From ab7ceba816bf29e8db7da4a77c74c48eba42da60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Tue, 29 Nov 2016 13:36:00 +0100
Subject: Fix CVE-2016-1251 (use after free when using prepared statements)

---
 ...er-free-for-repeated-fetchrow_arrayref-ca.patch | 129 +++++++++++++++++++++
 perl-DBD-MySQL.spec                                |   6 +
 2 files changed, 135 insertions(+)
 create mode 100644 
DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch

diff --git 
a/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch 
b/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
new file mode 100644
index 0000000..11952cc
--- /dev/null
+++ b/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
@@ -0,0 +1,129 @@
+From 87aa1a9746065fa7a3d8d56fb7a4c4ca8166555e Mon Sep 17 00:00:00 2001
+From: Pali <p...@cpan.org>
+Date: Fri, 18 Nov 2016 19:01:48 +0100
+Subject: [PATCH] Fix use-after-free for repeated fetchrow_arrayref calls when
+ mysql_server_prepare=1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Petr Pisar: Ported to 4.033:
+
+commit 3619c170461a3107a258d1fd2d00ed4832adb1b1
+Author: Pali <p...@cpan.org>
+Date:   Fri Nov 18 19:01:48 2016 +0100
+
+    Fix use-after-free for repeated fetchrow_arrayref calls when 
mysql_server_prepare=1
+
+    Function dbd_st_fetch() via Renew() can reallocate output buffer for
+    mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+    imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+    That leads to use-after-free in any mysql function which access
+    imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+
+    This patch fix this problem and properly updates pointer in imp_sth->stmt
+    structure after Renew() call.
+
+    Test 40server_prepare_crash.t is extended to check for that use-after-free
+    crash.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ MANIFEST                   |  1 +
+ dbdimp.c                   |  2 ++
+ t/40server_prepare_crash.t | 45 ++++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/MANIFEST b/MANIFEST
+index eacb465..f2e5078 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -52,6 +52,7 @@ t/40nulls.t
+ t/40nulls_prepare.t
+ t/40numrows.t
+ t/40server_prepare.t
++t/40server_prepare_crash.t
+ t/40server_prepare_error.t
+ t/40types.t
+ t/40bit.t
+diff --git a/dbdimp.c b/dbdimp.c
+index cc5724f..568181b 100644
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -3959,6 +3959,8 @@ process:
+           Renew(fbh->data, fbh->length, char);
+           buffer->buffer_length= fbh->length;
+           buffer->buffer= (char *) fbh->data;
++          imp_sth->stmt->bind[i].buffer_length = fbh->length;
++          imp_sth->stmt->bind[i].buffer = (char *)fbh->data;
+ 
+           if (DBIc_TRACE_LEVEL(imp_xxh) >= 2) {
+             int j;
+diff --git a/t/40server_prepare_crash.t b/t/40server_prepare_crash.t
+index 99a06e1..7537a94 100644
+--- a/t/40server_prepare_crash.t
++++ b/t/40server_prepare_crash.t
+@@ -10,11 +10,22 @@ require "t/lib.pl";
+ my $dbh = eval { DBI->connect($test_dsn, $test_user, $test_password, { 
PrintError => 1, RaiseError => 1, AutoCommit => 0, mysql_server_prepare => 1 }) 
};
+ plan skip_all => "no database connection" if $@ or not $dbh;
+ 
+-plan tests => 17;
++plan tests => 39;
+ 
+-ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n TEXT)");
++my $sth;
+ 
+-ok my $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
++ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n LONGBLOB)");
++
++ok $sth = $dbh->prepare("INSERT INTO t(i, n) VALUES(?, ?)");
++ok $sth->execute(1, "x" x 10);
++ok $sth->execute(2, "x" x 100);
++ok $sth->execute(3, "x" x 1000);
++ok $sth->execute(4, "x" x 10000);
++ok $sth->execute(5, "x" x 100000);
++ok $sth->execute(6, "x" x 1000000);
++ok $sth->finish();
++
++ok $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
+ 
+ ok $sth->bind_param(2, "x" x 1000000);
+ ok $sth->bind_param(1, "abcx", 12);
+@@ -34,6 +45,34 @@ ok $sth = $dbh->prepare("SELECT 1 FROM t WHERE i = ?" . (" 
OR i = ?" x 10000));
+ ok $sth->execute((1) x (10001));
+ ok $sth->finish();
+ 
++my $test;
++ok $sth = $dbh->prepare("SELECT i,n FROM t WHERE i = ?");
++
++ok $sth->execute(1);
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(2);
++$test = map { $_ } 'a';
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(3);
++$test = map { $_ } 'b' x 10000000; # try to reuse released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(4);
++$test = map { $_ } 'cd' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(5);
++$test = map { $_ } 'efg' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(6);
++$test = map { $_ } 'hijk' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->finish();
++
+ ok $dbh->do("SELECT 1 FROM t WHERE i = ?" . (" OR i = ?" x 10000), {}, (1) x 
(10001));
+ 
+ ok $dbh->disconnect();
+-- 
+2.7.4
+
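Review bot: The two added lines in the dbdimp.c hunk (`imp_sth->stmt->bind[i].buffer_length = ...` / `.buffer = ...`) fix the stale pointer by writing directly into the MYSQL_STMT structure's `bind` array, which is client-library internal state rather than documented API; the driver is thereby coupled to the struct layout of whatever client it is built against (the spec builds with mariadb-devel), and any other per-column state the library copied at mysql_stmt_bind_result() time is left untouched. The documented way to refresh the library's copy after the `Renew()` on `fbh->data` is to rebind the (already updated) local MYSQL_BIND array, which the MySQL client API explicitly permits between fetches, e.g. replacing the two added lines with `if (mysql_stmt_bind_result(imp_sth->stmt, <bind array that buffer points into>)) { do_error(sth, mysql_stmt_errno(imp_sth->stmt), mysql_stmt_error(imp_sth->stmt), mysql_stmt_sqlstate(imp_sth->stmt)); return Nullav; }` — the name of that array and the error-reporting idiom used by dbd_st_fetch are outside this hunk, so adapt them to what the function already uses. Either approach closes the use-after-free the test at the bottom of 40server_prepare_crash.t exercises; the rebind variant just does not depend on private fields. The enclosing function dbd_st_fetch starts and ends outside the hunk.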
diff --git a/perl-DBD-MySQL.spec b/perl-DBD-MySQL.spec
index 8c107b4..8952d79 100644
--- a/perl-DBD-MySQL.spec
+++ b/perl-DBD-MySQL.spec
@@ -14,6 +14,9 @@ Patch2:         DBD-mysql-4.033-Pali-s-fix.patch
 # Fix CVE-2016-1249 (out-of-bound read when using server-side prepared
 # statements), bug #1395592, in upstream 4.039
 Patch3:         DBD-mysql-4.033-Added-Pali-s-fix-for-CVE-2016-1249.patch
+# Fix CVE-2016-1251 (use after free when using prepared statements),
+# bug #1399581, in upstream 4.041
+Patch4:         
DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
 BuildRequires:  mariadb, mariadb-devel, zlib-devel
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -49,6 +52,7 @@ management system.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 # Correct file permissions
 find . -type f | xargs chmod -x
@@ -86,6 +90,8 @@ find %{buildroot} -type f -name '*.bs' -empty -exec rm -f {} 
';'
 - Fix a crash when executing prepared statements after rebinding parameters
 - Fix CVE-2016-1249 (out-of-bound read when using server-side prepared
   statements) (bug #1395592)
+- Fix CVE-2016-1251 (use after free when using prepared statements)
+  (bug #1399581)
 
 * Mon Oct 03 2016 Jitka Plesnikova <jples...@redhat.com> - 4.033-3
 - Do not use unsafe sprintf w/variable length input (CVE-2016-1246)
-- 


        
http://pkgs.fedoraproject.org/cgit/perl-DBD-MySQL.git/commit/?h=f23&id=ab7ceba816bf29e8db7da4a77c74c48eba42da60