oss-sec mailing list archives
Re: Re: Use after free in libmysqlclient.so
From: pali () cpan org
Date: Sat, 11 Feb 2017 18:46:43 +0100
On Friday 10 February 2017 17:39:45 Solar Designer wrote:
As far as I can tell, pali () cpan org is not subscribed.
No, I'm not. I hope it is not a requirement.
----- Forwarded message from Simon McVittie <smcv () debian org> ----- Mailing-List: contact oss-security-help () lists openwall com; run by ezmlm Reply-To: oss-security () lists openwall com Date: Fri, 10 Feb 2017 16:20:58 +0000 From: Simon McVittie <smcv () debian org> To: oss-security () lists openwall com Subject: Re: [oss-security] Re: Use after free in libmysqlclient.so On Fri, 10 Feb 2017 at 11:59:59 +0100, pali () cpan org wrote:On Friday 27 January 2017 23:53:29 pali () cpan org wrote:C client library for MySQL (libmysqlclient.so) has use-after-free defect which can cause crash of applications using that MySQL client.Is this a security vulnerability, or just a bug?
It is bug for sure and I think it is security vulnerability.
How would an attacker cause this to happen in the application that they wish to target?
First, it needs that target application does not manually free structures for prepared statement and let this for mysql_close() (also applicable for languages where is order of executing destructors not defined or could not be predicable). Triggering this bug is possible if there stay allocated structure for at least one statement which is initialized, but not prepared on server yet. MySQL server has upper limit for prepared statements. So if attacker can hit this limit (e.g. when target application can be triggered to prepare lot of statements on server) and target application start closing connection to MySQL server then use-after-free happen in target application and it can crash. If attacker is able to repeat this procedure then target application is under denial-of-service attack. Or triggering this bug is also possible when connection with MySQL server is lost after preparing statement. If attacker is able to let target application to prepare some statement and after that execute another which will cause lost connection (e.g. some large/slow computation) then target application try to reconnect (close + open) and bug is triggered. Probably easier for attacker would be to combine this defect with another application specific.
S ----- End forwarded message -----
Current thread:
- Use after free in libmysqlclient.so pali (Jan 27)
- Re: Use after free in libmysqlclient.so pali (Feb 10)
- Re: Use after free in libmysqlclient.so Solar Designer (Feb 10)
- Re: Use after free in libmysqlclient.so pali (Feb 11)
- Re: Re: Use after free in libmysqlclient.so pali (Feb 11)
- posting without being subscribed (was: Use after free in libmysqlclient.so) Solar Designer (Feb 11)
- Re: posting without being subscribed pali (Feb 11)
- Re: posting without being subscribed Solar Designer (Feb 11)
- Re: Use after free in libmysqlclient.so Solar Designer (Feb 10)
- Re: Use after free in libmysqlclient.so pali (Feb 10)