Bug 8921 - mariadb bugfix update
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: https://kb.askmonty.org/en/mariadb-55...
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Duplicates: 8984

Reported: 2013-01-31 22:45 CET by AL13N
Modified: 2013-02-21 07:22 CET

Source RPM: mariadb-5.5.25-2.8.mga2.src.rpm

Description AL13N 2013-01-31 22:45:33 CET
I've submitted mariadb-5.5.25-2.6.mga2 for update testing.

This release fixes mdev4029: a critical fix (which seems unimportant to Oracle, as it only fixes it in mysql-5.7), a buffer overflow similar to CVE-2012-5611 and CVE-2012-5615 & CVE-2012-5627.

See https://kb.askmonty.org/en/mariadb-5529-release-notes/ for more information.

possible advisory:
------------------
This release includes fixes for the following security vulnerabilities:
* A buffer overflow that can cause a server crash or arbitrary code execution (a variant of CVE-2012-5611)
* CVE-2012-5627/MDEV-3915 fast password brute-forcing using the "change user" command
* CVE-2012-5615/MDEV-3909 information leakage about existing user accounts via the protocol handshake
* in addition it fixes MDEV-4029 (which to Oracle seems to be unimportant as it's only fixed for mysql-5.7)

references:
https://mariadb.atlassian.net/browse/MDEV-4029
https://mariadb.atlassian.net/browse/MDEV-3915
https://mariadb.atlassian.net/browse/MDEV-3909
Comment 1 AL13N 2013-01-31 22:47:38 CET
*** Bug 8917 has been marked as a duplicate of this bug. ***
Comment 2 David Walser 2013-02-01 02:39:01 CET
Four patches were added in Mageia 2 SVN:
- mariadb-5.5-mdev4029.patch
- mariadb-5.5-CVE-2012-5627.patch
- mariadb-5.5-buffer-overflow.patch
- mariadb-5.5-CVE-2012-5615.patch

For MySQL in Mageia 1, I tried adding those patches.

The first one applied cleanly (mdev4029).

The next two needed minor rediffing, then applied (CVE-2012-5627, buffer-overflow).

The last one needed major rediffing work, then still didn't work because of too many code changes.  I don't know the code well enough to finish backporting it.

So, the first three patches are in Mageia 1 SVN.
Comment 3 claire robinson 2013-02-03 17:31:33 CET
Is this one ready for testing?
Comment 4 David Walser 2013-02-03 17:54:56 CET
Yes.  My comment about the Mageia 1 MySQL package is irrelevant for this Mageia 2 MariaDB update.  It's been ready to test since this bug was filed.
Comment 5 claire robinson 2013-02-03 18:20:39 CET
PoC's: CVE-2012-5627/MDEV-3915: http://seclists.org/fulldisclosure/2012/Dec/58
       CVE-2012-5615/MDEV-3909: http://seclists.org/fulldisclosure/2012/Dec/9

SRPM: mariadb-5.5.25-2.6.mga2.src.rpm
-------------------------------------
libmariadb18
libmariadb-devel
libmariadb-embedded18
libmariadb-embedded-devel
mariadb-bench
mariadb-client
mariadb-common-core
mariadb-common
mariadb-core
mariadb-debug
mariadb-extra
mariadb-feedback
mariadb
mariadb-obsolete
mysql-MariaDB
Comment 6 claire robinson 2013-02-03 19:26:05 CET
Testing mga2 32

Before
------
# mysql -u root -p
Enter password:

MariaDB [(none)]> CREATE USER 'crackme'@'localhost' IDENTIFIED BY 'pass';
MariaDB [(none)]> CREATE USER 'user'@'localhost' IDENTIFIED BY 'secret';
MariaDB [(none)]> CREATE DATABASE test;
MariaDB [(none)]> grant select, insert, delete on test.* to 'user'@'localhost';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> quit;
Bye

# urpmi perl-Net-MySQL

Edit /etc/my.cnf and comment out skip-networking by putting a # in front of it and restart the service. Edit mysqlcrack.pl and change the hostname variable to localhost at the top.

# systemctl restart mysqld.service

$ john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
[*] Cracked! --> pass

Confirmed vulnerable to CVE-2012-5627

$ wget -O mysql_userenum.pl http://seclists.org/fulldisclosure/2012/Dec/att-9/mysql_userenum_pl.bin

$ echo -e "wrong1\nwrong2\nwrong3\nwrong4\nuser\nwrong5\nwrong6\n" > wordlist.txt

# urpmi perl-Parallel-ForkManager

$ perl mysql_userenum.pl localhost wordlist.txt

[*] HIT! -- USER EXISTS: user@localhost

Confirmed vulnerable to CVE-2012-5615


After
-----
# systemctl restart mysqld.service

$ perl mysql_userenum.pl localhost wordlist.txt
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 13725  time: 0:00:03:54 0.00%  w/s: 58.42  current: ance
Session aborted

Killed after a few minutes with ctrl-c (yes it's an old laptop :P).
Confirmed fixed CVE-2012-5627

$ perl mysql_userenum.pl localhost wordlist.txt

[*] HIT! -- USER EXISTS: user@localhost

So the patch doesn't seem to fix CVE-2012-5615. Added 'crackme' to the wordlist too and it finds that one also.
Comment 7 claire robinson 2013-02-03 19:28:15 CET
Mis-paste above; it should have been:

$ john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 13725  time: 0:00:03:54 0.00%  w/s: 58.42  current: ance
Session aborted
Comment 8 claire robinson 2013-02-03 19:40:21 CET
Running john for quite a bit longer finishes at exactly the same point (13725 ance), strangely; I'm guessing it now limits the incorrect attempts.
Comment 9 AL13N 2013-02-04 10:53:24 CET
did you also run:

cd /usr/share/mysql/mysql-test && ./mysql-test-run.pl failed_auth_3909

which should be the test to fix CVE-2012-5615 ...
Comment 10 AL13N 2013-02-04 17:15:36 CET
That particular test fails, but only due to unrelated changes.

There was a separate patch which fixed some test cases where NO was reported instead of YES; and the error string changed in another patch.

In backporting the patch, I should've checked it first and corrected the expected results accordingly; but they are non-critical.

I talked to upstream about this, and due to the fix, the exploit isn't working properly anymore and also reports some nonexistent users as existing.
Comment 11 AL13N 2013-02-06 08:25:54 CET
I've submitted mariadb-5.5.25-2.7.mga2 for update testing.

This also fixes the failed_auth_3909 test and disables adding the anonymous user by default, which in certain cases with certain configurations would still be exploitable via CVE-2012-5615.



Addendum to advisory:
---------------------

Be advised that for CVE-2012-5615 to be completely closed, it's recommended to remove any anonymous logins. Previously, such a user without access rights w
Comment 12 AL13N 2013-02-06 08:26:10 CET
as added by default.
Comment 13 AL13N 2013-02-06 08:26:36 CET
Oops, I submitted between comments by accident.
Comment 14 claire robinson 2013-02-06 13:33:49 CET
Testing mga2 64

Using a VM with lxde so I can start without any mariadb installed and installing the testing version directly.

$ rpm -qa | grep -i -e mysql -e maria
$

Installed from updates testing

# urpmi mariadb-bench mariadb-client mariadb-common-core mariadb-common mariadb-core mariadb-extra mariadb mariadb-obsolete mysql-MariaDB lib64mariadb18 lib64mariadb-embedded18

# service mysqld start
Starting mysqld (via systemctl):                                [  OK  ]
# mysqladmin password
New password: 
Confirm new password: 

# mysql -u root -p
Enter password: 

MariaDB [(none)]> select user,host,length(password) from mysql.user;
+------+-----------+------------------+
| user | host      | length(password) |
+------+-----------+------------------+
| root | localhost |               41 |
| root | 127.0.0.1 |                0 |
| root | ::1       |                0 |
+------+-----------+------------------+
3 rows in set (0.00 sec)

This shows the anonymous user without a password has now gone from the default installation. The patch is valid.

Removed all packages and installed again from Updates to compare the result.
+------+-----------+------------------+
| user | host      | length(password) |
+------+-----------+------------------+
| root | localhost |               41 |
| root | 127.0.0.1 |                0 |
| root | ::1       |                0 |
|      | localhost |                0 |
+------+-----------+------------------+
4 rows in set (0.01 sec)

I'll test the update on an existing installation in a few minutes.
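As an added example (not code from this bug report, Mageia or MariaDB), an offline audit of the `mysql.user` listing shown above: it parses the mysql client's table output and flags the anonymous account the advisory addendum says to remove, plus any account whose password column is empty. The two tables are constructed copies of the stock and patched listings from this comment.

```python
# Constructed copies of the mysql.user listings above (constructed sample data).
ANON_ROW = "|      | localhost |                0 |\n"
STOCK_TABLE = """\
+------+-----------+------------------+
| user | host      | length(password) |
+------+-----------+------------------+
| root | localhost |               41 |
| root | 127.0.0.1 |                0 |
| root | ::1       |                0 |
""" + ANON_ROW + """\
+------+-----------+------------------+
4 rows in set (0.01 sec)
"""
# The 2.7 package no longer creates the anonymous user, so drop that row.
PATCHED_TABLE = STOCK_TABLE.replace(ANON_ROW, "").replace("4 rows", "3 rows")


def parse_mysql_table(text):
    """Turn the client's box-drawn table into a list of row dicts.
    Border lines (+---+) and the 'N rows in set' footer are skipped."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border or footer line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit_accounts(rows):
    """Return (kind, account, suggested_fix) findings.
    'anonymous' is an empty user name (the account the addendum says to
    remove); 'empty-password' is any other account with length(password) 0.
    The password placeholder must be replaced before running the statement."""
    findings = []
    for row in rows:
        account = "'%s'@'%s'" % (row["user"], row["host"])
        if row["user"] == "":
            findings.append(("anonymous", account, "DROP USER %s;" % account))
        elif int(row["length(password)"]) == 0:
            findings.append(("empty-password", account,
                             "SET PASSWORD FOR %s = PASSWORD('<new password>');" % account))
    return findings


if __name__ == "__main__":
    for name, table in (("stock", STOCK_TABLE), ("patched", PATCHED_TABLE)):
        for kind, account, fix in audit_accounts(parse_mysql_table(table)):
            print("%s: %s %s -> %s" % (name, kind, account, fix))
```

Note that in both listings `root@127.0.0.1` and `root@::1` have a zero-length password (`mysqladmin password` only set `root@localhost`), so the audit reports them on the patched install as well.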
Comment 15 claire robinson 2013-02-06 13:36:27 CET
Failed_auth_3909 also passes now

# cd /usr/share/mysql/mysql-test && ./mysql-test-run.pl failed_auth_3909
Logging: ./mysql-test-run.pl  failed_auth_3909
vardir: /usr/share/mysql/mysql-test/var
Removing old var directory...
Creating var directory '/usr/share/mysql/mysql-test/var'...
Checking supported features...
MariaDB Version 5.5.25-MariaDB
Installing system database...
 - skipping ndbcluster
 - SSL connections supported
Collecting tests...
Using server port 46522

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
worker[1] mysql-test-run: WARNING: running this script as _root_ will cause some tests to be skipped
main.failed_auth_3909                    [ pass ]   3075
--------------------------------------------------------------------------
The servers were restarted 0 times
Spent 3.075 of 7 seconds executing testcases

Completed: All 1 tests were successful.
Comment 16 claire robinson 2013-02-06 14:17:04 CET
Testing complete mga2 64

Updated the host computer and manually removed the anonymous user with phpmyadmin.

Tested with db using things like zoneminder, phpmyadmin
Comment 17 Dave Hodgins 2013-02-07 01:52:07 CET
On a Mageia 2 32 bit vb install ...

./mysql-test-run --force
<snip>
Too many tests(10) failed! Terminating...

Only  221  of 2466 completed.
--------------------------------------------------------------------------
The servers were restarted 19 times
Spent 3.542 of 73 seconds executing testcases

Too many failed: Failed 10/23 tests, 56.52% were successful.

Failing test(s): federated.federated_partition federated.federated_transactions federated.federated_innodb rpl.rpl_auto_increment rpl.rpl_invoked_features rpl.rpl_auto_increment_bug45679 rpl.rpl_auto_increment_update_failure rpl.rpl_binlog_grant
Comment 18 AL13N 2013-02-07 12:28:13 CET
It is possible that quite a few tests fail on some systems; I too had a similar issue when I noticed that the mysql server started by the test system used a port that was in use by pulseaudio.

I would not like this to block this security update...

We can investigate all the tests at a later date.
Comment 19 claire robinson 2013-02-07 12:55:54 CET
Bug 8984 created for the failing testsuite

Are you happy to validate otherwise Dave?
Comment 20 Dave Hodgins 2013-02-07 22:39:43 CET
Confirmed the core updates version of mariadb segfaults when running the test
from mariadb-bench on i586 too, so the problems are not a regression.

Validating the update.

Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.7.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: This release includes fixes for the following security
vulnerabilities:
* A buffer overflow that can cause a server crash or arbitrary code execution
(a variant of CVE-2012-5611)
* CVE-2012-5627/MDEV-3915 fast password brute-forcing using the "change user"
command
* CVE-2012-5615/MDEV-3909 information leakage about existing user accounts
via the protocol handshake
* in addition it fixes MDEV-4029

References:
https://mariadb.atlassian.net/browse/MDEV-4029
https://mariadb.atlassian.net/browse/MDEV-3915
https://mariadb.atlassian.net/browse/MDEV-3909

Be advised that for CVE-2012-5615 to be completely closed, it's recommended
to remove any anonymous logins. Previously, such a user without access
rights was added by default.

https://bugs.mageia.org/show_bug.cgi?id=8921
Comment 21 Thomas Backlund 2013-02-08 13:42:33 CET
Dropping validation as alien has pushed a mariadb-5.5.25-2.8.mga2 to updates_testing
Comment 22 AL13N 2013-02-08 13:57:42 CET
I had no time yet to react, but this second release fixes the last remaining failing test case:

rpl.rpl_mdev382

This was a security issue that didn't fully get fixed in our build.

I also added the patch that should fix the aio problem that happens during testing.

Nothing has changed wrt the older bugs, so that should be fine.
Comment 23 claire robinson 2013-02-08 16:29:14 CET
Testing mga2 64

# cd /usr/share/mysql/mysql-test && ./mysql-test-run.pl

mysqltest: Result length mismatch

 - saving '/usr/share/mysql/mysql-test/var/log/binlog.binlog_row_mysqlbinlog_options-row/' to '/usr/share/mysql/mysql-test/var/log/binlog.binlog_row_mysqlbinlog_options-row/'

Only  816  of 2442 completed.
--------------------------------------------------------------------------
The servers were restarted 292 times
Spent 1469.307 of 2519 seconds executing testcases

Failure: Failed 1/600 tests, 99.83% were successful.

Failing test(s): binlog.binlog_row_mysqlbinlog_options

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

181 tests were skipped, 47 by the test itself.

mysql-test-run: *** ERROR: there were failing test cases
Comment 24 AL13N 2013-02-08 23:42:33 CET
Could you give me the details?

# cd /usr/share/mysql/mysql-test && ./mysql-test-run.pl binlog.binlog_row_mysqlbinlog_options

Thanks a lot.
Comment 25 AL13N 2013-02-09 02:15:00 CET
OK, I can reproduce, and this one is very very strange... (but it is actually just the test that fails)

(I've also found some more noncritical ones)

In any case, I would prefer this update not to be blocked by this issue (since these issues are not critical), even though I will likely do an update later that will fix more tests.

So, the problem here is that there's a help file called loaddata7.dat for this test, and this file is really only:

2,2
3,3
4,4
5,5
6,6

except that the line endings are \r\n aka CRLF aka DOS line endings.

Now, this file is inside the tarball from upstream, nicely with CRLF endings, except that when it gets built and packaged, it seems to change magically to CR endings (unix line endings).

The problem is that this particular test expects it to be in \r\n endings and thus fails in interesting ways...

Is there something like an automagic CRLF converter in our buildsystem?

Does anyone know anyone who would know? Can they be CC'd?
Comment 26 David Walser 2013-02-09 03:07:41 CET
Sounds like the unix2dos command (in the dos2unix package) is what you want.
Comment 27 AL13N 2013-02-09 09:30:38 CET
No, the tarball contains it in DOS format, but the installed file is in Unix format, while the tests are counting on it being in DOS format.

AFAICS it should be in DOS format; I have no idea why/how it was converted... somewhere along the way...
Comment 28 claire robinson 2013-02-09 10:40:10 CET
I'm not clear, are you wanting to fix the test or push the current build?
Comment 29 AL13N 2013-02-09 12:01:47 CET
I do want to fix all tests eventually, but IMHO even the 2.7 should've been pushed. That one contains the critical security fixes. The 2.8 sort of fixes a part of an earlier fix that slipped through the cracks, but AFAIK the remaining failed tests are not critical and will take a while to completely fix.

Since 2.7 was validated, please validate 2.8 ASAP by following the procedure and testing 'rpl.rpl_mdev382':

# cd /usr/share/mysql/mysql-test && ./mysql-test-run.pl rpl.rpl_mdev382
Comment 30 Thomas Backlund 2013-02-09 12:19:29 CET
(In reply to comment #27)
> no, the tarball contains it in dos format. but the installed file is in unix
> format, while the tests are counting it to be in dos format.
> 
> afaics it should be in dos format, i have no idea why/how it was converted...
> somewhere along the way...

It's because we run: /usr/share/spec-helper/fix_eol on every rpm during build,
(and yes, we have been doing it for ages, so it's not a new thing...)

If you need to exclude some files from the stripping, you need to export the EXCLUDE_FROM_EOL_CONVERSION for those specific files in the spec.


(In reply to comment #29)
> i do want to fix all tests eventually, but imho even the 2.7 should've been
> pushed. that one contains the critical security fixes.

Well, it would have been pushed as it was validated, but you pushed 2.8 on top of it before, so you created this re-validation need....
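An added check for the loaddata7.dat case discussed above (not part of spec-helper, the mariadb package or this bug report): confirm that a file in the built package kept the line endings of its copy in the upstream tarball, so a silent EOL rewrite is caught before the test suite trips on it. The bytes are constructed to mirror loaddata7.dat, and the `fix_eol` behaviour is assumed to be a plain CRLF to LF rewrite as described in the comment.

```python
# Constructed sample: five CSV lines with CRLF endings, as in the tarball copy
# of loaddata7.dat, and the same bytes after an assumed CRLF -> LF rewrite.
TARBALL_COPY = b"2,2\r\n3,3\r\n4,4\r\n5,5\r\n6,6\r\n"
INSTALLED_COPY = TARBALL_COPY.replace(b"\r\n", b"\n")


def eol_counts(data):
    """Count CRLF, bare LF and bare CR line endings in a byte string."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "lf": data.count(b"\n") - crlf,
            "cr": data.count(b"\r") - crlf}


def eol_style(data):
    """Classify a file as 'crlf', 'lf', 'cr', 'mixed' or 'none'."""
    present = [kind for kind, n in eol_counts(data).items() if n]
    if len(present) > 1:
        return "mixed"
    return present[0] if present else "none"


def check_eol_preserved(tarball_bytes, installed_bytes, path="<file>"):
    """Return (ok, message). When the styles differ, the message names the
    file so it can be added to the spec's EXCLUDE_FROM_EOL_CONVERSION list."""
    want, got = eol_style(tarball_bytes), eol_style(installed_bytes)
    if want == got:
        return True, "%s: line endings preserved (%s)" % (path, want)
    return False, ("%s: line endings changed from %s to %s; "
                   "exclude it from EOL conversion" % (path, want, got))


if __name__ == "__main__":
    # Path taken from comment 33 on this bug; used only for the message.
    print(check_eol_preserved(TARBALL_COPY, INSTALLED_COPY,
                              "mysql-test/std_data/loaddata7.dat")[1])
```

In a %check section the same comparison would read the two real files (tarball extract vs. %{buildroot}) instead of the constructed bytes.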
Comment 31 claire robinson 2013-02-09 12:23:15 CET
Pressurising us is uncalled for; we were waiting for you.

The previous package would have already been pushed if the rebuild to fix tests hadn't taken place between validation & push.


Re-Testing completed mga2 32 & 64

Re-Validating

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Updated Advisory: 
==================================
This release includes fixes for the following security vulnerabilities:

* A buffer overflow that can cause a server crash or arbitrary code execution
(a variant of CVE-2012-5611)
* CVE-2012-5627/MDEV-3915 fast password brute-forcing using the "change user"
command
* CVE-2012-5615/MDEV-3909 information leakage about existing user accounts
via the protocol handshake
* in addition it fixes MDEV-4029 and rpl.rpl_mdev382 test from mariadb-bench

References:
https://mariadb.atlassian.net/browse/MDEV-4029
https://mariadb.atlassian.net/browse/MDEV-3915
https://mariadb.atlassian.net/browse/MDEV-3909

Be advised that for CVE-2012-5615 to be completely closed, it's recommended
to remove any anonymous logins. Previously, such a user without access
rights was added by default.

https://bugs.mageia.org/show_bug.cgi?id=8921
===================================

SRPM: mariadb-5.5.25-2.8.mga2.src.rpm
Comment 32 Thomas Backlund 2013-02-09 14:09:22 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0046
Comment 33 AL13N 2013-02-09 14:48:25 CET
(In reply to comment #30)
> (In reply to comment #27)
> > no, the tarball contains it in dos format. but the installed file is in unix
> > format, while the tests are counting it to be in dos format.
> > 
> > afaics it should be in dos format, i have no idea why/how it was converted...
> > somewhere along the way...
> 
> It's because we run: /usr/share/spec-helper/fix_eol on every rpm during build,
> (and yes, we have been doing it for ages, so it's not a new thing...)
> 
> If you need to exclude some files from the stripping, you need to export the
> EXCLUDE_FROM_EOL_CONVERSION for those specific files in the spec.

do you mean something like:

export EXCLUDE_FROM_EOL_CONVERSION=%{datadir}/mysql/mysql-test/std_data/loaddata7.dat

somewhere in the %install section?

> (In reply to comment #29)
> > i do want to fix all tests eventually, but imho even the 2.7 should've been
> > pushed. that one contains the critical security fixes.
> 
> Well, it would have been pushed as it was validated, but you pushed 2.8 on top
> of it before, so you created this re-validation need....

Ah, so you can't move older builds?
Comment 34 AL13N 2013-02-09 14:51:22 CET
(In reply to comment #31)
> Pressurising us is uncalled for, we were waiting for you. 
> 
> The previous package would have already been pushed if the rebuild to fix tests
> hadn't taken place between validation & push.
[...]

Sorry, I definitely didn't mean to pressure people.

I didn't think me building a new version would cancel the push, sorry...
Comment 35 claire robinson 2013-02-09 16:24:52 CET
Let you off this time ;)
Comment 36 AL13N 2013-02-21 07:22:20 CET
*** Bug 8984 has been marked as a duplicate of this bug. ***
