| Summary: | perl-DBD-mysql new security issue CVE-2016-1246, CVE-2016-1249, CVE-2016-1251 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, mageia, mageia, marja11, sysadmin-bugs, zen25000 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/702551/ | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | perl-DBD-mysql-4.35.0-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-10-04 12:34:01 CEST

David Walser
2016-10-04 12:34:40 CEST
CC: (none) => guillomovitch, mageia

Debian has issued an advisory for this on October 3:
https://www.debian.org/security/2016/dsa-3684

Assigning to maintainer

Assignee: bugsquad => jquelin

David Walser
2016-10-04 18:44:04 CEST
URL: (none) => http://lwn.net/Vulnerabilities/702551/

Freeze push requested for cauldron.

A security issue fixed upstream in perl-DBD-mysql has been announced:
http://openwall.com/lists/oss-security/2016/11/16/1

The issue is fixed in 4.039 and the commit to fix it is linked in the message above.

Mageia 5 is also affected.

Summary: perl-DBD-mysql new security issue CVE-2016-1246 => perl-DBD-mysql new security issue CVE-2016-1246 and CVE-2016-1249

perl-DBD-mysql-4.39.0-1.mga6 uploaded for Cauldron by Guillaume.

Whiteboard: MGA5TOO => (none)

(In reply to David Walser from comment #4)
> A security issue fixed upstream in perl-DBD-mysql has been announced:
> http://openwall.com/lists/oss-security/2016/11/16/1
>
> The issue is fixed in 4.039 and the commit to fix it is linked in the
> message above.
>
> Mageia 5 is also affected.

LWN reference:
https://lwn.net/Vulnerabilities/707362/

Fedora has issued an advisory for this on November 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY3AHSF4ZPQQ5OGYZYNQOD7TBL7CAG4F/

A security issue fixed upstream in perl-DBD-mysql has been announced:
http://openwall.com/lists/oss-security/2016/11/28/2

The issue is fixed in 4.041 and the commit to fix it is linked in the message above.

Mageia 5 is also affected.

Version: 5 => Cauldron

perl-DBD-mysql-4.41.0-1.mga6 uploaded for Cauldron by Guillaume.

Thanks again!

Whiteboard: MGA5TOO => (none)

LWN reference for CVE-2016-1251:
https://lwn.net/Vulnerabilities/708876/

Fedora has issued an advisory for this on December 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BLHU5FAHMKZBZ4LAHIASWUJVK4O6JS6/

CVE-2017-10788:
http://openwall.com/lists/oss-security/2017/07/03/3

Looks like the fix for this is actually in code in documentation, not in the perl module itself.

It seems there is an actual problem in the Perl module (in C code), due to erroneous documentation on Oracle side... A patch is available here, but I'd rather wait for upstream review before shipping it:
https://github.com/perl5-dbi/DBD-mysql/issues/120

Status: NEW => ASSIGNED

Thanks for the clarification on CVE-2017-10788 Guillaume.

Now there's also CVE-2017-10789:
http://openwall.com/lists/oss-security/2017/07/05/1

I don't believe there's a fix for that one yet. We'll need to split out a new bug for these two if we don't fix them all at the same time.

Fedora has issued an advisory for CVE-2017-10788 on July 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CWISRFDOB7YRPBNDD3BNIQHSRYBDD6S/

Can we update to version 4.043 in Mageia 5? (fixes CVE-2017-10788)

CC: (none) => mageia

It's worth a shot.

Fedora has issued an advisory on December 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TAWTNCSYWNBJHJR4AYQAAW65JVWDWMEW/

It fixes CVE-2017-10789.

I tried building 4.043 from Cauldron in Mageia 6 and it doesn't build (I'm not sure if it built in Cauldron since Sophie is not on IRC):
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20171227030611.luigiwalser.duvel.37320/log/perl-DBD-mysql-4.43.0-1.mga6/build.0.20171227030708.log

We would have to update Mageia 6 as well if we're going to update Mageia 5 to this version.

Cauldron still has 4.041, so it didn't build there either.

Advisory:
========================

Updated perl-DBD-mysql package fixes security vulnerabilities:

Pali Rohar discovered that DBD::mysql constructed an error message in a fixed-length buffer, leading to a crash (_FORTIFY_SOURCE failure) and, potentially, to denial of service (CVE-2016-1246).

A vulnerability was discovered in perl-DBD-MySQL that can lead to an out-of-bounds read when using server side prepared statements with an unaligned number of placeholders in WHERE condition and output fields in SELECT expression (CVE-2016-1249).

There is a vulnerability of type use-after-free affecting DBD::mysql before 4.041 when used with mysql_server_prepare=1 (CVE-2016-1251).

The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection to a MySQL server. The use-after-free defect was introduced by relying on incorrect Oracle mysql_stmt_close documentation and code examples (CVE-2017-10788).

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack (CVE-2017-10789).

Note that the CVE-2016-1246, CVE-2017-1249, and CVE-2016-1251 issues only affected Mageia 5.

Also note that server-side prepared statements are disabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
https://www.debian.org/security/2016/dsa-3684
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY3AHSF4ZPQQ5OGYZYNQOD7TBL7CAG4F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BLHU5FAHMKZBZ4LAHIASWUJVK4O6JS6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CWISRFDOB7YRPBNDD3BNIQHSRYBDD6S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TAWTNCSYWNBJHJR4AYQAAW65JVWDWMEW/
========================

Updated packages in core/updates_testing:
========================
perl-DBD-mysql-4.43.0-1.mga5
perl-DBD-mysql-4.43.0-1.mga6

from SRPMS:
perl-DBD-mysql-4.43.0-1.mga5.src.rpm
perl-DBD-mysql-4.43.0-1.mga6.src.rpm

Assignee: jquelin => qa-bugs

Warrants proper testing.

(In reply to Lewis Smith from comment #20)
> Warrants proper testing.

If it's any help I have a zoneminder server (which uses perl-DBD-mysql) running Mga5 which I can update with the new version and do tests if someone can explain how ;)

CC: (none) => zen25000

If zoneminder uses perl-DBD-mysql and still works with the update, then that's how. That's actually great, a real world test.

I fully updated the server, re-booted it and then installed the perl-DBD-mysql from updates_testing.
I then re-started apache, mysql and zoneminder.
All seems OK so far, but I will keep an eye on the logs.

Dave Hodgins
2017-12-31 06:44:06 CET
CC: (none) => davidwhodgins

Nothing unusual in the logs and I also ran my zmsetup script which calls a perl script that accesses the mysql database and that ran without error so for me there are no regressions on Mga5 x86_64.

Same in Mga6 - here I removed the old db and allowed the upstream perl script to create a clean new zoneminder db. No problems or regressions, so Mga6 x86_64 is OK for me.

[baz@leno ~]$ uname -r
4.9.56-desktop-1.mga6
[baz@leno ~]$ rpm -q perl-DBD-mysql
perl-DBD-mysql-4.43.0-1.mga6
[baz@leno ~]$ sudo zmsetup
*** Welcome to ZoneMinder Setup ***
OK Please wait a moment...
Please enter your mysql root password:
You already have a ZoneMinder database installed
Do you want to re-use it? [y/n] n
Delete existing ZoneMinder database? OK? [y/n] y
Installing a new ZoneMinder database ...
Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://leno/zm
[baz@leno ~]$

Adding the oks and validating the update based on Barry's comments.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0031.html

Resolution: (none) => FIXED |