Date: Thu, 28 Jul 2016 06:31:20 -0700
From: lazytyped <lazytyped@...il.com>
To: oss-security@...ts.openwall.com
Cc: hanno@...eck.de
Subject: Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

On 7/26/16 6:32 PM, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> https://blog.fuzzing-project.org/50-Use-after-free-in-my_login-function-of-DBDmysql-Perl-module.html
>>
>> DBD::mysql versions 4.033 and earlier have a use after free bug in the
>> my_login() function. DBD::mysql is a Perl module providing bindings to
>> the mysql database. The issue was fixed in version 4.034.
>>
>> https://github.com/perl5-dbi/DBD-mysql/pull/45
>>> When my_login fails the code tries to call mysql_errno on the mysql
>>> connection. However my_login has already free'd that connection
>>> variable, therefore causing a use-after-free error.
>>>
>>> This patch changes that so that the free happens after the call to the
>>> error functions.
>>>
>>> https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156

> Use CVE-2015-8949.

Quick question:

- I guess the affecting function call is the following:

    do_error(dbh, mysql_errno(imp_dbh->pmysql), mysql_error(imp_dbh->pmysql),
             mysql_sqlstate(imp_dbh->pmysql));

  Which one of those calls provides an exploitation path? They all seem to be
  reads off the free'd structure. I see in the bug report:

  "(I think use after free's can be serious and potentially lead to
  malfunction and security issues)"

  and would like to understand more about the rationale.

- twiz
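The free-then-report ordering the thread discusses, and the reordering from pull request #45, as an added C illustration that is not DBD::mysql code and not part of the thread. The MYSQL handle, imp_dbh, mock_free() and the poison value are constructed stand-ins; mock_free() poisons the object instead of releasing it so the stale read is deterministic and the demonstration itself is not undefined behaviour.

```c
/* Constructed stand-in for the my_login() failure path: the pre-fix order
 * frees the handle and then reads errno/error/sqlstate off it; the fixed
 * order reads first and frees afterwards. mock_free() simulates the free
 * by poisoning the object, so the stale value can be observed safely. */
#include <stdio.h>
#include <string.h>

#define POISON 0xDEADBEEFu

typedef struct {            /* constructed stand-in for struct MYSQL */
    unsigned int err_no;    /* what mysql_errno() would return */
    char error[64];         /* what mysql_error() would return */
    int freed;              /* set by mock_free() for the demo only */
} mock_mysql;

typedef struct { mock_mysql *pmysql; } imp_dbh_t;  /* stand-in for imp_dbh */

/* Stand-in for releasing the connection: poison instead of free. */
static void mock_free(mock_mysql *m) {
    m->err_no = POISON;
    memset(m->error, 0, sizeof m->error);
    m->freed = 1;
}
static unsigned int mock_errno(const mock_mysql *m) { return m->err_no; }

/* Pre-fix order: free, then report. The errno read sees the freed handle. */
static unsigned int login_fail_buggy(imp_dbh_t *dbh) {
    mock_free(dbh->pmysql);
    return mock_errno(dbh->pmysql);          /* stale read: yields POISON */
}

/* Fixed order (pull request #45): report first, free afterwards. */
static unsigned int login_fail_fixed(imp_dbh_t *dbh) {
    unsigned int err = mock_errno(dbh->pmysql);   /* genuine server errno */
    mock_free(dbh->pmysql);
    return err;
}

int main(void) {
    /* Constructed sample: a handle carrying an authentication failure. */
    mock_mysql a = { .err_no = 1045, .error = "Access denied", .freed = 0 };
    mock_mysql b = a;
    imp_dbh_t da = { &a }, db = { &b };
    printf("buggy order reports errno %u\n", login_fail_buggy(&da));
    printf("fixed order reports errno %u\n", login_fail_fixed(&db));
    return 0;
}
```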