Bug 991212 (CVE-2015-8949) - VUL-0: CVE-2015-8949: perl-DBD-mysql: Use after free when my_login fails
Summary: VUL-0: CVE-2015-8949: perl-DBD-mysql: Use after free when my_login fails
Status: RESOLVED INVALID
Alias: CVE-2015-8949
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Deadline: 2016-08-12
Assignee: Forgotten User l5HDYKT_qR
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171376/
Whiteboard: maint:running:62917:moderate CVSSv2:S...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-29 09:05 UTC by Andreas Stieger
Modified: 2016-08-31 16:21 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Comment 1 Swamp Workflow Management 2016-07-29 09:12:20 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-08-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62917
Comment 2 Swamp Workflow Management 2016-07-29 22:00:36 UTC
bugbot adjusting priority
Comment 3 Forgotten User l5HDYKT_qR 2016-08-10 14:47:26 UTC
It's a small miracle this package works for anyone at all.  As I couldn't really
make any good sense of the chaotic commits and code, I boldly assumed that
everything is all right in git master, and the diff of the entire file for the
latest distributed version 4.021, being archaic enough, is then reduced in the
relevant parts to what seems to be plugging a leak.  Therefore I'm assuming
the two related VULs bsc#991212 and bsc#991207 are invalid.

> --- dbdimp.c.orig	2012-04-28 15:48:56.000000000 +0200
> +++ dbdimp.c	2016-08-10 13:48:57.314565872 +0200
> @@ -2054,8 +2054,11 @@
>  
>    if (!my_login(aTHX_ dbh, imp_dbh))
>    {
> -    do_error(dbh, mysql_errno(imp_dbh->pmysql),
> -            mysql_error(imp_dbh->pmysql) ,mysql_sqlstate(imp_dbh->pmysql));
> +    if(imp_dbh->pmysql) {
> +      do_error(dbh, mysql_errno(imp_dbh->pmysql),
> +              mysql_error(imp_dbh->pmysql) ,mysql_sqlstate(imp_dbh->pmysql));
> +      Safefree(imp_dbh->pmysql);
> +    }
>      return FALSE;
>    }
>  
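Review bot: the added `Safefree(imp_dbh->pmysql);` leaves `imp_dbh->pmysql` pointing at freed memory, because nothing sets the field to NULL afterwards; any later code that tests or frees that field (including the same `if(imp_dbh->pmysql)` pattern this hunk introduces) would then act on a dangling pointer. Suggest adding `imp_dbh->pmysql = NULL;` directly after the `Safefree` line. Separately, the new `if(imp_dbh->pmysql)` guard only removes the use-after-free named in the bug title if `my_login` clears `imp_dbh->pmysql` whenever it fails; that is not visible in this hunk, so it should be confirmed in `my_login`, otherwise `mysql_errno`/`mysql_error`/`mysql_sqlstate` are still called on a stale handle.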

(And it's not even obvious whether this doesn't potentially add a problem because
of "pmysql" not being reset to NULL.  Which could easily be added, though.)