Date: Thu, 28 Jul 2016 06:31:20 -0700
From: lazytyped <>
Subject: Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

On 7/26/16 6:32 PM, wrote:
>> DBD::mysql versions 4.033 and earlier have a use after free bug in the
>> my_login() function. DBD::mysql is a Perl module providing bindings to
>> the mysql database. The issue was fixed in version 4.034.
>>> When my_login fails the code tries to call mysql_errno on the mysql
>>> connection. However my_login has already free'd that connection
>>> variable, therefore causing a use-after-free error.
>>> This patch changes that so that the free happens after the call to the
>>> error functions.
> Use CVE-2015-8949.

Quick question:

- I guess the affecting function call is the following:

   do_error(dbh, mysql_errno(imp_dbh->pmysql),

which one of those calls provides an exploitation path? They all seem to be reads off the freed structure.

I see in the bug report: "(I think use after free's can be serious and potentially lead to malfunction and security issues)" and would like to understand more about the rationale.

            -  twiz
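The free-then-read ordering that the report describes, as an added C example that is not DBD::mysql's code and not part of this thread. The handle type (`mysql_conn`), the accessor names (`conn_errno`, `conn_error`, standing in for `mysql_errno`/`mysql_error`), `do_error`, `fake_connect` and the one-slot poisoning pool are all hypothetical stand-ins; the pool exists so that the stale read returns a deterministic, observable value instead of undefined behaviour on a real heap.

```c
/* Added example, not DBD::mysql code. Models the my_login() error path:
 * the vulnerable order frees the handle and then reads errno/error from it;
 * the fixed order (as the patch describes) reads first, then frees.
 * All names below are hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for the MYSQL connection handle. */
typedef struct {
    unsigned int errnum;
    char errmsg[64];
} mysql_conn;

/* One-slot pool whose free() poisons the block (like a debug allocator),
 * so a read after free yields a known garbage value deterministically. */
static mysql_conn pool_slot;
static bool pool_in_use = false;
#define POISON_BYTE 0xAA

static mysql_conn *pool_alloc(void) {
    if (pool_in_use) return NULL;
    pool_in_use = true;
    memset(&pool_slot, 0, sizeof pool_slot);
    return &pool_slot;
}

static void pool_free(mysql_conn *c) {
    if (c != &pool_slot) return;
    memset(c, POISON_BYTE, sizeof *c);   /* block contents are now garbage */
    pool_in_use = false;
}

/* Stand-ins for mysql_errno()/mysql_error(): plain reads off the handle. */
static unsigned int conn_errno(const mysql_conn *c) { return c->errnum; }
static const char *conn_error(const mysql_conn *c) { return c->errmsg; }

/* Stand-in for do_error(): record what got reported so it can be checked. */
static unsigned int last_reported_errno;
static char last_reported_msg[64];

static void do_error(unsigned int err, const char *msg) {
    size_t n = 0;
    last_reported_errno = err;
    /* poisoned memory has no NUL terminator, so bound the copy ourselves */
    while (n < sizeof last_reported_msg - 1 && msg[n] != '\0') n++;
    memcpy(last_reported_msg, msg, n);
    last_reported_msg[n] = '\0';
}

/* Constructed failing connect: leaves an access-denied style error behind. */
static bool fake_connect(mysql_conn *c) {
    c->errnum = 1045;
    strcpy(c->errmsg, "Access denied (constructed)");
    return false;
}

/* Vulnerable order: free the handle, then read errno/error from it. */
static unsigned int my_login_vuln(void) {
    mysql_conn *c = pool_alloc();
    if (c == NULL) return 0;
    if (!fake_connect(c)) {
        pool_free(c);                              /* handle released ... */
        do_error(conn_errno(c), conn_error(c));    /* ... then read: stale */
        return last_reported_errno;
    }
    pool_free(c);
    return 0;
}

/* Fixed order: read errno/error while the handle is live, then free. */
static unsigned int my_login_fixed(void) {
    mysql_conn *c = pool_alloc();
    if (c == NULL) return 0;
    if (!fake_connect(c)) {
        do_error(conn_errno(c), conn_error(c));
        pool_free(c);
        return last_reported_errno;
    }
    pool_free(c);
    return 0;
}

int main(void) {
    printf("vulnerable: errno %u\n", my_login_vuln());
    printf("fixed:      errno %u msg \"%s\"\n", my_login_fixed(), last_reported_msg);
    return 0;
}
```

With the poisoning pool the stale read is visible as errno 0xAAAAAAAA and a non-terminated message; on a real heap the freed block may already be reused by another allocation between the free and the `mysql_errno`/`mysql_error` calls, so the values handed to `do_error` (and the string pointer it then copies from) come from whatever now occupies that memory.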
