Bug 23154

Summary: perl-DBD-mysql new security issues CVE-2017-10788 and CVE-2017-10789
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Source RPM: perl-DBD-mysql-4.43.0-1.mga6.src.rpm CVE:
Status comment:
Attachments: test script perl-mysql

Description David Walser 2018-06-08 20:28:25 CEST 
openSUSE has issued an advisory on May 29:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00138.html
Comment 1 Marja Van Waes 2018-06-08 21:37:16 CEST 
Assigning to the Perl stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => perl
CC: (none) => marja11, shlomif

Comment 2 David Walser 2018-06-09 17:02:32 CEST 
Updated packages uploaded by Shlomi and myself.  Thanks Shlomi!

Advisory:
========================

Updated perl-DBD-mysql package fixes security vulnerabilities:

The DBD::mysql Perl module through 4.043 for Perl allows remote attackers to
cause a denial of service (use-after-free and application crash) or possibly
have unspecified other impact by triggering certain error responses from a
MySQL server or a loss of a network connection to a MySQL server. The
use-after-free defect was introduced by relying on incorrect Oracle
mysql_stmt_close documentation and code examples (CVE-2017-10788).

The DBD::mysql Perl module, when used with mysql_ssl=1 setting enabled, means
that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which could lead
man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack
(CVE-2017-10789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
https://lists.opensuse.org/opensuse-updates/2018-05/msg00138.html
========================

Updated packages in core/updates_testing:
========================
perl-DBD-mysql-4.46.0-1.mga5
perl-DBD-mysql-4.46.0-1.mga6

from SRPMS:
perl-DBD-mysql-4.46.0-1.mga5.src.rpm
perl-DBD-mysql-4.46.0-1.mga6.src.rpm

Assignee: perl => qa-bugs
Whiteboard: (none) => MGA5TOO

Comment 3 Herman Viaene 2018-06-10 12:01:05 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Googling fiddled a test script (see attachment)
$ perl perldbdtest.pl 
DBD::mysql::db do failed: Unknown table 'test10.0.35.foo' at perldbdtest.pl line 14.
Dropping foo failed: DBD::mysql::db do failed: Unknown table 'test10.0.35.foo' at perldbdtest.pl line 14.

Found a row: id = 1, name = Tim
Found a row: id = 2, name = Jochen
Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 4 Herman Viaene 2018-06-10 12:02:11 CEST 
Created attachment 10235 [details]
test script perl-mysql
Comment 5 Herman Viaene 2018-06-11 11:37:03 CEST 
MGA6-32 on Thinkpad R50e MATE
No installation issues.
Used same testscript as above
$ perl perldbdtest.pl 
DBD::mysql::db do failed: Unknown table 'test.foo' at perldbdtest.pl line 14.
Dropping foo failed: DBD::mysql::db do failed: Unknown table 'test.foo' at perldbdtest.pl line 14.

Found a row: id = 1, name = Tim
Found a row: id = 2, name = Jochen
OK for me.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 6 claire robinson 2018-06-14 18:46:17 CEST 
Nice test Herman. Validating.

Keywords: (none) => has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2018-06-14 18:58:47 CEST 
Advisoried.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-06-14 20:16:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0283.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED