Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601144 (CVE-2016-1251) - <dev-perl/DBD-mysql-4.41.0: Use after free in DBD::mysql when using prepared statements
Summary: <dev-perl/DBD-mysql-4.41.0: Use after free in DBD::mysql when using prepared ...
Status: RESOLVED FIXED
Alias: CVE-2016-1251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q4/536
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-1249
  Show dependency tree
 
Reported: 2016-11-28 23:31 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-24 02:27 UTC (History)
2 users (show)

See Also:
Package list:
=dev-perl/DBD-mysql-4.41.0
Runtime testing required: No
kensington: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 23:31:16 UTC 
DBD::mysql is the perl DBI driver for MySQL and the primary way Perl
applications and scripts access MySQL and MariaDB databases. The
source repository is at https://github.com/perl5-dbi/DBD-mysql.

A vulnerability was discovered that can lead to a use after free when
using prepared statements. This vulnerability is present in all
releases at least back to versions 3.0 of the driver, which were
released in 2005.

The CVE identifier for this vulnerability is CVE-2016-1251.

Version 4.041, including the fix for this vulnerability, is available
on CPAN at https://metacpan.org/pod/DBD::mysql

The fix itself is available at
https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1

Users of DBD::mysql using prepared statements are advised to patch
their installations as soon as possible. Distributors of DBD::mysql
are requested to make this fix available to their end users.

Many thanks to Pali Rohár for discovering and fixing the vulnerability.
Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-12-04 15:57:41 UTC 
commit 4d53b8b72459e05d47ece6069dbcec61447d3178
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Mon Dec 5 04:41:59 2016 +1300

    dev-perl/DBD-mysql: Bump to version 4.41.0 re bug #601144
    
    Upstream:
    - Fixed use-after-free with repeated fetchrow_arrayref under
      mysql_server_prepare=1 (CVE-2016-1251)
    - auto_reconnect now properly reconnects when receiving
      CR_SERVER_LOST instead of only CR_SERVER_GONE
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-08 01:38:17 UTC 
@ Arches,

please test and mark stable: =dev-perl/DBD-mysql-4.41.0
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-12 15:58:02 UTC 
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-13 11:06:30 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-13 11:31:53 UTC 
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-12-17 15:34:04 UTC 
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 14:41:27 UTC 
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 15:17:36 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-20 09:50:41 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-22 09:39:08 UTC 
ppc64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-22 09:40:16 UTC 
Stable for HPPA.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-22 09:50:30 UTC 
GLSA request filed.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:27:14 UTC 
This issue was resolved and addressed in
 GLSA 201701-51 at https://security.gentoo.org/glsa/201701-51
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please clean the vulnerable versions.
Comment 14 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-24 02:01:36 UTC 
Cleaned: 

commit 19eeb140a84c8bb903b808bf7ea344a3c633857a
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: Mon Jan 23 21:09:43 2017 +1300
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: Tue Jan 24 14:50:42 2017 +1300

    dev-perl/DBD-mysql: Security cleanup re bug #601144
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 02:27:47 UTC 
Tree is clean