Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Feb 2017 18:46:43 +0100
From: pali@...n.org
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Simon McVittie <smcv@...ian.org>
Subject: Re: Re: Use after free in libmysqlclient.so

On Friday 10 February 2017 17:39:45 Solar Designer wrote:
> As far as I can tell, pali@...n.org is not subscribed.

No, I'm not. I hope it is not a requirement.

> ----- Forwarded message from Simon McVittie <smcv@...ian.org> -----
> 
> Mailing-List: contact oss-security-help@...ts.openwall.com; run by
> ezmlm Reply-To: oss-security@...ts.openwall.com
> Date: Fri, 10 Feb 2017 16:20:58 +0000
> From: Simon McVittie <smcv@...ian.org>
> To: oss-security@...ts.openwall.com
> Subject: Re: [oss-security] Re: Use after free in libmysqlclient.so
> 
> On Fri, 10 Feb 2017 at 11:59:59 +0100, pali@...n.org wrote:
> > On Friday 27 January 2017 23:53:29 pali@...n.org wrote:
> > > C client library for MySQL (libmysqlclient.so) has use-after-free
> > > defect which can cause crash of applications using that MySQL
> > > client.
> 
> Is this a security vulnerability, or just a bug?

It is bug for sure and I think it is security vulnerability.

> How would an attacker cause this to happen in the application
> that they wish to target?

First, it needs that target application does not manually free 
structures for prepared statement and let this for mysql_close() (also 
applicable for languages where is order of executing destructors not 
defined or could not be predicable). Triggering this bug is possible if 
there stay allocated structure for at least one statement which is 
initialized, but not prepared on server yet. MySQL server has upper 
limit for prepared statements. So if attacker can hit this limit (e.g. 
when target application can be triggered to prepare lot of statements on 
server) and target application start closing connection to MySQL server 
then use-after-free happen in target application and it can crash. If 
attacker is able to repeat this procedure then target application is 
under denial-of-service attack. Or triggering this bug is also possible 
when connection with MySQL server is lost after preparing statement. If 
attacker is able to let target application to prepare some statement and 
after that execute another which will cause lost connection (e.g. some 
large/slow computation) then target application try to reconnect (close 
+ open) and bug is triggered.

Probably easier for attacker would be to combine this defect with 
another application specific.

>     S
> 
> ----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.