missing field length checks noted in comment 4 can cause the 0 to be written outside of the allocated buffer.
Actually, my info in comment 7 seems wrong - this check should have prevented a write beyond the end of the packet:
https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.7/libmariadb/mariadb_lib.c#L2057
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4174 https://access.redhat.com/errata/RHSA-2020:4174
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13249
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5246 https://access.redhat.com/errata/RHSA-2020:5246
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:5500 https://access.redhat.com/errata/RHSA-2020:5500
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:5503 https://access.redhat.com/errata/RHSA-2020:5503
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5654 https://access.redhat.com/errata/RHSA-2020:5654
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5655 https://access.redhat.com/errata/RHSA-2020:5655
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5660 https://access.redhat.com/errata/RHSA-2020:5660
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5663 https://access.redhat.com/errata/RHSA-2020:5663
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5665 https://access.redhat.com/errata/RHSA-2020:5665
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5662 https://access.redhat.com/errata/RHSA-2020:5662