Bug 611318 - <dev-db/mysql-{5.5.54-r1,5.6.21}: use-after-free in libmysqlclient.so (CVE-2017-3302)
Summary: <dev-db/mysql-{5.5.54-r1,5.6.21}: use-after-free in libmysqlclient.so (CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-3302
Reported: 2017-03-01 19:33 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-03-01 21:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch back ported to MySQL 5.5 branch (fix_use_after_free_in_mysql_prune_stmt_list.patch, 4.52 KB, patch)
2017-03-01 19:56 UTC, Thomas Deutschmann (RETIRED)

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-01 19:33:31 UTC
Incoming details. See bug 611314 for more details.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-01 19:38:42 UTC
CVE-2017-3302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3302):
  Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x before
  5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through
  10.1.21, and 10.2.x through 10.2.3.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-01 19:56:11 UTC
Created attachment 465658
Patch back ported to MySQL 5.5 branch

Patch for MySQL 5.5 branch from Debian.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-01 19:58:06 UTC
MySQL 5.6.x branch is patched, stable and clean.

But we need to apply the back ported patch to 5.5.x, which we still have in the repository.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-01 21:00:48 UTC
v5.5 branch now patched.

GLSA Vote: No

Repository is clean, all done.