Date: Sat, 11 Feb 2017 18:46:43 +0100 From: pali@...n.org To: oss-security@...ts.openwall.com Cc: Solar Designer <solar@...nwall.com>, Simon McVittie <smcv@...ian.org> Subject: Re: Re: Use after free in libmysqlclient.so On Friday 10 February 2017 17:39:45 Solar Designer wrote: > As far as I can tell, pali@...n.org is not subscribed. No, I'm not. I hope it is not a requirement. > ----- Forwarded message from Simon McVittie <smcv@...ian.org> ----- > > Mailing-List: contact oss-security-help@...ts.openwall.com; run by > ezmlm Reply-To: oss-security@...ts.openwall.com > Date: Fri, 10 Feb 2017 16:20:58 +0000 > From: Simon McVittie <smcv@...ian.org> > To: oss-security@...ts.openwall.com > Subject: Re: [oss-security] Re: Use after free in libmysqlclient.so > > On Fri, 10 Feb 2017 at 11:59:59 +0100, pali@...n.org wrote: > > On Friday 27 January 2017 23:53:29 pali@...n.org wrote: > > > C client library for MySQL (libmysqlclient.so) has use-after-free > > > defect which can cause crash of applications using that MySQL > > > client. > > Is this a security vulnerability, or just a bug? It is bug for sure and I think it is security vulnerability. > How would an attacker cause this to happen in the application > that they wish to target? First, it needs that target application does not manually free structures for prepared statement and let this for mysql_close() (also applicable for languages where is order of executing destructors not defined or could not be predicable). Triggering this bug is possible if there stay allocated structure for at least one statement which is initialized, but not prepared on server yet. MySQL server has upper limit for prepared statements. So if attacker can hit this limit (e.g. when target application can be triggered to prepare lot of statements on server) and target application start closing connection to MySQL server then use-after-free happen in target application and it can crash. If attacker is able to repeat this procedure then target application is under denial-of-service attack. Or triggering this bug is also possible when connection with MySQL server is lost after preparing statement. If attacker is able to let target application to prepare some statement and after that execute another which will cause lost connection (e.g. some large/slow computation) then target application try to reconnect (close + open) and bug is triggered. Probably easier for attacker would be to combine this defect with another application specific. > S > > ----- End forwarded message -----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.