Stefan Esser discovered multiple buffer overflow flaws in PHP's mysqlnd (MySQL native driver) extension in functions php_mysqlnd_rset_header_read(), php_mysqlnd_read_error_from_line() and php_mysqlnd_auth_write(). A malicious mysql server could trigger heap or stack based buffer overflow in PHP interpreter via a specially-crafted mysql network protocol packets, possibly leading to arbitrary code execution with interpreter's privileges. References: http://php-security.org/2010/05/31/mops-2010-057-php-php_mysqlnd_rset_header_read-buffer-overflow-vulnerability/index.html http://php-security.org/2010/05/31/mops-2010-058-php-php_mysqlnd_read_error_from_line-buffer-overflow-vulnerability/index.html http://php-security.org/2010/05/31/mops-2010-059-php-php_mysqlnd_auth_write-stack-buffer-overflow-vulnerability/index.html Related upstream commits: http://svn.php.net/viewvc?view=revision&revision=298703 http://svn.php.net/viewvc?view=revision&revision=298235
mysqlnd extension was added in PHP 5.3. Therefore, this issue does not affect PHP versions in Red Hat Enterprise Linux 3, 4, and 5. mysqlnd extension is not enabled in Fedora and Red Hat Enterprise Linux 6 Beta php packages, older mysql client library is still used. Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
Assigned CVEs: CVE-2010-3062 (covers MOPS-2010-056 - bug #619007 - too): mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function. CVE-2010-3063: The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used. CVE-2010-3064: Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.