Bug 814605 (CVE-2012-2122) - CVE-2012-2122 mysql: incorrect type cast in check_scramble() leading to authentication bypass
Status: CLOSED CURRENTRELEASE
Alias: CVE-2012-2122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 830650 830680 871813 871814 892679 892680
Blocks: 814613 mysql-cpu-2012-07 833743
Reported: 2012-04-20 08:41 UTC by Jan Lieskovsky
Modified: 2021-02-24 12:39 UTC (History)

Fixed In Version: mysql 5.1.63, mysql 5.5.24
Doc Type: Bug Fix
Last Closed: 2013-01-22 21:13:04 UTC


Links
System                             ID              Private  Priority  Status        Summary                             Last Updated
Debian BTS                         677018          0        None      None          None                                2012-06-11 14:43:17 UTC
Novell                             765092          0        None      None          None                                2012-06-11 11:57:36 UTC
Red Hat Knowledge Base (Solution)  139683          0        None      None          None                                2012-06-11 10:25:03 UTC
Red Hat Product Errata             RHSA-2013:0180  0        normal    SHIPPED_LIVE  Important: mysql security update    2013-01-22 23:34:58 UTC

Description Jan Lieskovsky 2012-04-20 08:41:38 UTC
MariaDB upstream reported a flaw in MySQL server's check_scramble() function that is used to check user passwords during authentication.  The memcmp() function return value of type int was cast to my_bool (char) type, which could result in 0 being returned by check_scramble() in cases when memcmp() returned non-0.

On systems where system memcmp() implementation can return values that do not fit into an int type, this flaw could allow (possibly remote) attackers able to connect to mysql port or socket to easily bypass password authentication.

MySQL upstream bug report:
http://bugs.mysql.com/bug.php?id=64884 (private)

MariaDB upstream patch and bug report:
https://bazaar.launchpad.net/~maria-captains/maria/5.5-release/revision/2502.554.2
https://mariadb.atlassian.net/browse/MDEV-212

Comment 10 Tomas Hoger 2012-05-14 15:54:27 UTC
Fixed (MySQL) upstream in:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

  Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED

  Fixed an improper type conversion on return that can make the server accept
  logins with a wrong password.

Fix included in upstream versions 5.1.63 and 5.5.24:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Comment 16 Huzaifa S. Sidhpurwala 2012-06-11 06:40:21 UTC
This is now public via:

http://seclists.org/oss-sec/2012/q2/493

Comment 19 Tomas Hoger 2012-06-11 08:13:09 UTC
The MySQL bug (casting of the int to char, which may lead to truncation) has existed in the MySQL code base since 4.x versions.  However, it is only an issue when used with a memcmp() implementation that can return values out of the -255 .. 255 range.

memcmp() function is defined as:

  int memcmp(const void *s1, const void *s2, size_t n);

It returns an integer less than, equal to, or greater than zero if the first n bytes of s1 is found, respectively, to be less than, to match, or be greater than the first n bytes of s2.

memcmp() implementations often return values that do not use the full range of the int type and rather return one of the following:

- normalized values (-1/0/1)
- diff of the first non-equal bytes (this is a documented behavior of the BSD libc implementation, but also a behavior of the gcc builtin implementation used on x86 architectures)

A glibc x86_64 SSE4 optimized memcmp() implementation was identified as one that returns values out of the -255 .. 255 range.  Depending on the position of the first non-equal byte, it often returns a value that is a multiple of 256, which results in a non-0 memcmp() return value being incorrectly converted to 0 after casting the value to char type.  This optimized memcmp() version is only available in recent glibc versions.  Red Hat Enterprise Linux 6 is the first Red Hat Enterprise Linux version that has this optimized implementation available.

However, mysql packages in Red Hat Enterprise Linux 6 do not use the glibc optimized memcmp() version.  A gcc builtin is used in check_scramble(), which does not trigger this problem (see above).

This problem was tested on all Red Hat Enterprise Linux 4, 5, and 6 architectures using the latest released mysql packages and was not found to affect any version.  There is no plan for an immediate update correcting this issue, it will be corrected with future mysql packages updates.

In Fedora, glibc memcmp() function is called from check_scramble() and hence x86_64 SSE4 systems are known to be affected by this problem.
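An added illustration of the narrowing described in comment 19 (example code written for this page, not MySQL's or glibc's): a constructed memcmp() model that returns multiples of 256, the vulnerable int-to-my_bool return pattern beside a hardened one that compares against zero before the result is narrowed, and a check showing that a wrong password is accepted only by the vulnerable pattern. model_memcmp_x256, SCRAMBLE_LEN, and the check_scramble_* / wrong_password_accepted helpers are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LEN 20   /* SHA1 hash length that check_scramble() compares */
typedef char my_bool;     /* MySQL's my_bool is a char; 0 means "password OK" */
typedef int (*memcmp_fn)(const void *, const void *, size_t);

/* Constructed model (not glibc code) of a memcmp() that does not normalize its
 * result: byte difference times 256, non-zero but with the low 8 bits clear,
 * the property comment 19 attributes to the glibc x86_64 SSE4 variant. */
static int model_memcmp_x256(const void *s1, const void *s2, size_t n)
{
    const unsigned char *a = s1, *b = s2;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return ((int)a[i] - (int)b[i]) * 256;
    return 0;
}

/* Vulnerable pattern: the int from memcmp() is narrowed to my_bool (char) on
 * return; on 8-bit-char targets +-256 becomes 0, i.e. "password OK". */
static my_bool check_scramble_vulnerable(memcmp_fn cmp, const unsigned char *a,
                                         const unsigned char *b)
{
    return cmp(a, b, SCRAMBLE_LEN);
}

/* Hardened pattern: decide match/mismatch while the value is still an int. */
static my_bool check_scramble_fixed(memcmp_fn cmp, const unsigned char *a,
                                    const unsigned char *b)
{
    return cmp(a, b, SCRAMBLE_LEN) != 0;
}

/* Constructed scenario: stored hash is all zero bytes, the client-derived hash
 * differs in its first byte by 1. Returns 1 if the chosen check accepts it. */
static int wrong_password_accepted(memcmp_fn cmp, int use_fixed)
{
    unsigned char expected[SCRAMBLE_LEN] = {0}, computed[SCRAMBLE_LEN] = {1};
    return (use_fixed ? check_scramble_fixed(cmp, expected, computed)
                      : check_scramble_vulnerable(cmp, expected, computed)) == 0;
}

int main(void)
{
    printf("wrong password accepted? vulnerable=%d fixed=%d\n",
           wrong_password_accepted(model_memcmp_x256, 0),
           wrong_password_accepted(model_memcmp_x256, 1));
    return 0;
}
```

Passing the platform's own memcmp instead of the model shows why the bug stayed latent on builds whose memcmp() stays within -255 .. 255: the narrowed value is then never 0 for a mismatch.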

Comment 20 Jan Lieskovsky 2012-06-11 08:18:07 UTC
Created mysql tracking bugs for this issue

Affects: fedora-all [bug 830680]

Comment 21 Mark J. Cox 2012-06-12 08:23:49 UTC
Statement:

This issue does not affect MySQL as shipped with Red Hat Enterprise Linux 4, 5, or 6.  For a technical explanation please see https://bugzilla.redhat.com/show_bug.cgi?id=814605#c19

Comment 22 Fedora Update System 2012-06-17 22:24:22 UTC
mysql-5.5.24-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-06-26 21:30:48 UTC
mysql-5.5.24-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2013-01-22 18:35:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0180 https://rhn.redhat.com/errata/RHSA-2013-0180.html

Comment 26 Tomas Hoger 2013-01-22 21:13:04 UTC
As explained in comment 19, this issue did not affect MySQL packages in Red Hat Enterprise Linux 4, 5 and 6.  Due to the possible impact of the flaw, mysql packages in Red Hat Enterprise Linux 5 and 6 now include the fix to ensure no future builds (possibly done with different compiler or C library optimization) are affected by this problem.

In Red Hat Enterprise Linux 5, the fix was included in RHSA-2013:0180 as a backported patch:
  https://rhn.redhat.com/errata/RHSA-2013-0180.html

In Red Hat Enterprise Linux 6, mysql packages were updated to upstream version that includes the fix via RHSA-2012:1462:
  https://rhn.redhat.com/errata/RHSA-2012-1462.html
