Date: Tue, 15 Nov 2016 23:11:46 -0500 From: Patrick Galbraith <patg@...g.net> To: oss-security@...ts.openwall.com Subject: CVE-2016-1249: Out-of-bounds read by DBD::mysql >= version 2.9003 ====== SECURITY ADVISORY - Out-of-bounds read by DBD::mysql Out-of-bounds read by DBD::mysql A vulnerability was discovered that can lead to an out-of-bounds read when using server side prepared statements with an unaligned number of placeholders in WHERE condition and output fields in SELECT expression. Project name and URL — DBD::mysql Perl MySQL client driver, http://search.cpan.org/~capttofu/DBD-mysql/lib/DBD/mysql.pm <http://search.cpan.org/~capttofu/DBD-mysql/lib/DBD/mysql.pm> Versions known to be affected — 2.9004 and later (2005 and later) Versions known to be not affected — 2.9003 and earlier (before 2005) Version containing Fix — 4.039 and later (current) Link to fix: https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe <https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe> Type of vulnerability and its impact — could lead to out-of-bounds read when using server-side prepared statement support in the driver CVE identifier — CVE-2016-1249 Planned release — availability: immediately Mitigating factors — This problem is only exposed when the user uses server-side prepared statement support, which is NOT default behavior and was turned off back for all drivers per MySQL AB decision in 2006 due to issues with server-side prepared statements in the server. The behavior of the driver is normally emulated. Work-arounds — Use the default driver setting which is using emulated prepared statements Credit — Many thanks to Pali Rohár for discovering and fixing the vulnerability. ====== Content of type "text/html" skipped Download attachment "signature.asc" of type "application/pgp-signature" (188 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.