mysql bug

http://seclists.org/oss-sec/2012/q2/493

Hi



We have recently found a serious security bug in MariaDB and MySQL.

So, here, we'd like to let you know about what the issue and its impact

is. At the end you can find a patch, in case you need to patch an older

unsuported MySQL version.



All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are

vulnerable.

MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.

MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.



This issue got assigned an id CVE-2012-2122.



Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA

over a password and a random scramble string) is calculated and compared

with the expected value. Because of incorrect casting, it might've

happened that the token and the expected value were considered equal,

even if the memcmp() returned a non-zero value. In this case

MySQL/MariaDB would think that the password is correct, even while it is

not.  Because the protocol uses random strings, the probability of

hitting this bug is about 1/256.



Which means, if one knows a user name to connect (and "root" almost

always exists), she can connect using *any* password by repeating

connection attempts. ~300 attempts takes only a fraction of second, so

basically account password protection is as good as nonexistent. 

Any client will do, there's no need for a special libmysqlclient library.



But practically it's better than it looks - many MySQL/MariaDB builds

are not affected by this bug.



Whether a particular build of MySQL or MariaDB is vulnerable, depends on

how and where it was built. A prerequisite is a memcmp() that can return

an arbitrary integer (outside of -128..127 range). To my knowledge gcc

builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc

sse-optimized memcmp is not safe, but gcc usually uses the inlined

builtin version.



As far as I know, official vendor MySQL and MariaDB binaries are not

vulnerable.



Regards,

Sergei Golubchik

MariaDB Security Coordinator



References:



MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212

MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144



MySQL bug report: http://bugs.mysql.com/bug.php?id=64884

MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

MySQL changelog:

  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

  http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

你可能感兴趣的:(mysql)