Bug 619009 (CVE-2010-3063, CVE-2010-3064, MOPS-2010-057, MOPS-2010-058, MOPS-2010-059) - CVE-2010-3062 CVE-2010-3063 CVE-2010-3064 php: mysqlnd: multiple buffer overflows (MOPS-2010-05[789])
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-3063, CVE-2010-3064, MOPS-2010-057, MOPS-2010-058, MOPS-2010-059
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-07-28 10:44 UTC by Tomas Hoger
Modified: 2021-02-24 22:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-28 10:44:49 UTC
Embargoed:



Description Tomas Hoger 2010-07-28 10:44:10 UTC
Stefan Esser discovered multiple buffer overflow flaws in PHP's mysqlnd (MySQL native driver) extension in the functions php_mysqlnd_rset_header_read(), php_mysqlnd_read_error_from_line() and php_mysqlnd_auth_write(). A malicious MySQL server could trigger a heap- or stack-based buffer overflow in the PHP interpreter via specially crafted MySQL network protocol packets, possibly leading to arbitrary code execution with the interpreter's privileges.

References:
http://php-security.org/2010/05/31/mops-2010-057-php-php_mysqlnd_rset_header_read-buffer-overflow-vulnerability/index.html
http://php-security.org/2010/05/31/mops-2010-058-php-php_mysqlnd_read_error_from_line-buffer-overflow-vulnerability/index.html
http://php-security.org/2010/05/31/mops-2010-059-php-php_mysqlnd_auth_write-stack-buffer-overflow-vulnerability/index.html

Related upstream commits:
http://svn.php.net/viewvc?view=revision&revision=298703
http://svn.php.net/viewvc?view=revision&revision=298235

Comment 1 Tomas Hoger 2010-07-28 10:44:49 UTC
The mysqlnd extension was added in PHP 5.3.  Therefore, this issue does not affect
PHP versions in Red Hat Enterprise Linux 3, 4, and 5.  The mysqlnd extension is not
enabled in Fedora and Red Hat Enterprise Linux 6 Beta php packages; the older mysql
client library is still used.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with
Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.

Comment 2 Tomas Hoger 2010-08-23 07:08:06 UTC
Assigned CVEs:

CVE-2010-3062 (covers MOPS-2010-056 - bug #619007 - too):

mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows
remote attackers to (1) read sensitive memory via a modified length value,
which is not properly handled by the php_mysqlnd_ok_read function; or (2)
trigger a heap-based buffer overflow via a modified length value, which is not
properly handled by the php_mysqlnd_rset_header_read function.

CVE-2010-3063:

The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.

CVE-2010-3064:

Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.
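The three CVE texts above describe one bug class in three places: a length taken from the wire (or derived from a caller-supplied string) is used to size a copy without first being checked against the bytes actually available and against the destination buffer. The following C program is an added illustration of the checks that are missing in each case; it is not mysqlnd source and does not reproduce the vulnerable functions. It uses only the public MySQL wire format (4-byte packet header: 3-byte little-endian payload length plus sequence id; ERR packet: 0xFF, 2-byte errno, '#', 5-byte SQLSTATE, message). The buffer sizes, function names and the one-byte length prefix are assumptions chosen for the example.

```c
/* Added example: bounds-checked handling of the three field kinds named in
 * CVE-2010-3062/3063/3064. Constructed code, not the mysqlnd implementation. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_NAME 32          /* hypothetical fixed-size stack buffer for the auth packet */
#define ERR_PREFIX 9         /* 0xFF + 2-byte errno + '#' + 5-byte SQLSTATE */

enum { OK = 0, E_SHORT = -1, E_LEN = -2, E_DST = -3 };

/* Parse the 4-byte header; the declared payload length must not exceed the
 * bytes we actually received, otherwise a later copy would run off the buffer. */
static int pkt_payload(const uint8_t *buf, size_t n, const uint8_t **payload, size_t *plen)
{
    if (n < 4) return E_SHORT;
    size_t len = (size_t)buf[0] | ((size_t)buf[1] << 8) | ((size_t)buf[2] << 16);
    if (len > n - 4) return E_LEN;
    *payload = buf + 4;
    *plen = len;
    return OK;
}

/* Length-prefixed field (CVE-2010-3062 class): the server-supplied length
 * must fit in what is left of the payload AND in the destination. */
static int read_lenenc_field(const uint8_t *p, size_t left, char *dst, size_t dstsz, size_t *consumed)
{
    if (left < 1) return E_SHORT;
    size_t flen = p[0];                 /* 1-byte length prefix, assumed short form */
    if (flen > left - 1) return E_LEN;  /* claims more bytes than the packet holds */
    if (flen >= dstsz) return E_DST;
    memcpy(dst, p + 1, flen);
    dst[flen] = '\0';
    *consumed = 1 + flen;
    return OK;
}

/* ERR packet (CVE-2010-3063 class): message length = payload - fixed prefix.
 * Checking plen >= ERR_PREFIX first means the subtraction can never go
 * "negative" and turn into an enormous unsigned copy length. */
static int read_err_message(const uint8_t *p, size_t plen, char *dst, size_t dstsz, uint16_t *errcode)
{
    if (plen < ERR_PREFIX || p[0] != 0xFF || p[3] != '#') return E_SHORT;
    size_t mlen = plen - ERR_PREFIX;
    if (mlen >= dstsz) return E_DST;
    *errcode = (uint16_t)(p[1] | (p[2] << 8));
    memcpy(dst, p + ERR_PREFIX, mlen);
    dst[mlen] = '\0';
    return OK;
}

/* Client side (CVE-2010-3064 class): a caller-controlled username copied into
 * a fixed-size buffer must be length-checked before the copy. */
static int write_auth_user(const char *user, char *buf, size_t bufsz)
{
    size_t ulen = strlen(user);
    if (ulen >= bufsz) return E_DST;
    memcpy(buf, user, ulen + 1);
    return OK;
}

/* Constructed packets exercising each check. */
static int demo_oversized_field(void)
{
    const uint8_t pkt[] = { 3, 0, 0, 1, 200, 'a', 'b' };  /* 3-byte payload, field claims 200 */
    const uint8_t *pl; size_t plen, used; char out[64];
    if (pkt_payload(pkt, sizeof pkt, &pl, &plen) != OK) return -99;
    return read_lenenc_field(pl, plen, out, sizeof out, &used);   /* E_LEN */
}
static int demo_short_err(void)
{
    const uint8_t pl[] = { 0xFF, 0x15, 0x04, '#', '2', '8' };    /* truncated SQLSTATE */
    char out[64]; uint16_t ec;
    return read_err_message(pl, sizeof pl, out, sizeof out, &ec); /* E_SHORT */
}
static int demo_good_err(uint16_t *ec, char *out, size_t outsz)
{
    const uint8_t pl[] = { 0xFF, 0x15, 0x04, '#', '2','8','0','0','0', 'd','e','n','i','e','d' };
    return read_err_message(pl, sizeof pl, out, outsz, ec);       /* OK, errno 1045, "denied" */
}
static int demo_long_user(void)
{
    char buf[MAX_NAME], user[200];
    memset(user, 'A', sizeof user - 1); user[sizeof user - 1] = '\0';
    return write_auth_user(user, buf, sizeof buf);                /* E_DST */
}

int main(void)
{
    char msg[64]; uint16_t ec = 0;
    printf("oversized field: %d\n", demo_oversized_field());
    printf("short ERR packet: %d\n", demo_short_err());
    printf("good ERR packet: %d errno=%u msg=%s\n", demo_good_err(&ec, msg, sizeof msg), ec, msg);
    printf("long username: %d\n", demo_long_user());
    return 0;
}
```

The ordering matters: each length is compared against the bytes remaining (or the destination size) before it is used in arithmetic or passed to memcpy, and the subtraction in read_err_message happens only after the packet is known to be at least as long as the fixed prefix. Those are the two checks whose absence the three CVE descriptions above are about.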

