Date: Thu, 28 Jul 2016 06:31:20 -0700
From: lazytyped <lazytyped@...il.com>
To: oss-security@...ts.openwall.com
Cc: hanno@...eck.de
Subject: Re: Re: Use after free in my_login() function of
 DBD::mysql (Perl module)
On 7/26/16 6:32 PM, cve-assign@...re.org wrote:
>
>> https://blog.fuzzing-project.org/50-Use-after-free-in-my_login-function-of-DBDmysql-Perl-module.html
>>
>> DBD::mysql versions 4.033 and earlier have a use after free bug in the
>> my_login() function. DBD::mysql is a Perl module providing bindings to
>> the mysql database. The issue was fixed in version 4.034.
>>
>> https://github.com/perl5-dbi/DBD-mysql/pull/45
>>> When my_login fails the code tries to call mysql_errno on the mysql
>>> connection. However my_login has already free'd that connection
>>> variable, therefore causing a use-after-free error.
>>>
>>> This patch changes that so that the free happens after the call to the
>>> error functions.
>>>
>>> https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156
> Use CVE-2015-8949.

Quick question:

- I guess the affected function call is the following:

    do_error(dbh, mysql_errno(imp_dbh->pmysql),
             mysql_error(imp_dbh->pmysql),
             mysql_sqlstate(imp_dbh->pmysql));

Which one of those calls provides an exploitation path? They all seem to
be reads off the freed structure.

I see in the bug report: "(I think use after free's can be serious and
potentially lead to malfunction and security issues)" and would like to
understand more about the rationale.


            -  twiz
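Added example, not DBD::mysql's own code: a toy C model of the ordering described in the quoted pull request, with the pre-fix free-then-read sequence beside the fixed read-then-free one. The `toy_*` types, `report()` and the `connect_*` functions, and the error values, are constructed stand-ins for the MYSQL handle, the three `mysql_*` accessors and the `do_error()` call.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for the MYSQL handle and the imp_dbh wrapper (constructed names). */
typedef struct { unsigned int err; char msg[64]; char sqlstate[6]; } toy_mysql;
typedef struct { toy_mysql *pmysql; } toy_imp_dbh;
/* Caller-owned copy of the error triple that do_error() would consume. */
typedef struct { unsigned int err; char msg[64]; char sqlstate[6]; } toy_error;

/* A connect attempt that fails but still hands back a handle carrying error state. */
static toy_mysql *toy_connect_fail(void) {
    toy_mysql *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->err = 2002;                                   /* constructed values */
    strcpy(m->msg, "constructed: can't connect to server");
    strcpy(m->sqlstate, "HY000");
    return m;
}

/* Stands in for mysql_errno()/mysql_error()/mysql_sqlstate(): three reads of the handle. */
static void report(const toy_mysql *m, toy_error *out) {
    out->err = m->err;
    strcpy(out->msg, m->msg);
    strcpy(out->sqlstate, m->sqlstate);
}

/* Pre-fix shape: login frees the handle on failure and leaves the pointer dangling. */
static int login_buggy(toy_imp_dbh *d) {             /* returns -1 on failure */
    d->pmysql = toy_connect_fail();
    free(d->pmysql);
    return -1;
}

/* Fixed shape: login only signals failure; freeing the handle is the caller's job. */
static int login_fixed(toy_imp_dbh *d) { d->pmysql = toy_connect_fail(); return -1; }

/* Caller with the bug: report() reads freed memory. Build with -fsanitize=address to see it flagged. */
int connect_buggy(toy_error *out) {
    toy_imp_dbh d = { NULL };
    if (login_buggy(&d) < 0) { report(d.pmysql, out); return -1; }   /* use-after-free */
    return 0;
}

/* Caller after the fix: read the error triple first, then free and clear the pointer. */
int connect_fixed(toy_error *out) {
    toy_imp_dbh d = { NULL };
    if (login_fixed(&d) == 0) return 0;
    report(d.pmysql, out);                           /* handle is still alive here */
    free(d.pmysql);
    d.pmysql = NULL;
    return -1;
}
```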
